# HG changeset patch # User Bram Moolenaar # Date 1650025803 -7200 # Node ID 8f4f16efeeb3790b38ffa5a69470030748d1cfe7 # Parent e7216db16ce93a35f2db7911f6534389061dce50 patch 8.2.4752: wrong 'statusline' value can cause illegal memory access Commit: https://github.com/vim/vim/commit/5dc294a7b63ed0e508dd360bc4d98173f1a1aeec Author: zeertzjq Date: Fri Apr 15 13:17:57 2022 +0100 patch 8.2.4752: wrong 'statusline' value can cause illegal memory access Problem: Wrong 'statusline' value can cause illegal memory access. Solution: Properly check the value. (closes https://github.com/vim/vim/issues/10192) diff --git a/src/optionstr.c b/src/optionstr.c --- a/src/optionstr.c +++ b/src/optionstr.c @@ -574,7 +574,7 @@ valid_filetype(char_u *val) #ifdef FEAT_STL_OPT /* * Check validity of options with the 'statusline' format. - * Return error message or NULL. + * Return an untranslated error message or NULL. */ static char * check_stl_option(char_u *s) @@ -625,17 +625,19 @@ check_stl_option(char_u *s) } if (*s == '{') { - int reevaluate = (*s == '%'); + int reevaluate = (*++s == '%'); - s++; + if (reevaluate && *++s == '}') + // "}" is not allowed immediately after "%{%" + return illegal_char(errbuf, '}'); while ((*s != '}' || (reevaluate && s[-1] != '%')) && *s) s++; if (*s != '}') - return N_(e_unclosed_expression_sequence); + return e_unclosed_expression_sequence; } } if (groupdepth != 0) - return N_(e_unbalanced_groups); + return e_unbalanced_groups; return NULL; } #endif @@ -1805,8 +1807,8 @@ ambw_end: } #ifdef FEAT_STL_OPT - // 'statusline' or 'rulerformat' - else if (gvarp == &p_stl || varp == &p_ruf) + // 'statusline', 'tabline' or 'rulerformat' + else if (gvarp == &p_stl || varp == &p_tal || varp == &p_ruf) { int wid; 
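Review bot: The two pointer advances in the `%{` branch are hidden inside an initializer and a short-circuited condition (`*++s == '%'`, then `reevaluate && *++s == '}'`), so where `s` points when the `while` loop starts depends on which side of `&&` ran. That is the same kind of position error this patch corrects. Writing the positions out makes it easy to audit that `s[-1]` always stays inside the string: `int reevaluate = (s[1] == '%');`, `s += reevaluate ? 2 : 1;`, `if (reevaluate && *s == '}')`. The explanatory comment also sits between the unbraced `if` and its `return`; bracing that body would keep a later edit from detaching the return. check_stl_option() begins above this hunk, so `errbuf` is assumed to be declared earlier in the function.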
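Review bot: Adding `varp == &p_tal` covers 'tabline', but the protection still depends on this per-option `else if` chain: a value reaches check_stl_option() only if its option is listed here, and the next hunk shows that values starting with `%!` skip the check altogether. If the illegal access occurs in the code that expands the format (not visible in this diff), that code should itself tolerate an empty `%{%}` item and an unterminated `%{` rather than rely on set-time validation. I would also add a comment above the condition so the list is kept complete, e.g. `// every option rendered with the 'statusline' format must be validated here`. The enclosing function starts and ends outside the hunk.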
@@ -1824,7 +1826,7 @@ ambw_end: else errmsg = check_stl_option(p_ruf); } - // check 'statusline' only if it doesn't start with "%!" + // check 'statusline' or 'tabline' only if it doesn't start with "%!" else if (varp == &p_ruf || s[0] != '%' || s[1] != '!') errmsg = check_stl_option(s); if (varp == &p_ruf && errmsg == NULL) diff --git a/src/testdir/test_options.vim b/src/testdir/test_options.vim --- a/src/testdir/test_options.vim +++ b/src/testdir/test_options.vim @@ -392,8 +392,16 @@ func Test_set_errors() call assert_fails('set rulerformat=%15(%%', 'E542:') call assert_fails('set statusline=%$', 'E539:') call assert_fails('set statusline=%{', 'E540:') + call assert_fails('set statusline=%{%', 'E540:') + call assert_fails('set statusline=%{%}', 'E539:') call assert_fails('set statusline=%(', 'E542:') call assert_fails('set statusline=%)', 'E542:') + call assert_fails('set tabline=%$', 'E539:') + call assert_fails('set tabline=%{', 'E540:') + call assert_fails('set tabline=%{%', 'E540:') + call assert_fails('set tabline=%{%}', 'E539:') + call assert_fails('set tabline=%(', 'E542:') + call assert_fails('set tabline=%)', 'E542:') if has('cursorshape') " This invalid value for 'guicursor' used to cause Vim to crash. diff --git a/src/version.c b/src/version.c --- a/src/version.c +++ b/src/version.c @@ -747,6 +747,8 @@ static char *(features[]) = static int included_patches[] = { /* Add new patch number below this line */ /**/ + 4752, +/**/ 4751, /**/ 4750,
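Review bot: The new `%{%` and `%{%}` rejection cases cover 'statusline' and 'tabline' but not 'rulerformat', which the optionstr.c change shows passing through the same check_stl_option(). Adding `call assert_fails('set rulerformat=%{%', 'E540:')` and `call assert_fails('set rulerformat=%{%}', 'E539:')` would pin all three options; the expected error codes are presumed to match the statusline ones. The hunk also adds only negative cases, so a check that a well-formed `%{%expr%}` value is still accepted would guard against over-rejection, unless that is already covered elsewhere in the file. Test_set_errors() continues outside the hunk.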