Mercurial > vim
changeset 28741:b44f15083faf v8.2.4895
patch 8.2.4895: buffer overflow with invalid command with composing chars
Commit: https://github.com/vim/vim/commit/d88934406c5375d88f8f1b65331c9f0cab68cc6c
Author: Bram Moolenaar <Bram@vim.org>
Date: Fri May 6 20:38:47 2022 +0100
patch 8.2.4895: buffer overflow with invalid command with composing chars
Problem: Buffer overflow with invalid command with composing chars.
Solution: Check that the whole character fits in the buffer.
author | Bram Moolenaar <Bram@vim.org> |
---|---|
date | Fri, 06 May 2022 21:45:02 +0200 |
parents | da9f84bdc1c8 |
children | 0b11342bb900 |
files | src/ex_docmd.c src/testdir/test_cmdline.vim src/version.c |
diffstat | 3 files changed, 16 insertions(+), 1 deletions(-) [+] |
line wrap: on
line diff
--- a/src/ex_docmd.c +++ b/src/ex_docmd.c @@ -3435,7 +3435,7 @@ append_command(char_u *cmd) STRCAT(IObuff, ": "); d = IObuff + STRLEN(IObuff); - while (*s != NUL && d - IObuff < IOSIZE - 7) + while (*s != NUL && d - IObuff + 5 < IOSIZE) { if (enc_utf8 ? (s[0] == 0xc2 && s[1] == 0xa0) : *s == 0xa0) { @@ -3443,6 +3443,8 @@ append_command(char_u *cmd) STRCPY(d, "<a0>"); d += 4; } + else if (d - IObuff + (*mb_ptr2len)(s) + 1 >= IOSIZE) + break; else MB_COPY_CHAR(s, d); }
--- a/src/testdir/test_cmdline.vim +++ b/src/testdir/test_cmdline.vim @@ -3353,6 +3353,17 @@ func Test_cmdline_complete_scriptnames() set wildmenu& endfunc +" this was going over the end of IObuff +func Test_report_error_with_composing() + let caught = 'no' + try + exe repeat('0', 987) .. "0\xdd\x80\xdd\x80\xdd\x80\xdd\x80" + catch /E492:/ + let caught = 'yes' + endtry + call assert_equal('yes', caught) +endfunc + " Test for expanding 2-letter and 3-letter :substitute command arguments. " These commands don't accept an argument. func Test_cmdline_complete_substitute_short()