From 6853690c78c8fcbe0d5d3265cf9badaa7307c7cf Mon Sep 17 00:00:00 2001
From: Jan Edmund Lazo
Date: Thu, 9 Aug 2018 15:14:09 -0400
Subject: vim-patch:8.0.1433: illegal memory access after undo

Problem: Illegal memory access after undo. (Dominique Pelle)
Solution: Avoid the column becomes negative. (Christian Brabandt, closes vim/vim#2533)
https://github.com/vim/vim/commit/95dbcbea6d85a5b79d9617ab3863458fdf0217a0
---
 src/nvim/mark.c | 6 +++++-
 src/nvim/mbyte.c | 4 +++-
 src/nvim/testdir/test_undo.vim | 9 +++++++++
 3 files changed, 17 insertions(+), 2 deletions(-)

diff --git a/src/nvim/mark.c b/src/nvim/mark.c
index b9c91de2a8..3861d9ceb8 100644
--- a/src/nvim/mark.c
+++ b/src/nvim/mark.c
@@ -1465,7 +1465,11 @@ void mark_mb_adjustpos(buf_T *buf, pos_T *lp)
 {
 if (lp->col > 0 || lp->coladd > 1) {
 const char_u *const p = ml_get_buf(buf, lp->lnum, false);
- lp->col -= (*mb_head_off)(p, p + lp->col);
+ if (*p == NUL || (int)STRLEN(p) < lp->col) {
+ lp->col = 0;
+ } else {
+ lp->col -= (*mb_head_off)(p, p + lp->col);
+ }
 // Reset "coladd" when the cursor would be on the right half of a
 // double-wide character.
 if (lp->coladd == 1
diff --git a/src/nvim/mbyte.c b/src/nvim/mbyte.c
index 7c196831ba..15fe51cad1 100644
--- a/src/nvim/mbyte.c
+++ b/src/nvim/mbyte.c
@@ -566,7 +566,9 @@ int utf_off2cells(unsigned off, unsigned max_off)
 /// Convert a UTF-8 byte sequence to a wide character
 ///
 /// If the sequence is illegal or truncated by a NUL then the first byte is
-/// returned. Does not include composing characters for obvious reasons.
+/// returned.
+/// For an overlong sequence this may return zero.
+/// Does not include composing characters for obvious reasons.
 ///
 /// @param[in] p String to convert.
 ///
diff --git a/src/nvim/testdir/test_undo.vim b/src/nvim/testdir/test_undo.vim
index 38610f8002..3e6e276751 100644
--- a/src/nvim/testdir/test_undo.vim
+++ b/src/nvim/testdir/test_undo.vim
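Review bot: In the mark.c hunk, the new guard in mark_mb_adjustpos compares `(int)STRLEN(p) < lp->col`, which narrows the length to int before comparing and only rejects a column that is too large. If a negative `lp->col` can arrive through the `lp->coladd > 1` arm of the outer condition, it would still reach `p + lp->col`. Comparing in the unsigned type covers both ends: `if (*p == NUL || STRLEN(p) < (size_t)lp->col) {`, assuming STRLEN yields a size_t and `lp->col` is a signed column type, neither of which is declared in the hunk. A comment such as `// lp may be stale after undo; never index past the line's NUL.` would also record why the clamp exists. The function body continues past the end of the hunk.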
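Review bot: The added sentence `For an overlong sequence this may return zero.` in the mbyte.c doc comment states the hazard but not what a caller must do about it. A zero result then no longer guarantees that the pointer sits on the terminating NUL, so code that stops scanning on a zero return can misjudge where the string ends. I would add `/// Callers must not treat a zero result as end-of-string; check *p instead.` The documented function's signature and body are outside the hunk, so whether existing callers rely on a zero return cannot be seen here.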
@@ -348,3 +348,12 @@ func Test_redo_empty_line()
 exe "norm."
 bwipe!
 endfunc
+
+" This used to cause an illegal memory access
+func Test_undo_append()
+ new
+ call feedkeys("axx\v", 'xt')
+ undo
+ norm o
+ quit
+endfunc
-- cgit
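Review bot: Test_undo_append makes no assertion, so it fails only if the out-of-bounds read actually crashes the editor or the suite runs under a memory checker. Adding a cursor check after `undo`, for example `call assert_equal(<expected col>, col('.'))` with the value observed on a fixed build, would catch a regression of the column clamp in plain runs as well.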