Mercurial > vim
changeset 13188:a49a5419a83f v8.0.1468
patch 8.0.1468: illegal memory access in del_bytes()
commit https://github.com/vim/vim/commit/191f18bad0b5c48afa05c3e8a00f3ced993f6a38
Author: Bram Moolenaar <Bram@vim.org>
Date: Sun Feb 4 16:38:47 2018 +0100
patch 8.0.1468: illegal memory access in del_bytes()
Problem: Illegal memory access in del_bytes().
Solution: Check for negative byte count. (Christian Brabandt, closes https://github.com/vim/vim/issues/2466)
author | Christian Brabandt <cb@256bit.org> |
---|---|
date | Sun, 04 Feb 2018 16:45:05 +0100 |
parents | a577d6c63cff |
children | 893d4211408d |
files | src/message.c src/misc1.c src/version.c |
diffstat | 3 files changed, 18 insertions(+), 7 deletions(-) [+] |
line wrap: on
line diff
--- a/src/message.c +++ b/src/message.c @@ -761,7 +761,7 @@ emsgn(char_u *s, long n) void iemsg(char_u *s) { - msg(s); + emsg(s); #ifdef ABORT_ON_INTERNAL_ERROR abort(); #endif @@ -4993,7 +4993,7 @@ vim_vsnprintf_typval( zero_padding = 0; } else - { + { /* Regular float number */ format[0] = '%'; l = 1; @@ -5016,7 +5016,7 @@ vim_vsnprintf_typval( format[l + 1] = NUL; str_arg_l = sprintf(tmp, format, f); - } + } if (remove_trailing_zeroes) {
--- a/src/misc1.c +++ b/src/misc1.c @@ -2457,7 +2457,7 @@ del_chars(long count, int fixpos) * If "fixpos" is TRUE, don't leave the cursor on the NUL after the line. * Caller must have prepared for undo. * - * return FAIL for failure, OK otherwise + * Return FAIL for failure, OK otherwise. */ int del_bytes( @@ -2476,12 +2476,21 @@ del_bytes( oldp = ml_get(lnum); oldlen = (int)STRLEN(oldp); - /* - * Can't do anything when the cursor is on the NUL after the line. - */ + /* Can't do anything when the cursor is on the NUL after the line. */ if (col >= oldlen) return FAIL; + /* If "count" is zero there is nothing to do. */ + if (count == 0) + return OK; + + /* If "count" is negative the caller must be doing something wrong. */ + if (count < 1) + { + IEMSGN("E950: Invalid count for del_bytes(): %ld", count); + return FAIL; + } + #ifdef FEAT_MBYTE /* If 'delcombine' is set and deleting (less than) one character, only * delete the last combining character. */