diff options
| author | zeertzjq <zeertzjq@outlook.com> | 2023-11-17 06:55:08 +0800 |
|---|---|---|
| committer | zeertzjq <zeertzjq@outlook.com> | 2023-11-17 07:06:52 +0800 |
| commit | d2f2e2725c6f8d3263516e7fdf7655ef1c379172 (patch) | |
| tree | f12023a2810919779829b09940ae05f3df251dee /src/nvim/regexp.c | |
| parent | a388c852c40682123698f1f55cefc426aa3f70e3 (diff) | |
| download | rneovim-d2f2e2725c6f8d3263516e7fdf7655ef1c379172.tar.gz rneovim-d2f2e2725c6f8d3263516e7fdf7655ef1c379172.tar.bz2 rneovim-d2f2e2725c6f8d3263516e7fdf7655ef1c379172.zip | |
vim-patch:9.0.1532: crash when expanding "~" in substitute causes very long text
Problem: Crash when expanding "~" in substitute causes very long text.
Solution: Limit the text length to MAXCOL.
https://github.com/vim/vim/commit/ab9a2d884b3a4abe319606ea95a5a6d6b01cd73a
Co-authored-by: Bram Moolenaar <Bram@vim.org>
Diffstat (limited to 'src/nvim/regexp.c')
| -rw-r--r-- | src/nvim/regexp.c | 39 |
1 files changed, 22 insertions, 17 deletions
diff --git a/src/nvim/regexp.c b/src/nvim/regexp.c index 48cde447b5..9e08d2615b 100644 --- a/src/nvim/regexp.c +++ b/src/nvim/regexp.c @@ -1642,41 +1642,46 @@ static void do_lower(int *d, int c) char *regtilde(char *source, int magic, bool preview) { char *newsub = source; - char *tmpsub; - char *p; - int len; - int prevlen; - for (p = newsub; *p; p++) { + for (char *p = newsub; *p; p++) { if ((*p == '~' && magic) || (*p == '\\' && *(p + 1) == '~' && !magic)) { if (reg_prev_sub != NULL) { // length = len(newsub) - 1 + len(prev_sub) + 1 - prevlen = (int)strlen(reg_prev_sub); - tmpsub = xmalloc(strlen(newsub) + (size_t)prevlen); + // Avoid making the text longer than MAXCOL, it will cause + // trouble at some point. + size_t prevsublen = strlen(reg_prev_sub); + size_t newsublen = strlen(newsub); + if (prevsublen > MAXCOL || newsublen > MAXCOL + || newsublen + prevsublen > MAXCOL) { + emsg(_(e_resulting_text_too_long)); + break; + } + + char *tmpsub = xmalloc(newsublen + prevsublen); // copy prefix - len = (int)(p - newsub); // not including ~ - memmove(tmpsub, newsub, (size_t)len); + size_t prefixlen = (size_t)(p - newsub); // not including ~ + memmove(tmpsub, newsub, prefixlen); // interpret tilde - memmove(tmpsub + len, reg_prev_sub, (size_t)prevlen); + memmove(tmpsub + prefixlen, reg_prev_sub, prevsublen); // copy postfix if (!magic) { - p++; // back off backslash + p++; // back off backslash } - STRCPY(tmpsub + len + prevlen, p + 1); + STRCPY(tmpsub + prefixlen + prevsublen, p + 1); - if (newsub != source) { // already allocated newsub + if (newsub != source) { // allocated newsub before xfree(newsub); } newsub = tmpsub; - p = newsub + len + prevlen; + p = newsub + prefixlen + prevsublen; } else if (magic) { - STRMOVE(p, p + 1); // remove '~' + STRMOVE(p, p + 1); // remove '~' } else { - STRMOVE(p, p + 2); // remove '\~' + STRMOVE(p, p + 2); // remove '\~' } p--; } else { - if (*p == '\\' && p[1]) { // skip escaped characters + if (*p == '\\' && p[1]) { // skip escaped characters p++; } p += utfc_ptr2len(p) - 1; |