# HG changeset patch # User Bram Moolenaar # Date 1660669204 -7200 # Node ID 0cea0cdcce92224e4c881026adc66eedcf816b96 # Parent 946d96da668b6127d93ff66b70bae2c84f10af2b patch 9.0.0220: invalid memory access with for loop over NULL string Commit: https://github.com/vim/vim/commit/f6d39c31d2177549a986d170e192d8351bd571e2 Author: Bram Moolenaar Date: Tue Aug 16 17:50:38 2022 +0100 patch 9.0.0220: invalid memory access with for loop over NULL string Problem: Invalid memory access with for loop over NULL string. Solution: Make sure mb_ptr2len() consistently returns zero for NUL. diff --git a/src/globals.h b/src/globals.h --- a/src/globals.h +++ b/src/globals.h @@ -1035,7 +1035,8 @@ EXTERN vimconv_T output_conv; // type * (DBCS). * The value is set in mb_init(); */ -// length of char in bytes, including following composing chars +// Length of char in bytes, including any following composing chars. +// NUL has length zero. EXTERN int (*mb_ptr2len)(char_u *p) INIT(= latin_ptr2len); // idem, with limit on string length diff --git a/src/mbyte.c b/src/mbyte.c --- a/src/mbyte.c +++ b/src/mbyte.c @@ -1077,24 +1077,28 @@ dbcs_char2bytes(int c, char_u *buf) } /* - * mb_ptr2len() function pointer. - * Get byte length of character at "*p" but stop at a NUL. - * For UTF-8 this includes following composing characters. - * Returns 0 when *p is NUL. + * Get byte length of character at "*p". Returns zero when "*p" is NUL. + * Used for mb_ptr2len() when 'encoding' latin. */ int latin_ptr2len(char_u *p) { - return MB_BYTE2LEN(*p); + return *p == NUL ? 0 : 1; } +/* + * Get byte length of character at "*p". Returns zero when "*p" is NUL. + * Used for mb_ptr2len() when 'encoding' DBCS. + */ static int -dbcs_ptr2len( - char_u *p) +dbcs_ptr2len(char_u *p) { int len; - // Check if second byte is not missing. + if (*p == NUL) + return 0; + + // if the second byte is missing the length is 1 len = MB_BYTE2LEN(*p); if (len == 2 && p[1] == NUL) len = 1; 
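Review bot: The new `if (*p == NUL) return 0;` guard in dbcs_ptr2len() has no comment saying why it must come before `MB_BYTE2LEN(*p)`, and that ordering is the whole fix. Judging by the removed `return MB_BYTE2LEN(*p);` in latin_ptr2len(), the macro appears to give a non-zero length for NUL, so a caller stepping with `p += mb_ptr2len(p)` could walk past the string terminator. I would put `// MB_BYTE2LEN() is non-zero for NUL; return 0 so callers never step past the terminator` above the guard. Callers are not visible in this hunk, but two kinds are worth auditing: code that advances a pointer with `MB_BYTE2LEN()` directly is not covered by this change, and a loop that relied on the old length of 1 without testing `*p` will now stop advancing at NUL. Both functions still dereference `p` unconditionally, so a NULL pointer (as opposed to a NUL byte) has to be excluded by the caller; the body of dbcs_ptr2len() continues past the end of the hunk.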
@@ -2105,6 +2109,7 @@ utf_ptr2len_len(char_u *p, int size) /* * Return the number of bytes the UTF-8 encoding of the character at "p" takes. * This includes following composing characters. + * Returns zero for NUL. */ int utfc_ptr2len(char_u *p) 
diff --git a/src/testdir/test_eval_stuff.vim b/src/testdir/test_eval_stuff.vim index c63082e8e8b6dcc823d2fee3f3054ee363e8f11e..313d791850c003bfbe907b33d89e440567ea3d13 GIT binary patch literal 23887 zc%02#{c_{Dk{5{wBr!vgI+Bv@ z%x+bl<{sf*;NB!plEw$|K>`##ldX++MYpK6$>hm-G40QZCF3K@Zzl&4cdy~LtVTQW;IE(Y?TIxv)dhU<(`v~|- zJOgp=+O3U$hHVjJ|FM6(`oI?p629D@P z)sc)doZu4o>heUfFkC)ww8p$=aKM`?sRM74WLlIt=nO8t8{db=3f17Ei#kCVfilDd zf^&3CI1L_3oOc>!DRjUlAj6jWDkz46JP%&b7=1WC*!!*XfZ|08qm6`8HgAMHIX@Xvl;HJCTwoMss}%??(53*d zf>xsdu83>JX^Hc+@)NX%u$U79hU1BJtAI2do!IE6VOo;4ybZPYU%~sy4crTK{#XvenZ{Ul}7ElUTJxo`FuRf3Nb;lXo-IOL1~0Tqca*{bG1tM@Tvl2nYb+| z4w%6Gnsgzo)(kMhKfgm0pCLK4jGqq<$bHDkBmk261%b~lozH5@u0_2yDIVy+(hRRegG-)rVqIBjGewf@ro{2N20OX`IGo3{m5+P_e=gxnIb5 zcn>l3atvYA?~ev2$ClnAeWch(X_9qDb2imbwJMpdjJi1wn>n7(@4x?^*cZOo{mu0c z4psXHMS#s4Two&z;S2a`O6UTb8q^wS(_s}nn{>#7bV0}UXkSANts`}gH5FY>w~s#1@rLmd}1C#XSI#R!pvM+x3!vPsF-HE4RYNg z!%h|%y0(QlwF8&MF!`RzL6QRZ=vD@i%gKe6E2v|>4`tZ$;w1ZB231o_%UCi3QZ;J# za}Jrg`H6MydBJHFC3X^4mkHTcJ3`(7{){TZyerx!hAA<>dZ)fkx9cIqrsg_xJ2&6&sAydV z0HTPeZ^_xCebaNAL0;+CU)3c{skDlmn!~tib9DopyL7F_Z&{sfR^|^jYQ%IdKR52< z)}ds~LM>L3Vy@>lRL|Y!M|8c6+;bZJUfFf(b_BJY!)DlPu(n=chbWH>s4Z zt4>naK~9$b6(aw<8=_76G0mRR3eSM=16Db}U$W4i0W?AUMQT<_>c|-_gEYlSox7Gz zD36vls}OQ#Si(+MaXKyHzhbe|92bxqLz|>AM4p$u6eV7f!g85yN^~+pVO%06fBclMg=n@^Cvp>s3 z%1MJ~m_`MqZiegX$<3md1}l7k%9l0St`3q-^#wjeg5a8e!mT+j1Q(2VflClauAzts zwM5w9g15pLIuTPW+^ID-h)6ISG@q_i+zfw>#cL&RY0KknS#~{u6ygESMH2E~4$Zp5 zNNiy!c6S}(ty}ouPjZ|Ol=RVQmS_S=05U&!T(tKHJ#sxxaUrGxE({(?m&qY8nPb9LWgHN_((G zJD?tOO}--;g;iSxs;#btv93io=w${O#6(og2X{;@KPI$e@+6@S=(++FwII6I5K(Fg zfiVkgmfFrJDMLHdgj^&oP~U4%DU0H`N@)#tJ7pIYYD`3_9cK64gIAcHBV?RLoKmh) zw~m~z>#iEVQR9%;-!P?&3Wut~Hv;61P(?4ZfedRPZ`uJd&kwplqT~_-;}+m7wVh#7 zhIXvR7`>Icva}w8zeLuhW8Z?Jzs_{5Dm#O>oqKZxjbsK}x{}wK{Wt zhN6;xNAD4p!{b4R{u|geV3OMP;H|aT;Z;&T!zQT1ALT=OTTSyt9MEk`*pJk(f2)M> zTVaEGsZFOy59hb`Abwksv`t92HDr`tgCc||NL#61gIvJdp+ejAf2+no368Rv5DJk^ zg}U%`QEzPKHtIOz)px8Xj4IC5Ub<5Zep+-un)|9p 
zwpXTh7-7wo?gid^p_5)_Lp-l_$-NQVeTA(pLf)(C$~`sZeWZX8A|5-@bVe+gjL;Xn z`Wre3ynz|}LfX`;vW{;Au5Scnz03x2QG@tRHPajLEjhk#Ww!$YBgmxz18%VZ)=F&R#+T#yUl^#TMnm(>BsWSN-r_$7`;$p}nuqf<8;7M8tfDOZp}X zd3;yw4w-D^4(X%HPFu1=Io^jd4%A9J@1PB>dj@RCGGG?p4OOSO8LC5FLTi?HSOz*`2;;t5eR$-b4Ax|Ja7rJYxSX8X-5cy~kg1Nt3HKGj5b5>>Oj>$0!KbTn1= z4v^1C;cjS#hy_INA@ym>_>c-j{HMY~h|6JjrtOl-8yH*Dc&?X4p?OUq13pa&OMRF8 zSmjU=s|i(y0C6n?MAQ}`^u78a+h`v~YE0nM{!n>XvXib$E-|jL?TRM}3n*TI_%{)9{+O9Z-=5$Ht38nzQP4Aq#!^NC@o#H3wxU6K?Q zrQ~{_a+(tr9%g(?$kHdH5aq1W(s&C$*Lt$925{MKlpXYb0;VXWo>R9!{JLD!YDbLMXpuxltLZOMwhC=g?d ze{0*_>L{zO62rKB4R6;4g_*x~fx$;q*p><1HRF&vFqr`J@T{&vXBKr?Pg1 zJ5_n!_%A5=6`}Ptf3`5JcL4`s-~9OFcb#`ZMu!72U>sJ!Lm-QYqr;)B8C7LK6nVFh!~weHk<**3x=b#6`#&Rfr7rzgqiUe>(R0=C{rfa^W|MYSKxG zDxTaAmAa8Ar5$XaSoB}(kalFuXKg5VLn&30FD3?#Q<(>t3}I?2MXA%|$cgAz$IX;>gD$5D6F+WO4Js}{ZOeJiPEb3+kTnym3OZ2O0)A; zl)IsntF<7eTaHwjU6~AFbSg!u)8xqc{a44)`PVh1rP_4QCw2$vJ%#kHLgv1*Y&8>{ zlTqjmYM#K#R9|2vL#=+K)CiBT{g?nVpBQKoWN(NTwfmvkLanu`S0sMfFG8B=87@z& zuSt{-$^Ip=b^iSjYqRb$T9=}FpCWswitI7Sqa{7yi@Yp@3;Kp#-K&l&uR5~q?hyj9 zzjY)GbtH_hm)Vp)swsVBjCGWX3I(;h;87wyTuV%i@(#G1F{3t4!edIu^tD)O+-9kY z^+3EEbHrbcF}CDzlJvo`*kQcW4vGl1)l{|%PD0Wd-9z?QO4izOYsx> z31w;W^7Wp0-%mU7N^p>u>PnoJ1;HqesX#a>_z_sN>0pbgck*K+`TKhkOP>?IouibT zew3z|9gJCK=*Po%INxG&+y+`_;M!qAUX3FMaTLpJlgv=Di6V@-5b|Erln4gXkrQa# z|8T{-W^lc)y%R?Y9(A^CO->(s6NRD}uE*{sC9faN*m)h^i!_VcQKTuhRob*q)oljL z(Jp)?2QzIMgtH7?JjE&bqVG97%h;iH{!Wm3cU8^RJJIP*xv$x*GN*(=K6)CzC-mgNC@3ta|GDaDV(*!Hp8YjhmD+nHIeR`z4u#@;*5mawK62QX z-|+-Vt*OrEPI4}XM4=CkM|y@#43zoo%y4F*iFy15%p@Mru;Z|EFC9mRZg|@++T_X0 z6hy|0bOjDAj|jXdwn0u_N+jRa!6=K11utDFr3rl>uvWM*6@GGy3%5_{f2QY8EZ~+> z{#;X!A2&dm$w9c}LSm~>2)RfKMpQDAqR~G?HtM6gbSU~~$~QIex)y+FlgiFhZWrn; z>qO(hAsDYAG=WnT)k$9tJ?a!a1qI3>@{$lkUh~f8s3?QzqtPiH{EU$cQySGE$7>wG zq~8Oi-eBPKV==vx^9wW)ITFk-8RAWE@dfJjREKrYe^1~2X>$Aa`a60E<&qqo3c)ER zFOV;TJcvq|mgt#%Ax5}}f;FBUpr>UF$rwEcwE!8jYy&gaA+08g&^^65%vT@rOVQgW zZ>fWtL^wavnZ8_2bPZB;N%FZXvxIV=|1L6?6x{QKYj_X=I!u4Y%f=Q5Bn#R-J#0=k79 
zw|RN{!&TJ{LK)|QGZSMskBs2wfG9))^}ZbHdRx`8*Vbm9ZS6o@s!Jn;)GGJz!Osxo zMwc?#6hu7$tU@iqI^pu(zml8{NKo5~$2a4d;Y2_p4Q^PIAWa=Q8k<7KFdGli05_@* zt0KoKu&$m0+WH9F6!i3Ja6tEy3yxmIGmI{;DzAhQmzUff>6yOkED1{Rc_w^M9{Nr5 zkHIJJ@b_SjcZY|cuKq3kDgFQd`}g0dV`>|(E+BJ@=jBs8E0<#*1QqZJMh4%8jArj2 DsI^G< diff --git a/src/version.c b/src/version.c --- a/src/version.c +++ b/src/version.c @@ -736,6 +736,8 @@ static char *(features[]) = static int included_patches[] = { /* Add new patch number below this line */ /**/ + 220, +/**/ 219, /**/ 218,