Mercurial > vim
changeset 36115:f0c4102568cf v9.1.0722
patch 9.1.0722: crash with large id in text_prop interface
Commit: https://github.com/vim/vim/commit/701c863e68fa24847100beef3c9008024615a081
Author: Christian Brabandt <cb@256bit.org>
Date: Sun Sep 8 20:05:23 2024 +0200
patch 9.1.0722: crash with large id in text_prop interface
Problem: crash with large id in text_prop interface
prop_add()/prop_add_list() (cposture)
Solution: Error out if the id is > INT_MAX or <= INT_MIN
fixes: #15637
closes: #15638
Signed-off-by: Christian Brabandt <cb@256bit.org>
| author | Christian Brabandt <cb@256bit.org> |
|---|---|
| date | Sun, 08 Sep 2024 20:15:05 +0200 |
| parents | 3aff196dc6b4 |
| children | c4052b4892ee |
| files | runtime/doc/textprop.txt src/testdir/test_textprop.vim src/textprop.c src/version.c |
| diffstat | 4 files changed, 32 insertions(+), 8 deletions(-) [+] |
line wrap: on
line diff
--- a/runtime/doc/textprop.txt +++ b/runtime/doc/textprop.txt @@ -1,4 +1,4 @@ -*textprop.txt* For Vim version 9.1. Last change: 2024 Jun 08 +*textprop.txt* For Vim version 9.1. Last change: 2024 Sep 08 VIM REFERENCE MANUAL by Bram Moolenaar @@ -140,10 +140,10 @@ prop_add({lnum}, {col}, {props}) bufnr buffer to add the property to; when omitted the current buffer is used id user defined ID for the property; must be a - number, should be positive; when using "text" - then "id" must not be present and will be set - automatically to a negative number; otherwise - zero is used + number, should be positive |E1510|; + when using "text" then "id" must not be + present and will be set automatically to a + negative number; otherwise zero is used *E1305* text text to be displayed before {col}, or above/below the line if {col} is zero; prepend @@ -271,7 +271,7 @@ prop_add_list({props}, [{item}, ...]) call prop_add_list(#{type: 'MyProp', id: 2}, \ [[1, 4, 1, 7], \ [1, 15, 1, 20], - \ [2, 30, 3, 30]] + \ [2, 30, 3, 30]]) < Can also be used as a |method|: > GetProp()->prop_add_list([[1, 1, 1, 2], [1, 4, 1, 8]])
--- a/src/testdir/test_textprop.vim +++ b/src/testdir/test_textprop.vim @@ -393,6 +393,8 @@ func Test_prop_add_list() call assert_fails('call prop_add_list(test_null_dict(), [[2, 2, 2]])', 'E965:') call assert_fails('call prop_add_list(#{type: "one"}, test_null_list())', 'E1298:') call assert_fails('call prop_add_list(#{type: "one"}, [test_null_list()])', 'E714:') + call assert_fails('call prop_add_list(#{type: "one", id: 2147483648}, [[2, 2, 2, 2], [3, 20, 3, 22]])', 'E1510:') + call assert_fails('call prop_add_list(#{type: "one", id: -2147483648}, [[2, 2, 2, 2], [3, 20, 3, 22]])', 'E1510:') " only one error for multiple wrong values call assert_fails('call prop_add_list(#{type: "one"}, [[{}, [], 0z00, 0.3]])', ['E728:', 'E728:']) @@ -1780,6 +1782,8 @@ func Test_prop_func_invalid_args() call assert_fails("call prop_add(2, 3, {'type': 'xxx', 'length':-1})", 'E475:') call assert_fails("call prop_add(2, 3, {'type': 'xxx', 'end_col':0})", 'E475:') call assert_fails("call prop_add(2, 3, {'length':1})", 'E965:') + call assert_fails("call prop_add(2, 3, {'type': 'xxx', 'id': 2147483648})", 'E1510:') + call assert_fails("call prop_add(2, 3, {'type': 'xxx', 'id': -2147483648})", 'E1510:') call prop_type_delete('xxx') bwipe!
--- a/src/textprop.c +++ b/src/textprop.c @@ -372,7 +372,16 @@ f_prop_add_list(typval_T *argvars, typva type_name = dict_get_string(dict, "type", FALSE); if (dict_has_key(dict, "id")) - id = dict_get_number(dict, "id"); + { + vimlong_T x; + x = dict_get_number(dict, "id"); + if (x > INT_MAX || x <= INT_MIN) + { + semsg(_(e_val_too_large), dict_get_string(dict, "id", FALSE)); + return; + } + id = (int)x; + } if (get_bufnr_from_arg(&argvars[0], &buf) == FAIL) return; @@ -497,7 +506,16 @@ prop_add_common( end_col = 1; if (dict_has_key(dict, "id")) - id = dict_get_number(dict, "id"); + { + vimlong_T x; + x = dict_get_number(dict, "id"); + if (x > INT_MAX || x <= INT_MIN) + { + semsg(_(e_val_too_large), dict_get_string(dict, "id", FALSE)); + goto theend; + } + id = (int)x; + } if (dict_has_key(dict, "text")) {