vim: src/eval.c comparison

comparison src/eval.c @ 20526:9fd5414e294c v8.2.0817

patch 8.2.0817: not enough memory allocated when converting string Commit: https://github.com/vim/vim/commit/f7271e831614d15d173c7f562cc26f48c2554ce9 Author: Bram Moolenaar <Bram@vim.org> Date: Sun May 24 18:45:07 2020 +0200 patch 8.2.0817: not enough memory allocated when converting string Problem: Not enough memory allocated when converting string with special character. Solution: Reserve space for modifier code. (closes #6130)

author	Bram Moolenaar <Bram@vim.org>
date	Sun, 24 May 2020 19:00:03 +0200
parents	5950284a517f
children	489cb75c76b6

comparison

equal deleted inserted replaced

-:42e5347ff9b6
+:9fd5414e294c
 get_string_tv(char_u **arg, typval_T *rettv, int evaluate)
 {
 char_u	*p;
 char_u	*name;
 int		extra = 0;
+int		len;
 /*
 * Find the end of the string, skipping backslashed characters.
 */
 for (p = *arg + 1; *p != NUL && *p != '"'; MB_PTR_ADV(p))
 {
 	if (*p == '\\' && p[1] != NUL)
 	{
 	    ++p;
 	    // A "\<x>" form occupies at least 4 characters, and produces up
-	    // to 6 characters: reserve space for 2 extra
+	    // to 9 characters (6 for the char and 3 for a modifier): reserve
+	    // space for 5 extra.
 	    if (*p == '<')
-		extra += 2;
+		extra += 5;
 	}
 }
 if (*p != '"')
 {
 /*
 * Copy the string into allocated memory, handling backslashed
 * characters.
 */
-name = alloc(p - *arg + extra);
+len = (int)(p - *arg + extra);
+name = alloc(len);
 if (name == NULL)
 	return FAIL;
 rettv->v_type = VAR_STRING;
 rettv->vval.v_string = name;
 		case '<': extra = trans_special(&p, name, TRUE, TRUE,
 								   TRUE, NULL);
 			  if (extra != 0)
 			  {
 			      name += extra;
+			      if (name >= rettv->vval.v_string + len)
+				  iemsg("get_string_tv() used more space than allocated");
 			      break;
 			  }
 			  // FALLTHROUGH
 		default:  MB_COPY_CHAR(p, name);

Mercurial > vim

comparison src/eval.c @ 20526:9fd5414e294c v8.2.0817