From dbb386e1b277004e37902fd1c794727277312765 Mon Sep 17 00:00:00 2001 From: Jan Edmund Lazo Date: Wed, 18 Mar 2020 00:47:46 -0400 Subject: vim-patch:8.1.2280: crash when passing partial to substitute() Problem: Crash when passing partial to substitute(). Solution: Take extra arguments into account. (closes vim/vim#5186) https://github.com/vim/vim/commit/b0745b221d284e381f1bd4b591cd68ea54b6a51d --- src/nvim/eval.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'src/nvim/eval.c') diff --git a/src/nvim/eval.c b/src/nvim/eval.c index dc20940166..7c7e9da8ac 100644 --- a/src/nvim/eval.c +++ b/src/nvim/eval.c @@ -6382,7 +6382,9 @@ call_func( error = ERROR_DELETED; } else if (fp != NULL) { if (argv_func != NULL) { - argcount = argv_func(argcount, argvars, fp->uf_args.ga_len); + // postponed filling in the arguments, do it now + argcount = argv_func(argcount, argvars, argv_clear, + fp->uf_args.ga_len); } if (fp->uf_flags & FC_RANGE) { *doesrange = true; -- cgit From 16a4581349f45f4030a4a361228bc1d69fb7e45f Mon Sep 17 00:00:00 2001 From: Jan Edmund Lazo Date: Wed, 18 Mar 2020 01:15:27 -0400 Subject: vim-patch:8.1.2282: crash when passing many arguments through a partial Problem: Crash when passing many arguments through a partial. (Andy Massimino) Solution: Check the number of arguments. (closes vim/vim#5186) https://github.com/vim/vim/commit/4c054e9fb23027b55a09ee647a3a2c91936aeb1b --- src/nvim/eval.c | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) (limited to 'src/nvim/eval.c') diff --git a/src/nvim/eval.c b/src/nvim/eval.c index 7c7e9da8ac..f301d29335 100644 --- a/src/nvim/eval.c +++ b/src/nvim/eval.c @@ -6328,6 +6328,10 @@ call_func( } if (error == ERROR_NONE && partial->pt_argc > 0) { for (argv_clear = 0; argv_clear < partial->pt_argc; argv_clear++) { + if (argv_clear + argcount_in >= MAX_FUNC_ARGS) { + error = ERROR_TOOMANY; + goto theend; + } tv_copy(&partial->pt_argv[argv_clear], &argv[argv_clear]); } for (int i = 0; i < argcount_in; i++) { @@ -6432,10 +6436,9 @@ call_func( if (error == ERROR_NONE) ret = OK; - /* - * Report an error unless the argument evaluation or function call has been - * cancelled due to an aborting error, an interrupt, or an exception. - */ +theend: + // Report an error unless the argument evaluation or function call has been + // cancelled due to an aborting error, an interrupt, or an exception. if (!aborting()) { switch (error) { case ERROR_UNKNOWN: @@ -7132,6 +7135,10 @@ void common_function(typval_T *argvars, typval_T *rettv, list = argvars[arg_idx].vval.v_list; if (tv_list_len(list) == 0) { arg_idx = 0; + } else if (tv_list_len(list) > MAX_FUNC_ARGS) { + emsg_funcname((char *)e_toomanyarg, name); + xfree(name); + goto theend; } } } -- cgit From 572627255983b7733b6ad05da52b3e704aae8a2f Mon Sep 17 00:00:00 2001 From: Jan Edmund Lazo Date: Fri, 3 Apr 2020 20:36:11 -0400 Subject: vim-patch:8.2.0507: getbufvar() may get the wrong dictionary Problem: Getbufvar() may get the wrong dictionary. (David le Blanc) Solution: Check for empty name. (closes vim/vim#5878) https://github.com/vim/vim/commit/5259275347667a90fb88d8ea74331f88ad68edfc --- src/nvim/eval.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'src/nvim/eval.c') diff --git a/src/nvim/eval.c b/src/nvim/eval.c index f301d29335..12b13a1f08 100644 --- a/src/nvim/eval.c +++ b/src/nvim/eval.c @@ -9536,7 +9536,8 @@ dictitem_T *find_var(const char *const name, const size_t name_len, return find_var_in_scoped_ht(name, name_len, no_autoload || htp != NULL); } -/// Find variable in hashtab +/// Find variable in hashtab. +/// When "varname" is empty returns curwin/curtab/etc vars dictionary. /// /// @param[in] ht Hashtab to find variable in. /// @param[in] htname Hashtab name (first character). -- cgit