changeset 15959:4feaa025491b v8.1.0985

patch 8.1.0985: crash with large number in regexp commit https://github.com/vim/vim/commit/ab350f89f9646e07aefe16a32ba3ddb847496b4a Author: Bram Moolenaar <Bram@vim.org> Date: Thu Feb 28 06:25:00 2019 +0100 patch 8.1.0985: crash with large number in regexp Problem: Crash with large number in regexp. (Kuang-che Wu) Solution: Check for long becoming negative int. (closes #)
author Bram Moolenaar <Bram@vim.org>
date Thu, 28 Feb 2019 06:30:11 +0100
parents 5b3c0bb37ebc
children ee37b47d6a33
files src/regexp.c src/testdir/test_search.vim src/version.c
diffstat 3 files changed, 28 insertions(+), 3 deletions(-) [+]
line wrap: on
line diff
--- a/src/regexp.c
+++ b/src/regexp.c
@@ -2228,7 +2228,7 @@ regatom(int *flagp)
 				  default:  i = -1; break;
 			      }
 
-			      if (i < 0)
+			      if (i < 0 || i > INT_MAX)
 				  EMSG2_RET_NULL(
 					_("E678: Invalid character after %s%%[dxouU]"),
 					reg_magic == MAGIC_ALL);
@@ -3293,7 +3293,7 @@ coll_get_char(void)
 	case 'u': nr = gethexchrs(4); break;
 	case 'U': nr = gethexchrs(8); break;
     }
-    if (nr < 0)
+    if (nr < 0 || nr > INT_MAX)
     {
 	/* If getting the number fails be backwards compatible: the character
 	 * is a backslash. */
--- a/src/testdir/test_search.vim
+++ b/src/testdir/test_search.vim
@@ -1212,13 +1212,36 @@ func Test_search_Ctrl_L_combining()
   call Incsearch_cleanup()
 endfunc
 
-func Test_large_hex_chars()
+func Test_large_hex_chars1()
   " This used to cause a crash, the character becomes an NFA state.
   try
     /\%Ufffffc23
   catch
     call assert_match('E678:', v:exception)
   endtry
+  try
+    set re=1
+    /\%Ufffffc23
+  catch
+    call assert_match('E678:', v:exception)
+  endtry
+  set re&
+endfunc
+
+func Test_large_hex_chars2()
+  " This used to cause a crash, the character becomes an NFA state.
+  try
+    /[\Ufffffc1f]
+  catch
+    call assert_match('E486:', v:exception)
+  endtry
+  try
+    set re=1
+    /[\Ufffffc1f]
+  catch
+    call assert_match('E486:', v:exception)
+  endtry
+  set re&
 endfunc
 
 func Test_one_error_msg()
--- a/src/version.c
+++ b/src/version.c
@@ -780,6 +780,8 @@ static char *(features[]) =
 static int included_patches[] =
 {   /* Add new patch number below this line */
 /**/
+    985,
+/**/
     984,
 /**/
     983,