From 0cf0be302beb3029d245814eca427f4a4ebd2f67 Mon Sep 17 00:00:00 2001
From: zeertzjq
Date: Fri, 24 Jun 2022 06:25:34 +0800
Subject: vim-patch:8.2.4895: buffer overflow with invalid command with composing chars
Problem: Buffer overflow with invalid command with composing chars.
Solution: Check that the whole character fits in the buffer.
https://github.com/vim/vim/commit/d88934406c5375d88f8f1b65331c9f0cab68cc6c
---
 src/nvim/ex_docmd.c | 4 +++-
 src/nvim/testdir/test_cmdline.vim | 11 +++++++++++
 2 files changed, 14 insertions(+), 1 deletion(-)
diff --git a/src/nvim/ex_docmd.c b/src/nvim/ex_docmd.c
index 53a05ccc04..671e83def6 100644
--- a/src/nvim/ex_docmd.c
+++ b/src/nvim/ex_docmd.c
@@ -2892,11 +2892,13 @@ static void append_command(char *cmd)
 STRCAT(IObuff, ": ");
 d = (char *)IObuff + STRLEN(IObuff);
- while (*s != NUL && (char_u *)d - IObuff < IOSIZE - 7) {
+ while (*s != NUL && (char_u *)d - IObuff + 5 < IOSIZE) {
 if ((char_u)s[0] == 0xc2 && (char_u)s[1] == 0xa0) {
 s += 2;
 STRCPY(d, "");
 d += 4;
+ } else if ((char_u *)d - IObuff + utfc_ptr2len(s) + 1 >= IOSIZE) {
+ break;
 } else {
 mb_copy_char((const char_u **)&s, (char_u **)&d);
 }
diff --git a/src/nvim/testdir/test_cmdline.vim b/src/nvim/testdir/test_cmdline.vim
index 4630ddd6e7..887c8e1593 100644
--- a/src/nvim/testdir/test_cmdline.vim
+++ b/src/nvim/testdir/test_cmdline.vim
@@ -1220,6 +1220,17 @@ func Test_recalling_cmdline()
 cunmap (save-cmdline)
 endfunc
+" this was going over the end of IObuff
+func Test_report_error_with_composing()
+ let caught = 'no'
+ try
+ exe repeat('0', 987) .. "0\xdd\x80\xdd\x80\xdd\x80\xdd\x80"
+ catch /E492:/
+ let caught = 'yes'
+ endtry
+ call assert_equal('yes', caught)
+endfunc
+
 " Test for expanding 2-letter and 3-letter :substitute command arguments.
 " These commands don't accept an argument.
 func Test_cmdline_complete_substitute_short()
-- cgit
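Review bot: The `STRCAT(IObuff, ": ")` ahead of the loop in `append_command` is still unbounded, and `d` is then derived from `STRLEN(IObuff)`, so the new limits in the `while` condition and the `else if` only hold if every caller leaves at least three free bytes in `IObuff`. The callers are not visible here, so that may already be guaranteed, but a local guard before the `STRCAT` would remove the dependency, e.g. `if (STRLEN(IObuff) + 3 > IOSIZE) { return; }`. The `5` in `(char_u *)d - IObuff + 5 < IOSIZE` replaces an equally unexplained `7` and deserves a comment such as `// room for the 4 bytes written by STRCPY plus the NUL`. The body of `append_command` starts and ends outside this hunk, so the final termination of `d` is not shown.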
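Review bot: `Test_report_error_with_composing` asserts only that `E492:` is raised, so it probably passes on an unfixed build too unless the suite runs under a memory checker such as ASan or Valgrind; it is worth stating in the comment that the test relies on that. The `987` in `repeat('0', 987)` appears to be chosen so that the composing characters straddle the end of `IObuff`, which ties it to the buffer size and to the length of the error-message prefix, neither of which is visible in this file. If either changes, the test would presumably keep passing without reaching the boundary. A comment would make the dependency explicit, e.g. `" 987 pads the command so the composing chars land at the end of IObuff; adjust if IOSIZE or the E492 text changes`.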