Mercurial > vim

diff src/misc2.c @ 13092:d5647746c267 v8.0.1421

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
patch 8.0.1421: accessing invalid memory with overlong byte sequence commit https://github.com/vim/vim/commit/e6640ad44e2186bd3642b972115496d347cd1fdd Author: Bram Moolenaar <Bram@vim.org> Date: Fri Dec 22 21:06:56 2017 +0100 patch 8.0.1421: accessing invalid memory with overlong byte sequence Problem: Accessing invalid memory with overlong byte sequence. Solution: Check for NUL character. (test by Dominique Pelle, closes https://github.com/vim/vim/issues/2485)
author Christian Brabandt <cb@256bit.org>
date Fri, 22 Dec 2017 21:15:05 +0100
parents 25ab78f14c8b
children 7ab8c5983983
line wrap: on
line diff
--- a/src/misc2.c
+++ b/src/misc2.c
@@ -1622,11 +1622,17 @@ strup_save(char_u *orig)
 		char_u	*s;
 
 		c = utf_ptr2char(p);
+		l = utf_ptr2len(p);
+		if (c == 0)
+		{
+		    /* overlong sequence, use only the first byte */
+		    c = *p;
+		    l = 1;
+		}
 		uc = utf_toupper(c);
 
 		/* Reallocate string when byte count changes.  This is rare,
 		 * thus it's OK to do another malloc()/free(). */
-		l = utf_ptr2len(p);
 		newl = utf_char2len(uc);
 		if (newl != l)
 		{
@@ -1685,11 +1691,17 @@ strlow_save(char_u *orig)
 		char_u	*s;
 
 		c = utf_ptr2char(p);
+		l = utf_ptr2len(p);
+		if (c == 0)
+		{
+		    /* overlong sequence, use only the first byte */
+		    c = *p;
+		    l = 1;
+		}
 		lc = utf_tolower(c);
 
 		/* Reallocate string when byte count changes.  This is rare,
 		 * thus it's OK to do another malloc()/free(). */
-		l = utf_ptr2len(p);
 		newl = utf_char2len(lc);
 		if (newl != l)
 		{