From f3f94d2c373e2560f84082c11ced2c3f5c7736bb Mon Sep 17 00:00:00 2001
From: zeertzjq
Date: Sat, 22 Feb 2025 06:49:59 +0800
Subject: vim-patch:partial:9.1.1131: potential out-of-memory issue in search.c (#32565)

Problem: potential out-of-memory issue in search.c
Solution: improve situation and refactor search.c slightly (John Marriott)

- In function update_search_stat(): add a check for a theoretical null pointer reference, set and remember the length of lastpat, remove the three calls to STRLEN() and use the various string's associated lengths instead, add a check for an out-of-memory condition.
- In function search_for_fuzz_match(): remove a call to strnsave() and thus avoid having to add a check for an out-of-memory condition, also replace the call to STRLEN() by ml_get_buf_len().

closes: vim/vim#16689

https://github.com/vim/vim/commit/b79fa3d9c8a08f15267797511d779e33bd33e68e

Co-authored-by: John Marriott
---
 src/nvim/search.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

(limited to 'src')

diff --git a/src/nvim/search.c b/src/nvim/search.c
index 9f8ceae2a0..04f33b9445 100644
--- a/src/nvim/search.c
+++ b/src/nvim/search.c
@@ -2704,6 +2704,7 @@ static void update_search_stat(int dirc, pos_T *pos, pos_T *cursor_pos, searchst
   static int last_maxcount = SEARCH_STAT_DEF_MAX_COUNT;
   static int chgtick = 0;
   static char *lastpat = NULL;
+  static size_t lastpatlen = 0;
   static buf_T *lbuf = NULL;
 
   CLEAR_POINTER(stat);
@@ -2725,9 +2726,9 @@ static void update_search_stat(int dirc, pos_T *pos, pos_T *cursor_pos, searchst
   // Unfortunately, there is no STRNICMP function.
   // XXX: above comment should be "no MB_STRCMP function" ?
   if (!(chgtick == buf_get_changedtick(curbuf)
-        && lastpat != NULL  // suppress clang/NULL passed as nonnull parameter
-        && STRNICMP(lastpat, spats[last_idx].pat, strlen(lastpat)) == 0
-        && strlen(lastpat) == strlen(spats[last_idx].pat)
+        && (lastpat != NULL  // suppress clang/NULL passed as nonnull parameter
+            && mb_strnicmp(lastpat, spats[last_idx].pat, lastpatlen) == 0
+            && lastpatlen == spats[last_idx].patlen)
         && equalpos(lastpos, *cursor_pos)
         && lbuf == curbuf)
       || wraparound || cur < 0 || (maxcount > 0 && cur > maxcount)
@@ -2780,7 +2781,8 @@ static void update_search_stat(int dirc, pos_T *pos, pos_T *cursor_pos, searchst
   }
   if (done_search) {
     xfree(lastpat);
-    lastpat = xstrdup(spats[last_idx].pat);
+    lastpat = xstrnsave(spats[last_idx].pat, spats[last_idx].patlen);
+    lastpatlen = spats[last_idx].patlen;
     chgtick = (int)buf_get_changedtick(curbuf);
     lbuf = curbuf;
     lastpos = p;
-- cgit
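Review bot: In the rewritten condition the length test `lastpatlen == spats[last_idx].patlen` is evaluated after `mb_strnicmp(lastpat, spats[last_idx].pat, lastpatlen)`, so the byte compare runs even when the lengths already differ, and its bound is the remembered length rather than the shorter of the two; if mb_strnicmp does not stop at the terminator of the shorter string, a current pattern shorter than the remembered one could be read past its end. Swapping the two operands turns the cheap integer check into the guard: `&& (lastpat != NULL && lastpatlen == spats[last_idx].patlen` followed by `&& mb_strnicmp(lastpat, spats[last_idx].pat, lastpatlen) == 0)`. The two context comments above the `if` ("there is no STRNICMP function" and the XXX note) now describe a call that no longer exists and should be dropped or reworded, e.g. `// Case-insensitive, multibyte-aware compare of the remembered pattern with the current one.`. update_search_stat() starts before this hunk and ends after it.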
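Review bot: `lastpat` and `lastpatlen` are now a pair that the early-out check earlier in this function reads together, and this hunk is the only place in view that writes them, but nothing records that invariant. A one-line comment above the assignment, `// lastpatlen must track lastpat: both are compared against spats[last_idx] on the next call`, would make the pairing explicit for future edits. The copy also trusts `spats[last_idx].patlen` to match `spats[last_idx].pat` (xstrnsave copies exactly that many bytes), an assumption inherited from the spats writers rather than checked here. The out-of-memory check mentioned in the commit message is presumably unnecessary in this port because the x-prefixed allocators abort on failure; a short comment saying so would stop a later reader from re-adding one. update_search_stat() continues outside the hunk on both sides.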