From c95bc3349b6df13d8a4b5c1c7f3440e4578b266c Mon Sep 17 00:00:00 2001 From: Thiago de Arruda Date: Tue, 28 Oct 2014 09:17:57 -0300 Subject: input: Fix conversion error in `convert_input()` The `rbuffer_consumed` was being passed a consumed count from another buffer, causing integer overflow in `rbuffer_relocate`. Fixes #1343 --- src/nvim/os/input.c | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) (limited to 'src/nvim/os/input.c') diff --git a/src/nvim/os/input.c b/src/nvim/os/input.c index 2c8026d099..e4501aeb82 100644 --- a/src/nvim/os/input.c +++ b/src/nvim/os/input.c @@ -1,3 +1,4 @@ +#include #include #include #include @@ -237,18 +238,23 @@ static void convert_input(void) if (convert) { // Perform input conversion according to `input_conv` - size_t unconverted_length; + size_t unconverted_length = 0; data = (char *)string_convert_ext(&input_conv, (uint8_t *)data, (int *)&converted_length, (int *)&unconverted_length); - data_length = rbuffer_pending(read_buffer) - unconverted_length; + data_length -= unconverted_length; } - // Write processed data to input buffer - size_t consumed = rbuffer_write(input_buffer, data, data_length); + // The conversion code will be gone eventually, for now assume `input_buffer` + // always has space for the converted data(it's many times the size of + // `read_buffer`, so it's hard to imagine a scenario where the converted data + // doesn't fit) + assert(converted_length <= rbuffer_available(input_buffer)); + // Write processed data to input buffer. + (void)rbuffer_write(input_buffer, data, converted_length); // Adjust raw buffer pointers - rbuffer_consumed(read_buffer, consumed); + rbuffer_consumed(read_buffer, data_length); if (convert) { // data points to memory allocated by `string_convert_ext`, free it. -- cgit