comparison src/misc2.c @ 13092:d5647746c267 v8.0.1421

patch 8.0.1421: accessing invalid memory with overlong byte sequence commit https://github.com/vim/vim/commit/e6640ad44e2186bd3642b972115496d347cd1fdd Author: Bram Moolenaar <Bram@vim.org> Date: Fri Dec 22 21:06:56 2017 +0100 patch 8.0.1421: accessing invalid memory with overlong byte sequence Problem: Accessing invalid memory with overlong byte sequence. Solution: Check for NUL character. (test by Dominique Pelle, closes https://github.com/vim/vim/issues/2485)
author Christian Brabandt <cb@256bit.org>
date Fri, 22 Dec 2017 21:15:05 +0100
parents 25ab78f14c8b
children 7ab8c5983983
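--- a/src/misc2.c
+++ b/src/misc2.c
@@ -1620,15 +1620,21 @@
 int c, uc;
 int newl;
 char_u *s;
 
 c = utf_ptr2char(p);
+l = utf_ptr2len(p);
+if (c == 0)
+{
+/* overlong sequence, use only the first byte */
+c = *p;
+l = 1;
+}
 uc = utf_toupper(c);
 
 /* Reallocate string when byte count changes. This is rare,
 * thus it's OK to do another malloc()/free(). */
-l = utf_ptr2len(p);
 newl = utf_char2len(uc);
 if (newl != l)
 {
 s = alloc((unsigned)STRLEN(res) + 1 + newl - l);
 if (s == NULL)
@@ -1683,15 +1689,21 @@
 int c, lc;
 int newl;
 char_u *s;
 
 c = utf_ptr2char(p);
+l = utf_ptr2len(p);
+if (c == 0)
+{
+/* overlong sequence, use only the first byte */
+c = *p;
+l = 1;
+}
 lc = utf_tolower(c);
 
 /* Reallocate string when byte count changes. This is rare,
 * thus it's OK to do another malloc()/free(). */
-l = utf_ptr2len(p);
 newl = utf_char2len(lc);
 if (newl != l)
 {
 s = alloc((unsigned)STRLEN(res) + 1 + newl - l);
 if (s == NULL)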
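Review bot: In the `c == 0` fallback of both hunks (new lines 1626–1631 and 1695–1700), `c = *p` passes a raw byte from an invalid sequence to `utf_toupper()`/`utf_tolower()` as if it were a code point. With `l` forced to 1, any such byte of 0x80 or above presumably gives a `newl` of 2 from `utf_char2len()`, so the `newl != l` branch would reallocate and re-encode the stray byte as a different, valid character rather than leaving it alone. If the enclosing loop tolerates it, stepping over the byte unchanged is simpler: `if (c == 0) { ++p; continue; }`. The comment could also state why zero means overlong here, e.g. `/* *p is not NUL, so a zero code point is an overlong encoding of NUL */`. The loop header and the rest of both functions are outside the hunks, so the loop condition and the ownership of `res` need confirming before applying this.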