Mercurial > vim
comparison src/mbyte.c @ 3812:f86619764a1e v7.3.664
updated for version 7.3.664
Problem: Buffer overflow in unescaping text. (Raymond Ko)
Solution: Limit check for multi-byte character to 4 bytes.
author | Bram Moolenaar <bram@vim.org> |
---|---|
date | Tue, 18 Sep 2012 18:03:37 +0200 |
parents | a8897fd5d074 |
children | be1cffa1e477 |
comparison
equal
deleted
inserted
replaced
3811:996f1a928627 | 3812:f86619764a1e |
---|---|
3791 */ | 3791 */ |
3792 char_u * | 3792 char_u * |
3793 mb_unescape(pp) | 3793 mb_unescape(pp) |
3794 char_u **pp; | 3794 char_u **pp; |
3795 { | 3795 { |
3796 static char_u buf[MB_MAXBYTES + 1]; | 3796 static char_u buf[6]; |
3797 int n, m = 0; | 3797 int n; |
3798 int m = 0; | |
3798 char_u *str = *pp; | 3799 char_u *str = *pp; |
3799 | 3800 |
3800 /* Must translate K_SPECIAL KS_SPECIAL KE_FILLER to K_SPECIAL and CSI | 3801 /* Must translate K_SPECIAL KS_SPECIAL KE_FILLER to K_SPECIAL and CSI |
3801 * KS_EXTRA KE_CSI to CSI. */ | 3802 * KS_EXTRA KE_CSI to CSI. |
3802 for (n = 0; str[n] != NUL && m <= MB_MAXBYTES; ++n) | 3803 * Maximum length of a utf-8 character is 4 bytes. */ |
3804 for (n = 0; str[n] != NUL && m < 4; ++n) | |
3803 { | 3805 { |
3804 if (str[n] == K_SPECIAL | 3806 if (str[n] == K_SPECIAL |
3805 && str[n + 1] == KS_SPECIAL | 3807 && str[n + 1] == KS_SPECIAL |
3806 && str[n + 2] == KE_FILLER) | 3808 && str[n + 2] == KE_FILLER) |
3807 { | 3809 { |
3834 if ((*mb_ptr2len)(buf) > 1) | 3836 if ((*mb_ptr2len)(buf) > 1) |
3835 { | 3837 { |
3836 *pp = str + n + 1; | 3838 *pp = str + n + 1; |
3837 return buf; | 3839 return buf; |
3838 } | 3840 } |
3841 | |
3842 /* Bail out quickly for ASCII. */ | |
3843 if (buf[0] < 128) | |
3844 break; | |
3839 } | 3845 } |
3840 return NULL; | 3846 return NULL; |
3841 } | 3847 } |
3842 | 3848 |
3843 /* | 3849 /* |