Mercurial > vim
comparison src/misc2.c @ 13092:d5647746c267 v8.0.1421
patch 8.0.1421: accessing invalid memory with overlong byte sequence
commit https://github.com/vim/vim/commit/e6640ad44e2186bd3642b972115496d347cd1fdd
Author: Bram Moolenaar <Bram@vim.org>
Date: Fri Dec 22 21:06:56 2017 +0100
patch 8.0.1421: accessing invalid memory with overlong byte sequence
Problem: Accessing invalid memory with overlong byte sequence.
Solution: Check for NUL character. (test by Dominique Pelle, closes https://github.com/vim/vim/issues/2485)
author | Christian Brabandt <cb@256bit.org> |
---|---|
date | Fri, 22 Dec 2017 21:15:05 +0100 |
parents | 25ab78f14c8b |
children | 7ab8c5983983 |
comparison
equal
deleted
inserted
replaced
13091:2c1ce698df03 | 13092:d5647746c267 |
---|---|
1620 int c, uc; | 1620 int c, uc; |
1621 int newl; | 1621 int newl; |
1622 char_u *s; | 1622 char_u *s; |
1623 | 1623 |
1624 c = utf_ptr2char(p); | 1624 c = utf_ptr2char(p); |
1625 l = utf_ptr2len(p); | |
1626 if (c == 0) | |
1627 { | |
1628 /* overlong sequence, use only the first byte */ | |
1629 c = *p; | |
1630 l = 1; | |
1631 } | |
1625 uc = utf_toupper(c); | 1632 uc = utf_toupper(c); |
1626 | 1633 |
1627 /* Reallocate string when byte count changes. This is rare, | 1634 /* Reallocate string when byte count changes. This is rare, |
1628 * thus it's OK to do another malloc()/free(). */ | 1635 * thus it's OK to do another malloc()/free(). */ |
1629 l = utf_ptr2len(p); | |
1630 newl = utf_char2len(uc); | 1636 newl = utf_char2len(uc); |
1631 if (newl != l) | 1637 if (newl != l) |
1632 { | 1638 { |
1633 s = alloc((unsigned)STRLEN(res) + 1 + newl - l); | 1639 s = alloc((unsigned)STRLEN(res) + 1 + newl - l); |
1634 if (s == NULL) | 1640 if (s == NULL) |
1683 int c, lc; | 1689 int c, lc; |
1684 int newl; | 1690 int newl; |
1685 char_u *s; | 1691 char_u *s; |
1686 | 1692 |
1687 c = utf_ptr2char(p); | 1693 c = utf_ptr2char(p); |
1694 l = utf_ptr2len(p); | |
1695 if (c == 0) | |
1696 { | |
1697 /* overlong sequence, use only the first byte */ | |
1698 c = *p; | |
1699 l = 1; | |
1700 } | |
1688 lc = utf_tolower(c); | 1701 lc = utf_tolower(c); |
1689 | 1702 |
1690 /* Reallocate string when byte count changes. This is rare, | 1703 /* Reallocate string when byte count changes. This is rare, |
1691 * thus it's OK to do another malloc()/free(). */ | 1704 * thus it's OK to do another malloc()/free(). */ |
1692 l = utf_ptr2len(p); | |
1693 newl = utf_char2len(lc); | 1705 newl = utf_char2len(lc); |
1694 if (newl != l) | 1706 if (newl != l) |
1695 { | 1707 { |
1696 s = alloc((unsigned)STRLEN(res) + 1 + newl - l); | 1708 s = alloc((unsigned)STRLEN(res) + 1 + newl - l); |
1697 if (s == NULL) | 1709 if (s == NULL) |