author | Jan Edmund Lazo <janedmundlazo@hotmail.com> | 2018-08-09 00:51:40 -0400 |
---|---|---|
committer | Jan Edmund Lazo <janedmundlazo@hotmail.com> | 2018-08-09 00:55:20 -0400 |
commit | 4420dc3067a776271a94080a4b1b42a1e74bb2dc (patch) | |
tree | d826e0940f3888930b30da1edfc0e8484581713f /src | |
parent | a44588798564dae1dc28b31af49e38399888d9a2 (diff) | |
vim-patch:8.0.1421: accessing invalid memory with overlong byte sequence
Problem: Accessing invalid memory with overlong byte sequence.
Solution: Check for NUL character. (test by Dominique Pelle, closes vim/vim#2485)
https://github.com/vim/vim/commit/e6640ad44e2186bd3642b972115496d347cd1fdd
Diffstat (limited to 'src')
-rw-r--r-- | src/nvim/strings.c | 9 | ||||
-rw-r--r-- | src/nvim/testdir/test_functions.vim | 10 |
2 files changed, 16 insertions, 3 deletions
diff --git a/src/nvim/strings.c b/src/nvim/strings.c index 3f31914c03..d812aba048 100644 --- a/src/nvim/strings.c +++ b/src/nvim/strings.c @@ -344,14 +344,17 @@ char *strcase_save(const char *const orig, bool upper) char *p = res; while (*p != NUL) { - int l; - int c = utf_ptr2char((const char_u *)p); + int l = utf_ptr2len((const char_u *)p); + if (c == 0) { + // overlong sequence, use only the first byte + c = *p; + l = 1; + } int uc = upper ? mb_toupper(c) : mb_tolower(c); // Reallocate string when byte count changes. This is rare, // thus it's OK to do another malloc()/free(). - l = utf_ptr2len((const char_u *)p); int newl = utf_char2len(uc); if (newl != l) { // TODO(philix): use xrealloc() in strup_save() diff --git a/src/nvim/testdir/test_functions.vim b/src/nvim/testdir/test_functions.vim index 63794a7a85..59445ebfe6 100644 --- a/src/nvim/testdir/test_functions.vim +++ b/src/nvim/testdir/test_functions.vim @@ -299,6 +299,11 @@ func Test_tolower() " Ⱥ (U+023A) and Ⱦ (U+023E) are the *only* code points to increase " in length (2 to 3 bytes) when lowercased. So let's test them. call assert_equal("ⱥ ⱦ", tolower("Ⱥ Ⱦ")) + + " This call to tolower with invalid utf8 sequence used to cause access to + " invalid memory. + call tolower("\xC0\x80\xC0") + call tolower("123\xC0\x80\xC0") endfunc func Test_toupper() @@ -369,6 +374,11 @@ func Test_toupper() call assert_equal("ZŹŻŽƵẐẔ", toupper("ZŹŻŽƵẐẔ")) call assert_equal("Ⱥ Ⱦ", toupper("ⱥ ⱦ")) + + " This call to toupper with invalid utf8 sequence used to cause access to + " invalid memory. + call toupper("\xC0\x80\xC0") + call toupper("123\xC0\x80\xC0") endfunc " Tests for the mode() function |
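Review bot: In the overlong-sequence branch, `c = *p;` reads through `p`, which this function declares as `char *p = res;`, so on targets where plain `char` is signed a lead byte such as 0xC0 becomes a negative `c` before it reaches `mb_toupper()`/`mb_tolower()` and then `utf_char2len()`. The surrounding calls already cast `p` to `const char_u *`, so the fallback should keep the byte in 0..255 as well, e.g. `c = (unsigned char)*p;`. How the case-mapping helpers treat a negative code point is not visible here and is worth confirming. The body of strcase_save() starts and ends outside the hunk.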
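Review bot: The calls added to Test_tolower() discard the result of `tolower()`, so the regression is only caught when the suite runs under a memory checker such as ASan or Valgrind; in an ordinary build an out-of-bounds read will usually pass unnoticed. An assertion on the part of the output that is well defined would let the test fail on its own, for example `call assert_equal("123", tolower("123\xC0\x80\xC0")[0:2])`. The same applies to the two `toupper()` calls added in Test_toupper().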