author | Jan Edmund Lazo <jan.lazo@mail.utoronto.ca> | 2020-09-18 21:05:08 -0400 |
---|---|---|
committer | Jan Edmund Lazo <jan.lazo@mail.utoronto.ca> | 2020-09-19 10:57:57 -0400 |
commit | ccfb69ab3676bca927744bae2f7462a6464fe4ce (patch) | |
tree | 0e58fd1b6b4ba30bec7b2433bad9f8af93bdcdb6 /src/nvim/eval.c | |
parent | 31513a6f2df7cce9a7ae19fcd7c0e9c2404ea1e9 (diff) | |
vim-patch:8.2.0817: not enough memory allocated when converting string
Problem: Not enough memory allocated when converting string with special
character.
Solution: Reserve space for modifier code. (closes vim/vim#6130)
https://github.com/vim/vim/commit/f7271e831614d15d173c7f562cc26f48c2554ce9
Cherry-pick Test_eval(), Test_nr2char() from patch 8.2.0448.
Diffstat (limited to 'src/nvim/eval.c')
-rw-r--r-- | src/nvim/eval.c | 19 |
1 files changed, 12 insertions, 7 deletions
diff --git a/src/nvim/eval.c b/src/nvim/eval.c
index b395d7bb8a..f3b6818464 100644
--- a/src/nvim/eval.c
+++ b/src/nvim/eval.c
@@ -4518,7 +4518,6 @@ int get_option_tv(const char **const arg, typval_T *const rettv,
 static int get_string_tv(char_u **arg, typval_T *rettv, int evaluate)
 {
 char_u *p;
- char_u *name;
 unsigned int extra = 0;
 /*
@@ -4526,11 +4525,13 @@ static int get_string_tv(char_u **arg, typval_T *rettv, int evaluate)
 */
 for (p = *arg + 1; *p != NUL && *p != '"'; MB_PTR_ADV(p)) {
 if (*p == '\\' && p[1] != NUL) {
- ++p;
- /* A "\<x>" form occupies at least 4 characters, and produces up
- * to 6 characters: reserve space for 2 extra */
- if (*p == '<')
- extra += 2;
+ p++;
+ // A "\<x>" form occupies at least 4 characters, and produces up
+ // to 9 characters (6 for the char and 3 for a modifier): reserve
+ // space for 5 extra.
+ if (*p == '<') {
+ extra += 5;
+ }
 }
 }
@@ -4549,7 +4550,8 @@ static int get_string_tv(char_u **arg, typval_T *rettv, int evaluate)
 * Copy the string into allocated memory, handling backslashed
 * characters.
 */
- name = xmalloc(p - *arg + extra);
+ const int len = (int)(p - *arg + extra);
+ char_u *name = xmalloc(len);
 rettv->v_type = VAR_STRING;
 rettv->vval.v_string = name;
@@ -4616,6 +4618,9 @@ static int get_string_tv(char_u **arg, typval_T *rettv, int evaluate)
 extra = trans_special((const char_u **)&p, STRLEN(p), name, true, true);
 if (extra != 0) {
 name += extra;
+ if (name >= rettv->vval.v_string + len) {
+ iemsg("get_string_tv() used more space than allocated");
+ }
 break;
 }
 FALLTHROUGH;
|
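Review bot: In the hunk at `@@ -4549,7 +4550,8 @@`, `const int len = (int)(p - *arg + extra);` narrows a pointer difference plus an `unsigned int` down to `int` before the value is handed to `xmalloc()`. For a very long string literal the cast could truncate or turn negative, and then both the allocation size and the later bound `rettv->vval.v_string + len` would stop matching the length that the first loop scanned. Keeping the size unsigned avoids the narrowing, e.g. `const size_t len = (size_t)(p - *arg) + extra;` (assuming `xmalloc()` takes a `size_t`, which is not visible here). The body of `get_string_tv()` continues outside this hunk.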
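Review bot: The bounds check added in the `@@ -4616,6 +4618,9 @@` hunk runs only after `trans_special()` has already written through `name`, so it reports an overrun instead of preventing one, and control still reaches `break` with the heap possibly corrupted. In the visible call the length argument is `STRLEN(p)`, the source length, and nothing visible passes the remaining destination capacity, so safety still depends on the `extra += 5` estimate in the first loop matching the worst-case output of `trans_special()`. I would document that at the check, e.g. `// Diagnostic only: the write already happened; sizing relies on "extra += 5" in the scan loop.`, and consider failing the function at this point rather than continuing to copy. The enclosing switch and copy loop start and end outside the hunk.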