author | zeertzjq <zeertzjq@outlook.com> | 2022-04-15 13:17:57 +0100 |
---|---|---|
committer | Bram Moolenaar <Bram@vim.org> | 2022-04-15 13:17:57 +0100 |
commit | 5dc294a7b63ed0e508dd360bc4d98173f1a1aeec (patch) | |
tree | e108090b4983ba93c56c9d240d99ca3c4731fb4a | |
parent | 648dd88af67c7abac31915cbf0025f97031c96c1 (diff) |
patch 8.2.4752: wrong 'statusline' value can cause illegal memory accessv8.2.4752
Problem: Wrong 'statusline' value can cause illegal memory access.
Solution: Properly check the value. (closes #10192)
-rw-r--r-- | src/optionstr.c | 18 | ||||
-rw-r--r-- | src/testdir/test_options.vim | 8 | ||||
-rw-r--r-- | src/version.c | 2 |
3 files changed, 20 insertions, 8 deletions
diff --git a/src/optionstr.c b/src/optionstr.c
index 3de23ba049..7f130ddf87 100644
--- a/src/optionstr.c
+++ b/src/optionstr.c
@@ -574,7 +574,7 @@ valid_filetype(char_u *val)
 #ifdef FEAT_STL_OPT
 /*
 * Check validity of options with the 'statusline' format.
- * Return error message or NULL.
+ * Return an untranslated error message or NULL.
 */
 static char *
 check_stl_option(char_u *s)
@@ -625,17 +625,19 @@ check_stl_option(char_u *s)
 }
 if (*s == '{')
 {
- int reevaluate = (*s == '%');
+ int reevaluate = (*++s == '%');
- s++;
+ if (reevaluate && *++s == '}')
+ // "}" is not allowed immediately after "%{%"
+ return illegal_char(errbuf, '}');
 while ((*s != '}' || (reevaluate && s[-1] != '%')) && *s)
 s++;
 if (*s != '}')
- return N_(e_unclosed_expression_sequence);
+ return e_unclosed_expression_sequence;
 }
 }
 if (groupdepth != 0)
- return N_(e_unbalanced_groups);
+ return e_unbalanced_groups;
 return NULL;
 }
 #endif
@@ -1805,8 +1807,8 @@ ambw_end:
 }
 #ifdef FEAT_STL_OPT
- // 'statusline' or 'rulerformat'
- else if (gvarp == &p_stl || varp == &p_ruf)
+ // 'statusline', 'tabline' or 'rulerformat'
+ else if (gvarp == &p_stl || varp == &p_tal || varp == &p_ruf)
 {
 int wid;
@@ -1824,7 +1826,7 @@ ambw_end:
 else
 errmsg = check_stl_option(p_ruf);
 }
- // check 'statusline' only if it doesn't start with "%!"
+ // check 'statusline' or 'tabline' only if it doesn't start with "%!"
 else if (varp == &p_ruf || s[0] != '%' || s[1] != '!')
 errmsg = check_stl_option(s);
 if (varp == &p_ruf && errmsg == NULL)
diff --git a/src/testdir/test_options.vim b/src/testdir/test_options.vim
index 81081f5020..e49afae174 100644
--- a/src/testdir/test_options.vim
+++ b/src/testdir/test_options.vim
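Review bot: In the `if (*s == '{')` block of check_stl_option(), `s` is advanced inside two conditions (`*++s == '%'`, then `*++s == '}'` only when `reevaluate` is true), and the `s[-1] != '%'` test in the loop below is correct only because of that second advance. The invariant is easy to break in a later edit, so I would state it next to the guard: `// s is now past the '%' of "%{%", so s[-1] == '%' in the loop can only belong to a closing "%}"`. I would also brace the new `if`, since a comment line sits between the condition and its `return`. The function body starts before this hunk and `errbuf` is declared outside it.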
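Review bot: Values that start with `%!` still skip check_stl_option() in the `else if (varp == &p_ruf || s[0] != '%' || s[1] != '!')` branch of the last hunk, so the new `%{%}` rejection does not cover a format string produced by a `%!` expression. If the rendering code parses that result with the same `%{%` logic (it is not part of this diff, so this is an assumption to confirm), the out-of-bounds access should be guarded there as well rather than relying on set-time validation alone. At minimum the gap deserves a comment at this branch, e.g. `// "%!" values are expressions; their result is not validated here`. The enclosing function starts and ends outside the hunk.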
@@ -392,8 +392,16 @@ func Test_set_errors()
 call assert_fails('set rulerformat=%15(%%', 'E542:')
 call assert_fails('set statusline=%$', 'E539:')
 call assert_fails('set statusline=%{', 'E540:')
+ call assert_fails('set statusline=%{%', 'E540:')
+ call assert_fails('set statusline=%{%}', 'E539:')
 call assert_fails('set statusline=%(', 'E542:')
 call assert_fails('set statusline=%)', 'E542:')
+ call assert_fails('set tabline=%$', 'E539:')
+ call assert_fails('set tabline=%{', 'E540:')
+ call assert_fails('set tabline=%{%', 'E540:')
+ call assert_fails('set tabline=%{%}', 'E539:')
+ call assert_fails('set tabline=%(', 'E542:')
+ call assert_fails('set tabline=%)', 'E542:')
 if has('cursorshape')
 " This invalid value for 'guicursor' used to cause Vim to crash.
diff --git a/src/version.c b/src/version.c
index db82785164..c622f778a6 100644
--- a/src/version.c
+++ b/src/version.c
@@ -747,6 +747,8 @@ static char *(features[]) =
 static int included_patches[] =
 { /* Add new patch number below this line */
 /**/
+ 4752,
+/**/
 4751,
 /**/
 4750, |
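Review bot: The new `%{%` cases in Test_set_errors() cover 'statusline' and 'tabline' only, while 'rulerformat' goes through the same check_stl_option() (the `varp == &p_ruf` branch in src/optionstr.c). Adding `call assert_fails('set rulerformat=%{%}', 'E539:')` would cover that path, assuming it reports the same error as the other two options. The hunk also has no case showing that a well-formed `%{%...%}` value is still accepted after the stricter check, so a regression that rejects valid values would pass these tests. The test function starts and ends outside the hunk.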