changeset 3812:f86619764a1e v7.3.664

updated for version 7.3.664 Problem: Buffer overflow in unescaping text. (Raymond Ko) Solution: Limit check for multi-byte character to 4 bytes.
author Bram Moolenaar <bram@vim.org>
date Tue, 18 Sep 2012 18:03:37 +0200
parents 996f1a928627
children d979db245f57
files src/mbyte.c src/version.c
diffstat 2 files changed, 12 insertions(+), 4 deletions(-) [+]
--- a/src/mbyte.c
+++ b/src/mbyte.c
@@ -3793,13 +3793,15 @@ mb_charlen_len(str, len)
 mb_unescape(pp)
     char_u **pp;
 {
-    static char_u	buf[MB_MAXBYTES + 1];
-    int			n, m = 0;
+    static char_u	buf[6];
+    int			n;
+    int			m = 0;
     char_u		*str = *pp;
 
     /* Must translate K_SPECIAL KS_SPECIAL KE_FILLER to K_SPECIAL and CSI
-     * KS_EXTRA KE_CSI to CSI. */
-    for (n = 0; str[n] != NUL && m <= MB_MAXBYTES; ++n)
+     * KS_EXTRA KE_CSI to CSI.
+     * Maximum length of a utf-8 character is 4 bytes. */
+    for (n = 0; str[n] != NUL && m < 4; ++n)
     {
 	if (str[n] == K_SPECIAL
 		&& str[n + 1] == KS_SPECIAL
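Review bot: The new array size `6` and the loop limit `4` are independent bare literals, so nothing keeps the bound below the buffer size if either one is edited later; the removed lines suggest the original overflow came from just such a size/bound mismatch. The stores into `buf` are in the part of the loop body between the two hunks and are not shown, but presumably each iteration stores at most one byte plus a terminating NUL, which 6 bytes cover while `m < 4`. I would record that invariant on the declaration, e.g. `static char_u buf[6];	/* at most 4 character bytes + NUL; loop below stops at m < 4 */`. The comment justifies the limit by UTF-8 alone; whether other multi-byte encodings can reach this path is not visible here and is worth confirming.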
@@ -3836,6 +3838,10 @@ mb_unescape(pp)
 	    *pp = str + n + 1;
 	    return buf;
 	}
+
+	/* Bail out quickly for ASCII. */
+	if (buf[0] < 128)
+	    break;
     }
     return NULL;
 }
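Review bot: `return buf;` hands the caller a pointer to the function-local `static` array, which this patch shrinks from `MB_MAXBYTES + 1` to 6 bytes, so the result is valid only until the next call and callers must not assume the old capacity. The function's header comment is outside this hunk; if it does not already say so, I would add `/* Returns a pointer to a static 6-byte buffer that the next call overwrites; NULL when no multi-byte character was found. */`. On the new early exit, `0x80` would read more clearly than `128` as the first non-ASCII byte value, and the comment could note that the check relies on `buf[0]` having been stored in this iteration.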
--- a/src/version.c
+++ b/src/version.c
@@ -720,6 +720,8 @@ static char *(features[]) =
 static int included_patches[] =
 {   /* Add new patch number below this line */
 /**/
+    664,
+/**/
     663,
 /**/
     662,