59 lines
1.7 KiB
Diff
59 lines
1.7 KiB
Diff
From d88934406c5375d88f8f1b65331c9f0cab68cc6c Mon Sep 17 00:00:00 2001
|
|
From: Bram Moolenaar <Bram@vim.org>
|
|
Date: Fri, 6 May 2022 20:38:47 +0100
|
|
Subject: [PATCH] patch 8.2.4895: buffer overflow with invalid command with
|
|
composing chars
|
|
|
|
Problem: Buffer overflow with invalid command with composing chars.
|
|
Solution: Check that the whole character fits in the buffer.
|
|
---
|
|
src/ex_docmd.c | 4 +++-
|
|
src/testdir/test_cmdline.vim | 11 +++++++++++
|
|
2 files changed, 14 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/src/ex_docmd.c b/src/ex_docmd.c
|
|
index dfcbf37..f142c46 100644
|
|
--- a/src/ex_docmd.c
|
|
+++ b/src/ex_docmd.c
|
|
@@ -3092,7 +3092,7 @@ append_command(char_u *cmd)
|
|
|
|
STRCAT(IObuff, ": ");
|
|
d = IObuff + STRLEN(IObuff);
|
|
- while (*s != NUL && d - IObuff < IOSIZE - 7)
|
|
+ while (*s != NUL && d - IObuff + 5 < IOSIZE)
|
|
{
|
|
if (enc_utf8 ? (s[0] == 0xc2 && s[1] == 0xa0) : *s == 0xa0)
|
|
{
|
|
@@ -3100,6 +3100,8 @@ append_command(char_u *cmd)
|
|
STRCPY(d, "<a0>");
|
|
d += 4;
|
|
}
|
|
+ else if (d - IObuff + (*mb_ptr2len)(s) + 1 >= IOSIZE)
|
|
+ break;
|
|
else
|
|
MB_COPY_CHAR(s, d);
|
|
}
|
|
diff --git a/src/testdir/test_cmdline.vim b/src/testdir/test_cmdline.vim
|
|
index 5297951..41a73d2 100644
|
|
--- a/src/testdir/test_cmdline.vim
|
|
+++ b/src/testdir/test_cmdline.vim
|
|
@@ -870,4 +870,15 @@ func Test_cmdwin_cedit()
|
|
delfunc CmdWinType
|
|
endfunc
|
|
|
|
+" this was going over the end of IObuff
|
|
+func Test_report_error_with_composing()
|
|
+ let caught = 'no'
|
|
+ try
|
|
+ exe repeat('0', 987) .. "0\xdd\x80\xdd\x80\xdd\x80\xdd\x80"
|
|
+ catch /E492:/
|
|
+ let caught = 'yes'
|
|
+ endtry
|
|
+ call assert_equal('yes', caught)
|
|
+endfunc
|
|
+
|
|
" vim: shiftwidth=2 sts=2 expandtab
|
|
--
|
|
2.27.0
|
|
|