mirror of
https://github.com/vim/vim.git
synced 2025-07-25 10:54:51 -04:00
patch 8.0.1421: accessing invalid memory with overlong byte sequence
Problem: Accessing invalid memory with overlong byte sequence. Solution: Check for NUL character. (test by Dominique Pelle, closes #2485)
This commit is contained in:
parent
3c09722600
commit
e6640ad44e
16
src/misc2.c
16
src/misc2.c
@ -1622,11 +1622,17 @@ strup_save(char_u *orig)
|
|||||||
char_u *s;
|
char_u *s;
|
||||||
|
|
||||||
c = utf_ptr2char(p);
|
c = utf_ptr2char(p);
|
||||||
|
l = utf_ptr2len(p);
|
||||||
|
if (c == 0)
|
||||||
|
{
|
||||||
|
/* overlong sequence, use only the first byte */
|
||||||
|
c = *p;
|
||||||
|
l = 1;
|
||||||
|
}
|
||||||
uc = utf_toupper(c);
|
uc = utf_toupper(c);
|
||||||
|
|
||||||
/* Reallocate string when byte count changes. This is rare,
|
/* Reallocate string when byte count changes. This is rare,
|
||||||
* thus it's OK to do another malloc()/free(). */
|
* thus it's OK to do another malloc()/free(). */
|
||||||
l = utf_ptr2len(p);
|
|
||||||
newl = utf_char2len(uc);
|
newl = utf_char2len(uc);
|
||||||
if (newl != l)
|
if (newl != l)
|
||||||
{
|
{
|
||||||
@ -1685,11 +1691,17 @@ strlow_save(char_u *orig)
|
|||||||
char_u *s;
|
char_u *s;
|
||||||
|
|
||||||
c = utf_ptr2char(p);
|
c = utf_ptr2char(p);
|
||||||
|
l = utf_ptr2len(p);
|
||||||
|
if (c == 0)
|
||||||
|
{
|
||||||
|
/* overlong sequence, use only the first byte */
|
||||||
|
c = *p;
|
||||||
|
l = 1;
|
||||||
|
}
|
||||||
lc = utf_tolower(c);
|
lc = utf_tolower(c);
|
||||||
|
|
||||||
/* Reallocate string when byte count changes. This is rare,
|
/* Reallocate string when byte count changes. This is rare,
|
||||||
* thus it's OK to do another malloc()/free(). */
|
* thus it's OK to do another malloc()/free(). */
|
||||||
l = utf_ptr2len(p);
|
|
||||||
newl = utf_char2len(lc);
|
newl = utf_char2len(lc);
|
||||||
if (newl != l)
|
if (newl != l)
|
||||||
{
|
{
|
||||||
|
@ -268,6 +268,11 @@ func Test_tolower()
|
|||||||
" Ⱥ (U+023A) and Ⱦ (U+023E) are the *only* code points to increase
|
" Ⱥ (U+023A) and Ⱦ (U+023E) are the *only* code points to increase
|
||||||
" in length (2 to 3 bytes) when lowercased. So let's test them.
|
" in length (2 to 3 bytes) when lowercased. So let's test them.
|
||||||
call assert_equal("ⱥ ⱦ", tolower("Ⱥ Ⱦ"))
|
call assert_equal("ⱥ ⱦ", tolower("Ⱥ Ⱦ"))
|
||||||
|
|
||||||
|
" This call to tolower with invalid utf8 sequence used to cause access to
|
||||||
|
" invalid memory.
|
||||||
|
call tolower("\xC0\x80\xC0")
|
||||||
|
call tolower("123\xC0\x80\xC0")
|
||||||
endfunc
|
endfunc
|
||||||
|
|
||||||
func Test_toupper()
|
func Test_toupper()
|
||||||
@ -338,6 +343,11 @@ func Test_toupper()
|
|||||||
call assert_equal("ZŹŻŽƵẐẔ", toupper("ZŹŻŽƵẐẔ"))
|
call assert_equal("ZŹŻŽƵẐẔ", toupper("ZŹŻŽƵẐẔ"))
|
||||||
|
|
||||||
call assert_equal("Ⱥ Ⱦ", toupper("ⱥ ⱦ"))
|
call assert_equal("Ⱥ Ⱦ", toupper("ⱥ ⱦ"))
|
||||||
|
|
||||||
|
" This call to toupper with invalid utf8 sequence used to cause access to
|
||||||
|
" invalid memory.
|
||||||
|
call toupper("\xC0\x80\xC0")
|
||||||
|
call toupper("123\xC0\x80\xC0")
|
||||||
endfunc
|
endfunc
|
||||||
|
|
||||||
" Tests for the mode() function
|
" Tests for the mode() function
|
||||||
|
@ -771,6 +771,8 @@ static char *(features[]) =
|
|||||||
|
|
||||||
static int included_patches[] =
|
static int included_patches[] =
|
||||||
{ /* Add new patch number below this line */
|
{ /* Add new patch number below this line */
|
||||||
|
/**/
|
||||||
|
1421,
|
||||||
/**/
|
/**/
|
||||||
1420,
|
1420,
|
||||||
/**/
|
/**/
|
||||||
|
Loading…
x
Reference in New Issue
Block a user