Mercurial > vim
comparison src/regexp_nfa.c @ 13192:9bd4151e5aeb v8.0.1470
patch 8.0.1470: integer overflow when using regexp pattern
commit https://github.com/vim/vim/commit/2c7b906afb86b986476cfc959732e433b1b4a3b1
Author: Bram Moolenaar <Bram@vim.org>
Date: Sun Feb 4 18:22:46 2018 +0100
patch 8.0.1470: integer overflow when using regexp pattern
Problem: Integer overflow when using regexp pattern. (geeknik)
Solution: Use a long instead of int. (Christian Brabandt, closes https://github.com/vim/vim/issues/2251)
| author | Christian Brabandt <cb@256bit.org> |
|---|---|
| date | Sun, 04 Feb 2018 18:30:05 +0100 |
| parents | 307f2622826f |
| children | e96663c35bab |
comparison
equal
deleted
inserted
replaced
| 13191:da2eafedb3c6 | 13192:9bd4151e5aeb |
|---|---|
| 1598 break; | 1598 break; |
| 1599 } | 1599 } |
| 1600 | 1600 |
| 1601 default: | 1601 default: |
| 1602 { | 1602 { |
| 1603 int n = 0; | 1603 long n = 0; |
| 1604 int cmp = c; | 1604 int cmp = c; |
| 1605 | 1605 |
| 1606 if (c == '<' || c == '>') | 1606 if (c == '<' || c == '>') |
| 1607 c = getchr(); | 1607 c = getchr(); |
| 1608 while (VIM_ISDIGIT(c)) | 1608 while (VIM_ISDIGIT(c)) |
| 1626 cmp == '>' ? NFA_COL_GT : NFA_COL); | 1626 cmp == '>' ? NFA_COL_GT : NFA_COL); |
| 1627 else | 1627 else |
| 1628 /* \%{n}v \%{n}<v \%{n}>v */ | 1628 /* \%{n}v \%{n}<v \%{n}>v */ |
| 1629 EMIT(cmp == '<' ? NFA_VCOL_LT : | 1629 EMIT(cmp == '<' ? NFA_VCOL_LT : |
| 1630 cmp == '>' ? NFA_VCOL_GT : NFA_VCOL); | 1630 cmp == '>' ? NFA_VCOL_GT : NFA_VCOL); |
| 1631 EMIT(n); | 1631 #if VIM_SIZEOF_INT < VIM_SIZEOF_LONG |
| 1632 if (n > INT_MAX) | |
| 1633 { | |
| 1634 EMSG(_("E951: \\% value too large")); | |
| 1635 return FAIL; | |
| 1636 } | |
| 1637 #endif | |
| 1638 EMIT((int)n); | |
| 1632 break; | 1639 break; |
| 1633 } | 1640 } |
| 1634 else if (c == '\'' && n == 0) | 1641 else if (c == '\'' && n == 0) |
| 1635 { | 1642 { |
| 1636 /* \%'m \%<'m \%>'m */ | 1643 /* \%'m \%<'m \%>'m */ |
| 3968 /* Used during execution: whether a match has been found. */ | 3975 /* Used during execution: whether a match has been found. */ |
| 3969 static int nfa_match; | 3976 static int nfa_match; |
| 3970 #ifdef FEAT_RELTIME | 3977 #ifdef FEAT_RELTIME |
| 3971 static proftime_T *nfa_time_limit; | 3978 static proftime_T *nfa_time_limit; |
| 3972 static int *nfa_timed_out; | 3979 static int *nfa_timed_out; |
| 3973 static int nfa_time_count; | 3980 static int nfa_time_count; |
| 3974 #endif | 3981 #endif |
| 3975 | 3982 |
| 3976 static void copy_pim(nfa_pim_T *to, nfa_pim_T *from); | 3983 static void copy_pim(nfa_pim_T *to, nfa_pim_T *from); |
| 3977 static void clear_sub(regsub_T *sub); | 3984 static void clear_sub(regsub_T *sub); |
| 3978 static void copy_sub(regsub_T *to, regsub_T *from); | 3985 static void copy_sub(regsub_T *to, regsub_T *from); |
| 4066 if (nfa_has_zend) | 4073 if (nfa_has_zend) |
| 4067 { | 4074 { |
| 4068 if (REG_MULTI) | 4075 if (REG_MULTI) |
| 4069 { | 4076 { |
| 4070 if (from->list.multi[0].end_lnum >= 0) | 4077 if (from->list.multi[0].end_lnum >= 0) |
| 4071 { | 4078 { |
| 4072 to->list.multi[0].end_lnum = from->list.multi[0].end_lnum; | 4079 to->list.multi[0].end_lnum = from->list.multi[0].end_lnum; |
| 4073 to->list.multi[0].end_col = from->list.multi[0].end_col; | 4080 to->list.multi[0].end_col = from->list.multi[0].end_col; |
| 4074 } | 4081 } |
| 4075 } | 4082 } |
| 4076 else | 4083 else |
| 4077 { | 4084 { |
| 4078 if (from->list.line[0].end != NULL) | 4085 if (from->list.line[0].end != NULL) |
| 4079 to->list.line[0].end = from->list.line[0].end; | 4086 to->list.line[0].end = from->list.line[0].end; |
| 5122 else | 5129 else |
| 5123 reginput = pim->end.ptr; | 5130 reginput = pim->end.ptr; |
| 5124 } | 5131 } |
| 5125 | 5132 |
| 5126 if (state->c == NFA_START_INVISIBLE_BEFORE | 5133 if (state->c == NFA_START_INVISIBLE_BEFORE |
| 5127 || state->c == NFA_START_INVISIBLE_BEFORE_FIRST | 5134 || state->c == NFA_START_INVISIBLE_BEFORE_FIRST |
| 5128 || state->c == NFA_START_INVISIBLE_BEFORE_NEG | 5135 || state->c == NFA_START_INVISIBLE_BEFORE_NEG |
| 5129 || state->c == NFA_START_INVISIBLE_BEFORE_NEG_FIRST) | 5136 || state->c == NFA_START_INVISIBLE_BEFORE_NEG_FIRST) |
| 5130 { | 5137 { |
| 5131 /* The recursive match must end at the current position. When "pim" is | 5138 /* The recursive match must end at the current position. When "pim" is |
| 5132 * not NULL it specifies the current position. */ | 5139 * not NULL it specifies the current position. */ |
| 5133 endposp = &endpos; | 5140 endposp = &endpos; |
| 5134 if (REG_MULTI) | 5141 if (REG_MULTI) |
| 6300 if (done) | 6307 if (done) |
| 6301 break; | 6308 break; |
| 6302 } | 6309 } |
| 6303 } | 6310 } |
| 6304 else if (state->c < 0 ? check_char_class(state->c, curc) | 6311 else if (state->c < 0 ? check_char_class(state->c, curc) |
| 6305 : (curc == state->c | 6312 : (curc == state->c |
| 6306 || (rex.reg_ic && MB_TOLOWER(curc) | 6313 || (rex.reg_ic && MB_TOLOWER(curc) |
| 6307 == MB_TOLOWER(state->c)))) | 6314 == MB_TOLOWER(state->c)))) |
| 6308 { | 6315 { |
| 6309 result = result_if_matched; | 6316 result = result_if_matched; |
| 6310 break; | 6317 break; |
| 6861 || (colnr_T)(reginput - regline) < rex.reg_maxcol)) | 6868 || (colnr_T)(reginput - regline) < rex.reg_maxcol)) |
| 6862 || (nfa_endp != NULL | 6869 || (nfa_endp != NULL |
| 6863 && (REG_MULTI | 6870 && (REG_MULTI |
| 6864 ? (reglnum < nfa_endp->se_u.pos.lnum | 6871 ? (reglnum < nfa_endp->se_u.pos.lnum |
| 6865 || (reglnum == nfa_endp->se_u.pos.lnum | 6872 || (reglnum == nfa_endp->se_u.pos.lnum |
| 6866 && (int)(reginput - regline) | 6873 && (int)(reginput - regline) |
| 6867 < nfa_endp->se_u.pos.col)) | 6874 < nfa_endp->se_u.pos.col)) |
| 6868 : reginput < nfa_endp->se_u.ptr)))) | 6875 : reginput < nfa_endp->se_u.ptr)))) |
| 6869 { | 6876 { |
| 6870 #ifdef ENABLE_LOG | 6877 #ifdef ENABLE_LOG |
| 6871 fprintf(log_fd, "(---) STARTSTATE\n"); | 6878 fprintf(log_fd, "(---) STARTSTATE\n"); |