diff options
| author | erw7 <erw7.github@gmail.com> | 2020-05-25 12:48:17 +0900 |
|---|---|---|
| committer | erw7 <erw7.github@gmail.com> | 2020-05-25 14:59:27 +0900 |
| commit | 237c9da666082210b425882d3b34974a8dae4047 (patch) | |
| tree | 2a9b3a48ebfe0fcdb1bf1a549af6000e4e1167f9 /src | |
| parent | 37ee95504e43d246f4fa971fb7a38c2a1bc6b16f (diff) | |
| download | rneovim-237c9da666082210b425882d3b34974a8dae4047.tar.gz rneovim-237c9da666082210b425882d3b34974a8dae4047.tar.bz2 rneovim-237c9da666082210b425882d3b34974a8dae4047.zip | |
input: fix stack overflow
fixes #12287, #11788
Diffstat (limited to 'src')
| -rw-r--r-- | src/nvim/os/input.c | 11 |
1 files changed, 9 insertions, 2 deletions
diff --git a/src/nvim/os/input.c b/src/nvim/os/input.c index c1580c5fc3..139169f1c2 100644 --- a/src/nvim/os/input.c +++ b/src/nvim/os/input.c @@ -188,8 +188,15 @@ size_t input_enqueue(String keys) char *ptr = keys.data; char *end = ptr + keys.size; - while (rbuffer_space(input_buffer) >= 6 && ptr < end) { - uint8_t buf[6] = { 0 }; + while (rbuffer_space(input_buffer) >= 19 && ptr < end) { + // A "\<x>" form occupies at least 1 characters, and produces up + // to 19 characters (1 + 5 * 3 for the char and 3 for a modifier). + // In the case of K_SPECIAL(0x80) or CSI(0x9B), 3 bytes are escaped and + // needed, but since the keys are UTF-8, so the first byte cannot be + // K_SPECIAL(0x80) or CSI(0x9B). + // In UTF-8, a 5-6 byte representation is now an invalid sequence, but we + // reserve a 19-byte buffer for maximum security. + uint8_t buf[19] = { 0 }; unsigned int new_size = trans_special((const uint8_t **)&ptr, (size_t)(end - ptr), buf, true, false); |