comparison src/eval.c @ 20526:9fd5414e294c v8.2.0817
patch 8.2.0817: not enough memory allocated when converting string
Commit: https://github.com/vim/vim/commit/f7271e831614d15d173c7f562cc26f48c2554ce9
Author: Bram Moolenaar <Bram@vim.org>
Date: Sun May 24 18:45:07 2020 +0200
patch 8.2.0817: not enough memory allocated when converting string
Problem: Not enough memory allocated when converting string with special
character.
Solution: Reserve space for modifier code. (closes #6130)
author | Bram Moolenaar <Bram@vim.org> |
---|---|
date | Sun, 24 May 2020 19:00:03 +0200 |
parents | 5950284a517f |
children | 489cb75c76b6 |
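--- a/src/eval.c
+++ b/src/eval.c
@@ -3501,23 +3501,25 @@
 get_string_tv(char_u **arg, typval_T *rettv, int evaluate)
 {
 char_u *p;
 char_u *name;
 int extra = 0;
+int len;
 
 /*
 * Find the end of the string, skipping backslashed characters.
 */
 for (p = *arg + 1; *p != NUL && *p != '"'; MB_PTR_ADV(p))
 {
 if (*p == '\\' && p[1] != NUL)
 {
 ++p;
 // A "\<x>" form occupies at least 4 characters, and produces up
-// to 6 characters: reserve space for 2 extra
+// to 9 characters (6 for the char and 3 for a modifier): reserve
+// space for 5 extra.
 if (*p == '<')
-extra += 2;
+extra += 5;
 }
 }
 
 if (*p != '"')
 {
@@ -3534,11 +3536,12 @@
 
 /*
 * Copy the string into allocated memory, handling backslashed
 * characters.
 */
-name = alloc(p - *arg + extra);
+len = (int)(p - *arg + extra);
+name = alloc(len);
 if (name == NULL)
 return FAIL;
 rettv->v_type = VAR_STRING;
 rettv->vval.v_string = name;
 
@@ -3608,10 +3611,12 @@
 case '<': extra = trans_special(&p, name, TRUE, TRUE,
 TRUE, NULL);
 if (extra != 0)
 {
 name += extra;
+if (name >= rettv->vval.v_string + len)
+iemsg("get_string_tv() used more space than allocated");
 break;
 }
 // FALLTHROUGH
 
 default: MB_COPY_CHAR(p, name);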
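Review bot: The added check at new lines 3616–3617 runs after `trans_special()` has already written through `name`, so it reports an overrun of the `len`-byte allocation rather than preventing it; the write is still bounded only by the `extra += 5` reservation at new line 3520. That reservation is tied to the helper's maximum output (9 bytes per the comment) by a comment alone, and nothing visible here passes the remaining space to `trans_special()`. I would say so at the check, e.g. `// Diagnostic only: the bytes were already written, the bound is the "extra += 5" reservation above.`, and consider a named constant shared with `trans_special()` in place of the literal 5. The other escape cases of the switch and the terminating NUL are outside the visible lines, so whether they stay within `len` cannot be confirmed from this section.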