From ccfb69ab3676bca927744bae2f7462a6464fe4ce Mon Sep 17 00:00:00 2001 From: Jan Edmund Lazo Date: Fri, 18 Sep 2020 21:05:08 -0400 Subject: vim-patch:8.2.0817: not enough memory allocated when converting string Problem: Not enough memory allocated when converting string with special character. Solution: Reserve space for modifier code. (closes vim/vim#6130) https://github.com/vim/vim/commit/f7271e831614d15d173c7f562cc26f48c2554ce9 Cherry-pick Test_eval(), Test_nr2char() from patch 8.2.0448. --- src/nvim/eval.c | 19 ++++++++++++------- src/nvim/testdir/test_functions.vim | 18 ++++++++++++++++++ 2 files changed, 30 insertions(+), 7 deletions(-) (limited to 'src') diff --git a/src/nvim/eval.c b/src/nvim/eval.c index b395d7bb8a..f3b6818464 100644 --- a/src/nvim/eval.c +++ b/src/nvim/eval.c @@ -4518,7 +4518,6 @@ int get_option_tv(const char **const arg, typval_T *const rettv, static int get_string_tv(char_u **arg, typval_T *rettv, int evaluate) { char_u *p; - char_u *name; unsigned int extra = 0; /* @@ -4526,11 +4525,13 @@ static int get_string_tv(char_u **arg, typval_T *rettv, int evaluate) */ for (p = *arg + 1; *p != NUL && *p != '"'; MB_PTR_ADV(p)) { if (*p == '\\' && p[1] != NUL) { - ++p; - /* A "\" form occupies at least 4 characters, and produces up - * to 6 characters: reserve space for 2 extra */ - if (*p == '<') - extra += 2; + p++; + // A "\" form occupies at least 4 characters, and produces up + // to 9 characters (6 for the char and 3 for a modifier): reserve + // space for 5 extra. + if (*p == '<') { + extra += 5; + } } } @@ -4549,7 +4550,8 @@ static int get_string_tv(char_u **arg, typval_T *rettv, int evaluate) * Copy the string into allocated memory, handling backslashed * characters. */ - name = xmalloc(p - *arg + extra); + const int len = (int)(p - *arg + extra); + char_u *name = xmalloc(len); rettv->v_type = VAR_STRING; rettv->vval.v_string = name; @@ -4616,6 +4618,9 @@ static int get_string_tv(char_u **arg, typval_T *rettv, int evaluate) extra = trans_special((const char_u **)&p, STRLEN(p), name, true, true); if (extra != 0) { name += extra; + if (name >= rettv->vval.v_string + len) { + iemsg("get_string_tv() used more space than allocated"); + } break; } FALLTHROUGH; diff --git a/src/nvim/testdir/test_functions.vim b/src/nvim/testdir/test_functions.vim index 9a05db1188..c8140d1c52 100644 --- a/src/nvim/testdir/test_functions.vim +++ b/src/nvim/testdir/test_functions.vim @@ -1359,3 +1359,21 @@ func Test_readdir() call delete('Xdir', 'rf') endfunc + +" Test for the eval() function +func Test_eval() + call assert_fails("call eval('5 a')", 'E488:') +endfunc + +" Test for the nr2char() function +func Test_nr2char() + " set encoding=latin1 + call assert_equal('@', nr2char(64)) + set encoding=utf8 + call assert_equal('a', nr2char(97, 1)) + call assert_equal('a', nr2char(97, 0)) + + call assert_equal("\x80\xfc\b\xf4\x80\xfeX\x80\xfeX\x80\xfeX", eval('"\"')) +endfunc + +" vim: shiftwidth=2 sts=2 expandtab -- cgit