aniani/vim
0
0
Fork 1
mirror of https://github.com/vim/vim.git synced 2025-07-25 10:54:51 -04:00
Code

patch 8.0.1421: accessing invalid memory with overlong byte sequence

Browse Source 
Problem:    Accessing invalid memory with overlong byte sequence.
Solution:   Check for NUL character. (test by Dominique Pelle, closes #2485)
This commit is contained in:
Bram Moolenaar 2017-12-22 21:06:56 +01:00
parent 3c09722600
commit e6640ad44e
3 changed files with 26 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
src/misc2.c
View File

@ -1622,11 +1622,17 @@ strup_save(char_u *orig)
char_u *s; char_u *s;
c = utf_ptr2char(p); c = utf_ptr2char(p);
l = utf_ptr2len(p);
if (c == 0)
{
/* overlong sequence, use only the first byte */
c = *p;
l = 1;
}
uc = utf_toupper(c); uc = utf_toupper(c);
/* Reallocate string when byte count changes. This is rare, /* Reallocate string when byte count changes. This is rare,
* thus it's OK to do another malloc()/free(). */ * thus it's OK to do another malloc()/free(). */
l = utf_ptr2len(p);
newl = utf_char2len(uc); newl = utf_char2len(uc);
if (newl != l) if (newl != l)
{ {
@ -1685,11 +1691,17 @@ strlow_save(char_u *orig)
char_u *s; char_u *s;
c = utf_ptr2char(p); c = utf_ptr2char(p);
l = utf_ptr2len(p);
if (c == 0)
{
/* overlong sequence, use only the first byte */
c = *p;
l = 1;
}
lc = utf_tolower(c); lc = utf_tolower(c);
/* Reallocate string when byte count changes. This is rare, /* Reallocate string when byte count changes. This is rare,
* thus it's OK to do another malloc()/free(). */ * thus it's OK to do another malloc()/free(). */
l = utf_ptr2len(p);
newl = utf_char2len(lc); newl = utf_char2len(lc);
if (newl != l) if (newl != l)
{ {

10
src/testdir/test_functions.vim
View File

@ -268,6 +268,11 @@ func Test_tolower()
" Ⱥ (U+023A) and Ⱦ (U+023E) are the *only* code points to increase " Ⱥ (U+023A) and Ⱦ (U+023E) are the *only* code points to increase
" in length (2 to 3 bytes) when lowercased. So let's test them. " in length (2 to 3 bytes) when lowercased. So let's test them.
call assert_equal("ⱥ ⱦ", tolower("Ⱥ Ⱦ")) call assert_equal("ⱥ ⱦ", tolower("Ⱥ Ⱦ"))
" This call to tolower with invalid utf8 sequence used to cause access to
" invalid memory.
call tolower("\xC0\x80\xC0")
call tolower("123\xC0\x80\xC0")
endfunc endfunc
func Test_toupper() func Test_toupper()
@ -338,6 +343,11 @@ func Test_toupper()
call assert_equal("ZŹŻŽƵẐẔ", toupper("ZŹŻŽƵẐẔ")) call assert_equal("ZŹŻŽƵẐẔ", toupper("ZŹŻŽƵẐẔ"))
call assert_equal("Ⱥ Ⱦ", toupper("ⱥ ⱦ")) call assert_equal("Ⱥ Ⱦ", toupper("ⱥ ⱦ"))
" This call to toupper with invalid utf8 sequence used to cause access to
" invalid memory.
call toupper("\xC0\x80\xC0")
call toupper("123\xC0\x80\xC0")
endfunc endfunc
" Tests for the mode() function " Tests for the mode() function

2
src/version.c
View File

@ -771,6 +771,8 @@ static char *(features[]) =
static int included_patches[] = static int included_patches[] =
{ /* Add new patch number below this line */ { /* Add new patch number below this line */
/**/
1421,
/**/ /**/
1420, 1420,
/**/ /**/