changeset 28455:8f4f16efeeb3 v8.2.4752

patch 8.2.4752: wrong 'statusline' value can cause illegal memory access Commit: https://github.com/vim/vim/commit/5dc294a7b63ed0e508dd360bc4d98173f1a1aeec Author: zeertzjq <zeertzjq@outlook.com> Date: Fri Apr 15 13:17:57 2022 +0100 patch 8.2.4752: wrong 'statusline' value can cause illegal memory access Problem: Wrong 'statusline' value can cause illegal memory access. Solution: Properly check the value. (closes https://github.com/vim/vim/issues/10192)
author Bram Moolenaar <Bram@vim.org>
date Fri, 15 Apr 2022 14:30:03 +0200
parents e7216db16ce9
children 6353f897ac82
files src/optionstr.c src/testdir/test_options.vim src/version.c
diffstat 3 files changed, 20 insertions(+), 8 deletions(-) [+]
--- a/src/optionstr.c
+++ b/src/optionstr.c
@@ -574,7 +574,7 @@ valid_filetype(char_u *val)
 #ifdef FEAT_STL_OPT
 /*
  * Check validity of options with the 'statusline' format.
- * Return error message or NULL.
+ * Return an untranslated error message or NULL.
  */
     static char *
 check_stl_option(char_u *s)
@@ -625,17 +625,19 @@ check_stl_option(char_u *s)
 	}
 	if (*s == '{')
 	{
-	    int reevaluate = (*s == '%');
+	    int reevaluate = (*++s == '%');
 
-	    s++;
+	    if (reevaluate && *++s == '}')
+		// "}" is not allowed immediately after "%{%"
+		return illegal_char(errbuf, '}');
 	    while ((*s != '}' || (reevaluate && s[-1] != '%')) && *s)
 		s++;
 	    if (*s != '}')
-		return N_(e_unclosed_expression_sequence);
+		return e_unclosed_expression_sequence;
 	}
     }
     if (groupdepth != 0)
-	return N_(e_unbalanced_groups);
+	return e_unbalanced_groups;
     return NULL;
 }
 #endif
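Review bot: The scan position in the `%{` branch now depends on two `*++s` increments inside conditions, and the second one runs only when `reevaluate` is true because of short-circuit evaluation. The later `s[-1]` read in the `while` condition stays inside the string only because of that ordering, which is correct as written but easy to break in a later edit. I would add a comment before the loop such as `// s is now past "{", or past "{%" when reevaluate is set, so s[-1] never reads before the option value`. Moving the advance out of the condition into plain `s++;` statements would make the same invariant visible in the code. The body of check_stl_option starts outside this hunk.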
@@ -1805,8 +1807,8 @@ ambw_end:
     }
 
 #ifdef FEAT_STL_OPT
-    // 'statusline' or 'rulerformat'
-    else if (gvarp == &p_stl || varp == &p_ruf)
+    // 'statusline', 'tabline' or 'rulerformat'
+    else if (gvarp == &p_stl || varp == &p_tal || varp == &p_ruf)
     {
 	int wid;
 
@@ -1824,7 +1826,7 @@ ambw_end:
 	    else
 		errmsg = check_stl_option(p_ruf);
 	}
-	// check 'statusline' only if it doesn't start with "%!"
+	// check 'statusline' or 'tabline' only if it doesn't start with "%!"
 	else if (varp == &p_ruf || s[0] != '%' || s[1] != '!')
 	    errmsg = check_stl_option(s);
 	if (varp == &p_ruf && errmsg == NULL)
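Review bot: Values starting with `%!` still skip check_stl_option() on the `else if` line, and with this change that bypass covers 'tabline' as well. The format string such an expression returns is only known at render time, so nothing in this file can validate it. If the illegal access being fixed occurs in the code that renders the format (not shown in this diff), that code presumably has to tolerate a malformed `%{%}` sequence on its own rather than rely on this set-time check. The comment could say so, e.g. `// a "%!" value is an expression; its result cannot be checked here and must be handled safely when rendered`. The enclosing function starts and ends outside this hunk.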
--- a/src/testdir/test_options.vim
+++ b/src/testdir/test_options.vim
@@ -392,8 +392,16 @@ func Test_set_errors()
   call assert_fails('set rulerformat=%15(%%', 'E542:')
   call assert_fails('set statusline=%$', 'E539:')
   call assert_fails('set statusline=%{', 'E540:')
+  call assert_fails('set statusline=%{%', 'E540:')
+  call assert_fails('set statusline=%{%}', 'E539:')
   call assert_fails('set statusline=%(', 'E542:')
   call assert_fails('set statusline=%)', 'E542:')
+  call assert_fails('set tabline=%$', 'E539:')
+  call assert_fails('set tabline=%{', 'E540:')
+  call assert_fails('set tabline=%{%', 'E540:')
+  call assert_fails('set tabline=%{%}', 'E539:')
+  call assert_fails('set tabline=%(', 'E542:')
+  call assert_fails('set tabline=%)', 'E542:')
 
   if has('cursorshape')
     " This invalid value for 'guicursor' used to cause Vim to crash.
--- a/src/version.c
+++ b/src/version.c
@@ -747,6 +747,8 @@ static char *(features[]) =
 static int included_patches[] =
 {   /* Add new patch number below this line */
 /**/
+    4752,
+/**/
     4751,
 /**/
     4750,