From 237c9da666082210b425882d3b34974a8dae4047 Mon Sep 17 00:00:00 2001
From: erw7
Date: Mon, 25 May 2020 12:48:17 +0900
Subject: input: fix stack overflow

fixes #12287, #11788
---
 src/nvim/os/input.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

(limited to 'src')
diff --git a/src/nvim/os/input.c b/src/nvim/os/input.c
index c1580c5fc3..139169f1c2 100644
--- a/src/nvim/os/input.c
+++ b/src/nvim/os/input.c
@@ -188,8 +188,15 @@ size_t input_enqueue(String keys)
   char *ptr = keys.data;
   char *end = ptr + keys.size;
 
-  while (rbuffer_space(input_buffer) >= 6 && ptr < end) {
-    uint8_t buf[6] = { 0 };
+  while (rbuffer_space(input_buffer) >= 19 && ptr < end) {
+    // A "\" form occupies at least 1 characters, and produces up
+    // to 19 characters (1 + 5 * 3 for the char and 3 for a modifier).
+    // In the case of K_SPECIAL(0x80) or CSI(0x9B), 3 bytes are escaped and
+    // needed, but since the keys are UTF-8, so the first byte cannot be
+    // K_SPECIAL(0x80) or CSI(0x9B).
+    // In UTF-8, a 5-6 byte representation is now an invalid sequence, but we
+    // reserve a 19-byte buffer for maximum security.
+    uint8_t buf[19] = { 0 };
     unsigned int new_size = trans_special((const uint8_t **)&ptr,
                                           (size_t)(end - ptr), buf, true,
                                           false);
-- 
cgit
From e01fc33515d5cd3a9a595d0e6905bd16d3a861e5 Mon Sep 17 00:00:00 2001
From: erw7
Date: Tue, 26 May 2020 17:23:04 +0900
Subject: [squash] fix comment [skip ci]

---
 src/nvim/keymap.c   | 4 ++--
 src/nvim/os/input.c | 4 +---
 2 files changed, 3 insertions(+), 5 deletions(-)

(limited to 'src')
diff --git a/src/nvim/keymap.c b/src/nvim/keymap.c
index 4b8b9992f5..a553110552 100644
--- a/src/nvim/keymap.c
+++ b/src/nvim/keymap.c
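Review bot: The new 19-byte bound is a bare literal in both the loop guard and the `uint8_t buf[19]` declaration, with nothing tying it to what trans_special can actually emit, so a later change to trans_special's output can reintroduce the same stack overflow silently; the same literal recurs in the keymap.c doc comment of the follow-up commit. I would name it once, e.g. `enum { TRANS_SPECIAL_MAX_LEN = 19 };` (constructed name), write `uint8_t buf[TRANS_SPECIAL_MAX_LEN] = { 0 };` and the matching guard, and follow the call with `assert(new_size <= sizeof buf);` so a mismatch fails loudly in debug builds instead of corrupting the stack. The assertion only detects an overrun after the fact; if trans_special's signature can be changed, passing the destination size in and having it bound its own writes is the stronger fix. input_enqueue continues outside the hunk, so I cannot see where buf is copied into input_buffer.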
@@ -517,8 +517,8 @@ char_u *get_special_key_name(int c, int modifiers)
 /// @param[in,out] srcp Source from which <> are translated. Is advanced to
 ///                     after the <> name if there is a match.
 /// @param[in] src_len Length of the srcp.
-/// @param[out] dst Location where translation result will be kept. Must have
-///                 at least six bytes.
+/// @param[out] dst Location where translation result will be kept. It must
+// be at least 19 bytes per "" form.
 /// @param[in] keycode Prefer key code, e.g. K_DEL in place of DEL.
 /// @param[in] in_string Inside a double quoted string
 ///
diff --git a/src/nvim/os/input.c b/src/nvim/os/input.c
index 139169f1c2..b7878d9da8 100644
--- a/src/nvim/os/input.c
+++ b/src/nvim/os/input.c
@@ -189,13 +189,11 @@ size_t input_enqueue(String keys)
   char *end = ptr + keys.size;
 
   while (rbuffer_space(input_buffer) >= 19 && ptr < end) {
-    // A "\" form occupies at least 1 characters, and produces up
+    // A "" form occupies at least 1 characters, and produces up
     // to 19 characters (1 + 5 * 3 for the char and 3 for a modifier).
     // In the case of K_SPECIAL(0x80) or CSI(0x9B), 3 bytes are escaped and
     // needed, but since the keys are UTF-8, so the first byte cannot be
     // K_SPECIAL(0x80) or CSI(0x9B).
-    // In UTF-8, a 5-6 byte representation is now an invalid sequence, but we
-    // reserve a 19-byte buffer for maximum security.
     uint8_t buf[19] = { 0 };
     unsigned int new_size = trans_special((const uint8_t **)&ptr,
                                           (size_t)(end - ptr), buf, true,
-- 
cgit
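Review bot: The continuation line of the rewritten `@param[out] dst` entry uses `//` rather than `///`, so Doxygen does not treat it as part of the documentation block and the 19-byte requirement that this whole change exists to document is dropped from the generated output. It should read `///                 be at least 19 bytes per "" form.`, indented like the other continuation lines in this block. Since trans_special translates a single form per call, "per form" may also be read as a per-input multiplier; stating the caller's obligation plainly, such as "must have room for at least 19 bytes", would be less ambiguous.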
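Review bot: The retained comment above `uint8_t buf[19]` still says `occupies at least 1 characters` and `but since the keys are UTF-8, so the first byte cannot be`, both of which are ungrammatical; I would write `// A "" form occupies at least 1 character and produces up` and `// needed, but since the keys are UTF-8 the first byte cannot be`. Deleting the two lines about 5-6 byte sequences also removes the only explanation of the `5 * 3` term in the size derivation, which otherwise looks too large for UTF-8's 4-byte maximum; a one-line rationale such as `// (5 bytes is the historical UTF-8 maximum, kept as headroom)` would preserve that for the next reader. input_enqueue continues outside the hunk.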