diff options
| author | Yegappan Lakshmanan <yegappan@yahoo.com> | 2021-12-19 19:19:31 +0000 |
|---|---|---|
| committer | Bram Moolenaar <Bram@vim.org> | 2021-12-19 19:19:31 +0000 |
| commit | bc404bfb32cf2bef34050d2aeae0ea72ccf980cc (patch) | |
| tree | 31d8afcbb43b5cde41311e847caddcc199d42178 | |
| parent | 86b3ab4fa0de3e8884ab6a6ced2a70592b937d0f (diff) | |
patch 8.2.3855: illegal memory access when displaying a blobv8.2.3855
Problem: Illegal memory access when displaying a blob.
Solution: Append a NUL at the end. (Yegappan Lakshmanan, closes #9372)
| -rw-r--r-- | src/blob.c | 1 | ||||
| -rw-r--r-- | src/regexp_nfa.c | 6 | ||||
| -rw-r--r-- | src/testdir/test_blob.vim | 7 | ||||
| -rw-r--r-- | src/testdir/test_messages.vim | 2 | ||||
| -rw-r--r-- | src/version.c | 2 |
5 files changed, 14 insertions, 4 deletions
diff --git a/src/blob.c b/src/blob.c index 0458571181..5658370527 100644 --- a/src/blob.c +++ b/src/blob.c @@ -240,6 +240,7 @@ blob2string(blob_T *blob, char_u **tofree, char_u *numbuf) vim_snprintf((char *)numbuf, NUMBUFLEN, "%02X", (int)blob_get(blob, i)); ga_concat(&ga, numbuf); } + ga_append(&ga, NUL); // append a NUL at the end *tofree = ga.ga_data; return *tofree; } diff --git a/src/regexp_nfa.c b/src/regexp_nfa.c index 9dc246d287..4d7d553bdc 100644 --- a/src/regexp_nfa.c +++ b/src/regexp_nfa.c @@ -2917,20 +2917,20 @@ nfa_print_state2(FILE *debugf, nfa_state_T *state, garray_T *indent) ga_concat(indent, (char_u *)"| "); else ga_concat(indent, (char_u *)" "); - ga_append(indent, '\0'); + ga_append(indent, NUL); nfa_print_state2(debugf, state->out, indent); // replace last part of indent for state->out1 indent->ga_len -= 3; ga_concat(indent, (char_u *)" "); - ga_append(indent, '\0'); + ga_append(indent, NUL); nfa_print_state2(debugf, state->out1, indent); // shrink indent indent->ga_len -= 3; - ga_append(indent, '\0'); + ga_append(indent, NUL); } /* diff --git a/src/testdir/test_blob.vim b/src/testdir/test_blob.vim index bd816af4a5..3ce95756f1 100644 --- a/src/testdir/test_blob.vim +++ b/src/testdir/test_blob.vim @@ -680,5 +680,12 @@ func Test_list2blob() call assert_equal(0z00010203, list2blob(range(4))) endfunc +" The following used to cause an out-of-bounds memory access +func Test_blob2string() + let v = '0z' .. repeat('01010101.', 444) + let v ..= '01' + exe 'let b = ' .. v + call assert_equal(v, string(b)) +endfunc " vim: shiftwidth=2 sts=2 expandtab diff --git a/src/testdir/test_messages.vim b/src/testdir/test_messages.vim index 5724eb6a3a..62b5b2910e 100644 --- a/src/testdir/test_messages.vim +++ b/src/testdir/test_messages.vim @@ -341,7 +341,7 @@ endfunc func Test_echo_string_partial() function CountSpaces() endfunction - echomsg function('CountSpaces', [#{aaaaaaaaaaa: v:false, bbbbbbbbbbbb: '', ccccccccccc: ['ab', 'cd']}]) + call assert_equal("function('CountSpaces', [{'ccccccccccc': ['ab', 'cd'], 'aaaaaaaaaaa': v:false, 'bbbbbbbbbbbb': ''}])", string(function('CountSpaces', [#{aaaaaaaaaaa: v:false, bbbbbbbbbbbb: '', ccccccccccc: ['ab', 'cd']}]))) endfunc " vim: shiftwidth=2 sts=2 expandtab diff --git a/src/version.c b/src/version.c index 52cc584e03..873b972145 100644 --- a/src/version.c +++ b/src/version.c @@ -750,6 +750,8 @@ static char *(features[]) = static int included_patches[] = { /* Add new patch number below this line */ /**/ + 3855, +/**/ 3854, /**/ 3853, |