author | Thiago de Arruda <tpadilha84@gmail.com> | 2014-10-28 09:17:57 -0300 |
---|---|---|
committer | Thiago de Arruda <tpadilha84@gmail.com> | 2014-10-28 10:21:05 -0300 |
commit | c95bc3349b6df13d8a4b5c1c7f3440e4578b266c (patch) | |
tree | 67cdd4270fc25b542841949d2d6aa571b1c51aee /src | |
parent | 53ce5493faa4f3675dfd3c912d418ff9dc52f740 (diff) | |
input: Fix conversion error in `convert_input()`
The `rbuffer_consumed` was being passed a consumed count from another buffer,
causing integer overflow in `rbuffer_relocate`.
Fixes #1343
Diffstat (limited to 'src')
-rw-r--r-- | src/nvim/os/input.c | 16 | ||||
-rw-r--r-- | src/nvim/os/rstream.c | 1 |
2 files changed, 12 insertions, 5 deletions
diff --git a/src/nvim/os/input.c b/src/nvim/os/input.c
index 2c8026d099..e4501aeb82 100644
--- a/src/nvim/os/input.c
+++ b/src/nvim/os/input.c
@@ -1,3 +1,4 @@
+#include <assert.h>
 #include <string.h>
 #include <stdint.h>
 #include <stdbool.h>
@@ -237,18 +238,23 @@ static void convert_input(void)
 if (convert) { // Perform input conversion according to `input_conv`
- size_t unconverted_length;
+ size_t unconverted_length = 0;
 data = (char *)string_convert_ext(&input_conv, (uint8_t *)data, (int *)&converted_length, (int *)&unconverted_length);
- data_length = rbuffer_pending(read_buffer) - unconverted_length;
+ data_length -= unconverted_length;
 }
- // Write processed data to input buffer
- size_t consumed = rbuffer_write(input_buffer, data, data_length);
+ // The conversion code will be gone eventually, for now assume `input_buffer`
+ // always has space for the converted data(it's many times the size of
+ // `read_buffer`, so it's hard to imagine a scenario where the converted data
+ // doesn't fit)
+ assert(converted_length <= rbuffer_available(input_buffer));
+ // Write processed data to input buffer.
+ (void)rbuffer_write(input_buffer, data, converted_length);
 // Adjust raw buffer pointers
- rbuffer_consumed(read_buffer, consumed);
+ rbuffer_consumed(read_buffer, data_length);
 if (convert) { // data points to memory allocated by `string_convert_ext`, free it.
diff --git a/src/nvim/os/rstream.c b/src/nvim/os/rstream.c
index d96b3d931c..beff404fd0 100644
--- a/src/nvim/os/rstream.c
+++ b/src/nvim/os/rstream.c
@@ -396,6 +396,7 @@ static void close_cb(uv_handle_t *handle)
 static void rbuffer_relocate(RBuffer *rbuffer) {
+ assert(rbuffer->rpos <= rbuffer->wpos);
 // Move data ...
 memmove( rbuffer->data, // ...to the beginning of the buffer(rpos 0) |
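Review bot: The capacity check `assert(converted_length <= rbuffer_available(input_buffer));` in the `convert_input()` hunk compiles out under NDEBUG, and the `(void)` cast on `rbuffer_write()` then discards the only runtime signal of a short write, so a release build would silently drop the tail of the converted input while `rbuffer_consumed(read_buffer, data_length)` still retires every raw byte. Keeping the result, e.g. `size_t written = rbuffer_write(input_buffer, data, converted_length);` followed by an explicit `if (written != converted_length)` error path, would enforce the assumption instead of only documenting it. The same applies to the new `assert(rbuffer->rpos <= rbuffer->wpos);` in `rbuffer_relocate()` in rstream.c, which is a debug-only guard in front of the `memmove()` that is presumably where the overflow named in the commit message occurred. `converted_length` is now the length handed to the write but is filled through an `(int *)` cast and declared outside the hunk, so it is worth confirming that it is fully initialised the way `unconverted_length` now is. `convert_input()` begins and ends outside the hunk.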