authorBram Moolenaar <Bram@vim.org>2017-12-22 21:06:56 +0100
committerBram Moolenaar <Bram@vim.org>2017-12-22 21:06:56 +0100
commite6640ad44e2186bd3642b972115496d347cd1fdd (patch)
tree647370d0a60e9adbdd4acb9ef0b6235be513d1e1
parent3c09722600e3218905b5d4a7b635a9e6560f87b3 (diff)
patch 8.0.1421: accessing invalid memory with overlong byte sequencev8.0.1421
Problem: Accessing invalid memory with overlong byte sequence. Solution: Check for NUL character. (test by Dominique Pelle, closes #2485)
-rw-r--r--src/misc2.c16
-rw-r--r--src/testdir/test_functions.vim10
-rw-r--r--src/version.c2
3 files changed, 26 insertions, 2 deletions
diff --git a/src/misc2.c b/src/misc2.c
index 460ea74895..66aeee01b7 100644
--- a/src/misc2.c
+++ b/src/misc2.c
@@ -1622,11 +1622,17 @@ strup_save(char_u *orig)
char_u *s;
c = utf_ptr2char(p);
+ l = utf_ptr2len(p);
+ if (c == 0)
+ {
+ /* overlong sequence, use only the first byte */
+ c = *p;
+ l = 1;
+ }
uc = utf_toupper(c);
/* Reallocate string when byte count changes. This is rare,
* thus it's OK to do another malloc()/free(). */
- l = utf_ptr2len(p);
newl = utf_char2len(uc);
if (newl != l)
{
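Review bot: The new `if (c == 0)` branch in strup_save() is only safe if a genuine terminating NUL can never reach it, and the comment does not say so; the loop condition that would guarantee this lies outside the hunk. I would widen the comment to something like `/* utf_ptr2char() returns 0 here only for an overlong NUL such as 0xC0 0x80; handle just the lead byte so the length bookkeeping below stays consistent */`. Note also that `c = *p` passes the raw lead byte to utf_toupper() as if it were a code point, so the `newl != l` path below presumably re-encodes it and the output bytes differ from the malformed input; it is worth confirming that this is intended rather than copying the byte through unchanged. The same applies to the identical branch in the strlow_save() hunk.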
@@ -1685,11 +1691,17 @@ strlow_save(char_u *orig)
char_u *s;
c = utf_ptr2char(p);
+ l = utf_ptr2len(p);
+ if (c == 0)
+ {
+ /* overlong sequence, use only the first byte */
+ c = *p;
+ l = 1;
+ }
lc = utf_tolower(c);
/* Reallocate string when byte count changes. This is rare,
* thus it's OK to do another malloc()/free(). */
- l = utf_ptr2len(p);
newl = utf_char2len(lc);
if (newl != l)
{
diff --git a/src/testdir/test_functions.vim b/src/testdir/test_functions.vim
index 20e4280c15..ffc3bc3785 100644
--- a/src/testdir/test_functions.vim
+++ b/src/testdir/test_functions.vim
@@ -268,6 +268,11 @@ func Test_tolower()
" Ⱥ (U+023A) and Ⱦ (U+023E) are the *only* code points to increase
" in length (2 to 3 bytes) when lowercased. So let's test them.
call assert_equal("ⱥ ⱦ", tolower("Ⱥ Ⱦ"))
+
+ " This call to tolower with invalid utf8 sequence used to cause access to
+ " invalid memory.
+ call tolower("\xC0\x80\xC0")
+ call tolower("123\xC0\x80\xC0")
endfunc
func Test_toupper()
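Review bot: The added `call tolower(...)` lines discard the result, so this regression test can only fail when the suite runs under a memory checker such as valgrind or ASan; on a plain build an out-of-bounds access may pass silently. Pinning a property of the output would let it fail on every build, for example `call assert_match('^123', tolower("123\xC0\x80\xC0"))`, since the ASCII prefix must come back unchanged. The same holds for the `call toupper(...)` lines in the Test_toupper hunk below.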
@@ -338,6 +343,11 @@ func Test_toupper()
call assert_equal("ZŹŻŽƵẐẔ", toupper("ZŹŻŽƵẐẔ"))
call assert_equal("Ⱥ Ⱦ", toupper("ⱥ ⱦ"))
+
+ " This call to toupper with invalid utf8 sequence used to cause access to
+ " invalid memory.
+ call toupper("\xC0\x80\xC0")
+ call toupper("123\xC0\x80\xC0")
endfunc
" Tests for the mode() function
diff --git a/src/version.c b/src/version.c
index 1a217e7b67..943469fb9b 100644
--- a/src/version.c
+++ b/src/version.c
@@ -772,6 +772,8 @@ static char *(features[]) =
static int included_patches[] =
{ /* Add new patch number below this line */
/**/
+ 1421,
+/**/
1420,
/**/
1419,