author | Jan Edmund Lazo <janedmundlazo@hotmail.com> | 2018-08-24 22:29:59 -0400 |
---|---|---|
committer | Jan Edmund Lazo <janedmundlazo@hotmail.com> | 2018-08-24 23:02:51 -0400 |
commit | 16b55d2e9d074bb3de7505708c30c05fe02d8f12 (patch) | |
tree | b98175f6003ceaa959be763dcd80c0488cb339be | |
parent | bdffa01b528ca6093fc8e0e4f54f810f9bb6d3b7 (diff) | |
vim-patch:8.0.1468: illegal memory access in del_bytes()
Problem: Illegal memory access in del_bytes().
Solution: Check for negative byte count. (Christian Brabandt, closes vim/vim#2466)
https://github.com/vim/vim/commit/191f18bad0b5c48afa05c3e8a00f3ced993f6a38
-rw-r--r-- | src/nvim/message.c | 2 | ||||
-rw-r--r-- | src/nvim/misc1.c | 16 | ||||
-rw-r--r-- | src/nvim/strings.c | 2 |
3 files changed, 14 insertions, 6 deletions
diff --git a/src/nvim/message.c b/src/nvim/message.c
index 947cd0735e..4b0824c90f 100644
--- a/src/nvim/message.c
+++ b/src/nvim/message.c
@@ -610,7 +610,7 @@ static bool emsgfv(const char *fmt, va_list ap)
 /// detected when fuzzing vim.
 void iemsg(const char *s)
 {
- msg((char_u *)s);
+ emsg((char_u *)s);
 #ifdef ABORT_ON_INTERNAL_ERROR
 abort();
 #endif
diff --git a/src/nvim/misc1.c b/src/nvim/misc1.c
index e87c754eb8..caaa310a8b 100644
--- a/src/nvim/misc1.c
+++ b/src/nvim/misc1.c
@@ -1605,11 +1605,19 @@ int del_bytes(colnr_T count, bool fixpos_arg, bool use_delcombine)
 char_u *oldp = ml_get(lnum);
 colnr_T oldlen = (colnr_T)STRLEN(oldp);
- /*
- * Can't do anything when the cursor is on the NUL after the line.
- */
- if (col >= oldlen)
+ // Can't do anything when the cursor is on the NUL after the line.
+ if (col >= oldlen) {
+ return FAIL;
+ }
+ // If "count" is zero there is nothing to do.
+ if (count == 0) {
+ return OK;
+ }
+ // If "count" is negative the caller must be doing something wrong.
+ if (count < 1) {
+ IEMSGN("E950: Invalid count for del_bytes(): %ld", count);
 return FAIL;
+ }
 /* If 'delcombine' is set and deleting (less than) one character, only
 * delete the last combining character. */
diff --git a/src/nvim/strings.c b/src/nvim/strings.c
index f24de72743..17c4a75a64 100644
--- a/src/nvim/strings.c
+++ b/src/nvim/strings.c
@@ -1217,6 +1217,7 @@ int vim_vsnprintf(char *str, size_t str_m, const char *fmt, va_list ap,
 str_arg_l = 3;
 zero_padding = 0;
 } else {
+ // Regular float number
 format[0] = '%';
 size_t l = 1;
 if (force_sign) {
@@ -1241,7 +1242,6 @@ int vim_vsnprintf(char *str, size_t str_m, const char *fmt, va_list ap,
 format[l] = (char)(fmt_spec == 'F' ? 'f' : fmt_spec);
 format[l + 1] = NUL;
- // Regular float number
 str_arg_l = (size_t)snprintf(tmp, sizeof(tmp), format, f);
 assert(str_arg_l < sizeof(tmp)); |
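Review bot: In the del_bytes() hunk of src/nvim/misc1.c, the E950 message is formatted with `%ld` while `count` is declared `colnr_T` in the signature, and IEMSGN's definition is not part of this diff, so it cannot be confirmed here that the argument reaches the formatter with the width `%ld` reads. If the macro does not convert it, specifier and argument disagree on platforms where `long` has a different width, which is worth checking because this is the error path of a memory-safety fix. Separately, `if (count < 1)` can only be true for negative values because zero has already returned, so `if (count < 0) {` would match the comment above it. del_bytes() starts and ends outside the hunk, so how an over-large positive `count` is bounded against `oldlen - col` cannot be judged from these lines.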