diff options
| author | Matthieu Coudron <mattator@gmail.com> | 2020-06-08 16:52:56 +0200 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2020-06-08 16:52:56 +0200 |
| commit | d8c5d122f1ba95bc71a78c5d70465bfa88623bd7 (patch) | |
| tree | 55bdbe00fbf6cb84457ad7474392398e2c7eb281 | |
| parent | 980b12edbabc573f72d762dde844a771cc705e84 (diff) | |
| parent | e01fc33515d5cd3a9a595d0e6905bd16d3a861e5 (diff) | |
| download | rneovim-d8c5d122f1ba95bc71a78c5d70465bfa88623bd7.tar.gz rneovim-d8c5d122f1ba95bc71a78c5d70465bfa88623bd7.tar.bz2 rneovim-d8c5d122f1ba95bc71a78c5d70465bfa88623bd7.zip | |
Merge pull request #12376 from erw7/fix-stack-overflow-on-input-enqueue
input: fix stack overflow
| -rw-r--r-- | src/nvim/keymap.c | 4 | ||||
| -rw-r--r-- | src/nvim/os/input.c | 9 | ||||
| -rw-r--r-- | test/functional/api/vim_spec.lua | 5 |
3 files changed, 14 insertions, 4 deletions
diff --git a/src/nvim/keymap.c b/src/nvim/keymap.c index 4b8b9992f5..a553110552 100644 --- a/src/nvim/keymap.c +++ b/src/nvim/keymap.c @@ -517,8 +517,8 @@ char_u *get_special_key_name(int c, int modifiers) /// @param[in,out] srcp Source from which <> are translated. Is advanced to /// after the <> name if there is a match. /// @param[in] src_len Length of the srcp. -/// @param[out] dst Location where translation result will be kept. Must have -/// at least six bytes. +/// @param[out] dst Location where translation result will be kept. It must +// be at least 19 bytes per "<x>" form. /// @param[in] keycode Prefer key code, e.g. K_DEL in place of DEL. /// @param[in] in_string Inside a double quoted string /// diff --git a/src/nvim/os/input.c b/src/nvim/os/input.c index c1580c5fc3..b7878d9da8 100644 --- a/src/nvim/os/input.c +++ b/src/nvim/os/input.c @@ -188,8 +188,13 @@ size_t input_enqueue(String keys) char *ptr = keys.data; char *end = ptr + keys.size; - while (rbuffer_space(input_buffer) >= 6 && ptr < end) { - uint8_t buf[6] = { 0 }; + while (rbuffer_space(input_buffer) >= 19 && ptr < end) { + // A "<x>" form occupies at least 1 characters, and produces up + // to 19 characters (1 + 5 * 3 for the char and 3 for a modifier). + // In the case of K_SPECIAL(0x80) or CSI(0x9B), 3 bytes are escaped and + // needed, but since the keys are UTF-8, so the first byte cannot be + // K_SPECIAL(0x80) or CSI(0x9B). + uint8_t buf[19] = { 0 }; unsigned int new_size = trans_special((const uint8_t **)&ptr, (size_t)(end - ptr), buf, true, false); diff --git a/test/functional/api/vim_spec.lua b/test/functional/api/vim_spec.lua index debdfb9e9a..72e810e3e4 100644 --- a/test/functional/api/vim_spec.lua +++ b/test/functional/api/vim_spec.lua @@ -482,6 +482,11 @@ describe('API', function() eq(true, status) -- nvim_input() did not fail. eq("E117:", v_errnum) -- v:errmsg was updated. end) + + it('does not crash even if trans_special result is largest #11788, #12287', function() + command("call nvim_input('<M-'.nr2char(0x40000000).'>')") + eq(1, eval('1')) + end) end) describe('nvim_paste', function() |