To: vim_dev@googlegroups.com Subject: Patch 8.1.0205 Fcc: outbox From: Bram Moolenaar Mime-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ------------ Patch 8.1.0205 Problem: Invalid memory access with invalid modeline. Solution: Pass pointer limit. Add a test. (closes #3241) Files: src/Make_all.mak, src/testdir/test_alot.vim, src/testdir/test_modeline.vim, src/option.c *** ../vim-8.1.0204/src/Make_all.mak 2018-07-04 23:05:19.221931527 +0200 --- src/Make_all.mak 2018-07-23 03:54:45.950888854 +0200 *************** *** 118,123 **** --- 118,124 ---- test_messages \ test_mksession \ test_mksession_utf8 \ + test_modeline \ test_nested_function \ test_netbeans \ test_normal \ *** ../vim-8.1.0204/src/testdir/test_alot.vim 2018-05-19 15:00:48.841017887 +0200 --- src/testdir/test_alot.vim 2018-07-23 03:56:07.742401442 +0200 *************** *** 37,42 **** --- 37,43 ---- source test_match.vim source test_menu.vim source test_messages.vim + source test_modeline.vim source test_partial.vim source test_popup.vim source test_put.vim *** ../vim-8.1.0204/src/testdir/test_modeline.vim 2018-07-23 04:10:49.533248182 +0200 --- src/testdir/test_modeline.vim 2018-07-23 04:02:57.055992973 +0200 *************** *** 0 **** --- 1,8 ---- + " Tests for parsing the modeline. + + func Test_invalid() + " This was reading before allocated memory. + call writefile(['vi:0', 'nothing'], 'Xmodeline') + call assert_fails('split Xmodeline', 'E518:') + bwipe! + endfunc *** ../vim-8.1.0204/src/option.c 2018-07-08 21:46:52.859037899 +0200 --- src/option.c 2018-07-23 04:09:28.641716577 +0200 *************** *** 3316,3322 **** static char_u *set_num_option(int opt_idx, char_u *varp, long value, char_u *errbuf, size_t errbuflen, int opt_flags); static void check_redraw(long_u flags); static int findoption(char_u *); ! static int find_key_option(char_u *); static void showoptions(int all, int opt_flags); static int optval_default(struct vimoption *, char_u *varp); static void showoneopt(struct vimoption *, int opt_flags); --- 3316,3322 ---- static char_u *set_num_option(int opt_idx, char_u *varp, long value, char_u *errbuf, size_t errbuflen, int opt_flags); static void check_redraw(long_u flags); static int findoption(char_u *); ! static int find_key_option(char_u *arg_arg, int has_lt); static void showoptions(int all, int opt_flags); static int optval_default(struct vimoption *, char_u *varp); static void showoneopt(struct vimoption *, int opt_flags); *************** *** 4492,4498 **** opt_idx = findoption(arg + 1); arg[len++] = '>'; /* restore '>' */ if (opt_idx == -1) ! key = find_key_option(arg + 1); } else { --- 4492,4498 ---- opt_idx = findoption(arg + 1); arg[len++] = '>'; /* restore '>' */ if (opt_idx == -1) ! key = find_key_option(arg + 1, TRUE); } else { *************** *** 4510,4516 **** opt_idx = findoption(arg); arg[len] = nextchar; /* restore nextchar */ if (opt_idx == -1) ! key = find_key_option(arg); } /* remember character after option name */ --- 4510,4516 ---- opt_idx = findoption(arg); arg[len] = nextchar; /* restore nextchar */ if (opt_idx == -1) ! key = find_key_option(arg, FALSE); } /* remember character after option name */ *************** *** 5362,5368 **** string_to_key(char_u *arg, int multi_byte) { if (*arg == '<') ! return find_key_option(arg + 1); if (*arg == '^') return Ctrl_chr(arg[1]); if (multi_byte) --- 5362,5368 ---- string_to_key(char_u *arg, int multi_byte) { if (*arg == '<') ! return find_key_option(arg + 1, TRUE); if (*arg == '^') return Ctrl_chr(arg[1]); if (multi_byte) *************** *** 9541,9547 **** int key; if (STRLEN(name) == 4 && name[0] == 't' && name[1] == '_' ! && (key = find_key_option(name)) != 0) { char_u key_name[2]; char_u *p; --- 9541,9547 ---- int key; if (STRLEN(name) == 4 && name[0] == 't' && name[1] == '_' ! && (key = find_key_option(name, FALSE)) != 0) { char_u key_name[2]; char_u *p; *************** *** 9831,9837 **** int key; if (STRLEN(name) == 4 && name[0] == 't' && name[1] == '_' ! && (key = find_key_option(name)) != 0) { char_u key_name[2]; --- 9831,9837 ---- int key; if (STRLEN(name) == 4 && name[0] == 't' && name[1] == '_' ! && (key = find_key_option(name, FALSE)) != 0) { char_u key_name[2]; *************** *** 9952,9963 **** /* * Translate a string like "t_xx", "" or "" to a key number. */ static int ! find_key_option(char_u *arg) { ! int key; int modifiers; /* * Don't use get_special_key_code() for t_xx, we don't want it to call --- 9952,9966 ---- /* * Translate a string like "t_xx", "" or "" to a key number. + * When "has_lt" is true there is a '<' before "*arg_arg". + * Returns 0 when the key is not recognized. */ static int ! find_key_option(char_u *arg_arg, int has_lt) { ! int key = 0; int modifiers; + char_u *arg = arg_arg; /* * Don't use get_special_key_code() for t_xx, we don't want it to call *************** *** 9965,9971 **** */ if (arg[0] == 't' && arg[1] == '_' && arg[2] && arg[3]) key = TERMCAP2KEY(arg[2], arg[3]); ! else { --arg; /* put arg at the '<' */ modifiers = 0; --- 9968,9974 ---- */ if (arg[0] == 't' && arg[1] == '_' && arg[2] && arg[3]) key = TERMCAP2KEY(arg[2], arg[3]); ! else if (has_lt) { --arg; /* put arg at the '<' */ modifiers = 0; *** ../vim-8.1.0204/src/version.c 2018-07-22 19:36:29.255125833 +0200 --- src/version.c 2018-07-23 03:55:34.482599313 +0200 *************** *** 795,796 **** --- 795,798 ---- { /* Add new patch number below this line */ + /**/ + 205, /**/ -- DINGO: You must spank her well and after you have spanked her you may deal with her as you like and then ... spank me. AMAZING: And spank me! STUNNER: And me. LOVELY: And me. "Monty Python and the Holy Grail" PYTHON (MONTY) PICTURES LTD /// Bram Moolenaar -- Bram@Moolenaar.net -- http://www.Moolenaar.net \\\ /// sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\ \\\ an exciting new programming language -- http://www.Zimbu.org /// \\\ help me help AIDS victims -- http://ICCF-Holland.org ///