diff options
| author | Bram Moolenaar <Bram@vim.org> | 2017-04-02 15:45:17 +0200 |
|---|---|---|
| committer | Bram Moolenaar <Bram@vim.org> | 2017-04-02 15:45:17 +0200 |
| commit | fa0ad0bb0b4255e64ebcf9269d60a942e0ae7ff9 (patch) | |
| tree | ae65d2686b40af1da994593c849770d973651095 | |
| parent | 69f40be64555d50f603c6f22722cf762aaa6bbc1 (diff) | |
patch 8.0.0537: illegal memory access with :z and large countv8.0.0537
Problem: Illegal memory access with :z and large count.
Solution: Check for number overflow, using long instead of int. (Dominique
Pelle, closes #1612)
| -rw-r--r-- | src/Makefile | 3 | ||||
| -rw-r--r-- | src/ex_cmds.c | 9 | ||||
| -rw-r--r-- | src/testdir/test_alot.vim | 5 | ||||
| -rw-r--r-- | src/testdir/test_ex_z.vim | 78 | ||||
| -rw-r--r-- | src/version.c | 2 |
5 files changed, 92 insertions, 5 deletions
diff --git a/src/Makefile b/src/Makefile index 82da653e74..5ceae2fff9 100644 --- a/src/Makefile +++ b/src/Makefile @@ -2122,10 +2122,10 @@ test_arglist \ test_delete \ test_diffmode \ test_digraph \ - test_functions \ test_display \ test_edit \ test_ex_undo \ + test_ex_z \ test_execute_func \ test_expand \ test_expand_dllpath \ @@ -2142,6 +2142,7 @@ test_arglist \ test_fnameescape \ test_fnamemodify \ test_fold \ + test_functions \ test_ga \ test_gf \ test_glob2regpat \ diff --git a/src/ex_cmds.c b/src/ex_cmds.c index 6940e55277..4b0bdef59c 100644 --- a/src/ex_cmds.c +++ b/src/ex_cmds.c @@ -4564,7 +4564,7 @@ ex_change(exarg_T *eap) ex_z(exarg_T *eap) { char_u *x; - int bigness; + long bigness; char_u *kind; int minus = 0; linenr_T start, end, curs, i; @@ -4601,7 +4601,12 @@ ex_z(exarg_T *eap) } else { - bigness = atoi((char *)x); + bigness = atol((char *)x); + + /* bigness could be < 0 if atol(x) overflows. */ + if (bigness > 2 * curbuf->b_ml.ml_line_count || bigness < 0) + bigness = 2 * curbuf->b_ml.ml_line_count; + p_window = bigness; if (*kind == '=') bigness += 2; diff --git a/src/testdir/test_alot.vim b/src/testdir/test_alot.vim index 56a3f8edf5..e961e99451 100644 --- a/src/testdir/test_alot.vim +++ b/src/testdir/test_alot.vim @@ -8,10 +8,11 @@ source test_changedtick.vim source test_cursor_func.vim source test_delete.vim source test_ex_undo.vim +source test_ex_z.vim source test_execute_func.vim source test_expand.vim -source test_expr.vim source test_expand_dllpath.vim +source test_expr.vim source test_feedkeys.vim source test_file_perm.vim source test_fileformat.vim @@ -30,9 +31,9 @@ source test_join.vim source test_jumps.vim source test_lambda.vim source test_lispwords.vim +source test_mapping.vim source test_match.vim source test_menu.vim -source test_mapping.vim source test_messages.vim source test_partial.vim source test_popup.vim diff --git a/src/testdir/test_ex_z.vim b/src/testdir/test_ex_z.vim new file mode 100644 index 0000000000..608a36c490 --- /dev/null +++ b/src/testdir/test_ex_z.vim @@ -0,0 +1,78 @@ +" Test :z + +func Test_z() + call setline(1, range(1, 100)) + + let a = execute('20z3') + call assert_equal("\n20\n21\n22", a) + call assert_equal(22, line('.')) + " 'window' should be set to the {count} value. + call assert_equal(3, &window) + + " If there is only one window, then twice the amount of 'scroll' is used. + set scroll=2 + let a = execute('20z') + call assert_equal("\n20\n21\n22\n23", a) + call assert_equal(23, line('.')) + + let a = execute('20z+3') + " FIXME: I would expect the same result as '20z3' but it + " gives "\n21\n22\n23" instead. Bug in Vim or in ":help :z"? + "call assert_equal("\n20\n21\n22", a) + "call assert_equal(22, line('.')) + + let a = execute('20z-3') + call assert_equal("\n18\n19\n20", a) + call assert_equal(20, line('.')) + + let a = execute('20z=3') + call assert_match("^\n18\n19\n-\\+\n20\n-\\+\n21\n22$", a) + call assert_equal(20, line('.')) + + let a = execute('20z^3') + call assert_equal("\n14\n15\n16\n17", a) + call assert_equal(17, line('.')) + + let a = execute('20z.3') + call assert_equal("\n19\n20\n21", a) + call assert_equal(21, line('.')) + + let a = execute('20z#3') + call assert_equal("\n 20 20\n 21 21\n 22 22", a) + call assert_equal(22, line('.')) + + let a = execute('20z#-3') + call assert_equal("\n 18 18\n 19 19\n 20 20", a) + call assert_equal(20, line('.')) + + let a = execute('20z#=3') + call assert_match("^\n 18 18\n 19 19\n-\\+\n 20 20\n-\\+\n 21 21\n 22 22$", a) + call assert_equal(20, line('.')) + + " Test with {count} bigger than the number of lines in buffer. + let a = execute('20z1000') + call assert_match("^\n20\n21\n.*\n99\n100$", a) + call assert_equal(100, line('.')) + + let a = execute('20z-1000') + call assert_match("^\n1\n2\n.*\n19\n20$", a) + call assert_equal(20, line('.')) + + let a = execute('20z=1000') + call assert_match("^\n1\n.*\n-\\+\n20\n-\\\+\n.*\n100$", a) + call assert_equal(20, line('.')) + + call assert_fails('20z=a', 'E144:') + + set window& scroll& + bw! +endfunc + +func Test_z_bug() + " This used to access invalid memory as a result of an integer overflow + " and freeze vim. + normal ox + normal Heat + z777777776666666 + ') +endfunc diff --git a/src/version.c b/src/version.c index fd62728699..dc7cfb53cf 100644 --- a/src/version.c +++ b/src/version.c @@ -765,6 +765,8 @@ static char *(features[]) = static int included_patches[] = { /* Add new patch number below this line */ /**/ + 537, +/**/ 536, /**/ 535, |