118 lines
3.5 KiB
Diff
118 lines
3.5 KiB
Diff
From 652dee448618589de5528a9e9a36995803f5557a Mon Sep 17 00:00:00 2001
|
|
From: Bram Moolenaar <Bram@vim.org>
|
|
Date: Fri, 28 Jan 2022 20:47:49 +0000
|
|
Subject: [PATCH] patch 8.2.4245: ":retab 0" may cause illegal memory access
|
|
|
|
Problem: ":retab 0" may cause illegal memory access.
|
|
Solution: Limit the value of 'tabstop' to 10000.
|
|
|
|
---
|
|
src/indent.c | 4 ++--
|
|
src/option.c | 16 +++++++++-------
|
|
src/testdir/test_options.vim | 2 ++
|
|
src/vim.h | 2 ++
|
|
4 files changed, 15 insertions(+), 9 deletions(-)
|
|
|
|
diff --git a/src/indent.c b/src/indent.c
|
|
index 7d04373..e8e93b9 100644
|
|
--- a/src/indent.c
|
|
+++ b/src/indent.c
|
|
@@ -71,7 +71,7 @@ tabstop_set(char_u *var, int **array)
|
|
int n = atoi((char *)cp);
|
|
|
|
// Catch negative values, overflow and ridiculous big values.
|
|
- if (n < 0 || n > 9999)
|
|
+ if (n < 0 || n > TABSTOP_MAX)
|
|
{
|
|
semsg(_(e_invarg2), cp);
|
|
vim_free(*array);
|
|
@@ -1590,7 +1590,7 @@ ex_retab(exarg_T *eap)
|
|
emsg(_(e_positive));
|
|
return;
|
|
}
|
|
- if (new_ts < 0 || new_ts > 9999)
|
|
+ if (new_ts < 0 || new_ts > TABSTOP_MAX)
|
|
{
|
|
semsg(_(e_invarg2), eap->arg);
|
|
return;
|
|
diff --git a/src/option.c b/src/option.c
|
|
index e9598d6..382b01b 100644
|
|
--- a/src/option.c
|
|
+++ b/src/option.c
|
|
@@ -3557,6 +3557,11 @@ set_num_option(
|
|
errmsg = e_positive;
|
|
curbuf->b_p_ts = 8;
|
|
}
|
|
+ else if (curbuf->b_p_ts > TABSTOP_MAX)
|
|
+ {
|
|
+ errmsg = e_invalid_argument;
|
|
+ curbuf->b_p_ts = 8;
|
|
+ }
|
|
if (p_tm < 0)
|
|
{
|
|
errmsg = e_positive;
|
|
@@ -5758,7 +5763,7 @@ buf_copy_options(buf_T *buf, int flags)
|
|
if (p_vsts && p_vsts != empty_option)
|
|
(void)tabstop_set(p_vsts, &buf->b_p_vsts_array);
|
|
else
|
|
- buf->b_p_vsts_array = 0;
|
|
+ buf->b_p_vsts_array = NULL;
|
|
buf->b_p_vsts_nopaste = p_vsts_nopaste
|
|
? vim_strsave(p_vsts_nopaste) : NULL;
|
|
#endif
|
|
@@ -6583,9 +6588,7 @@ paste_option_changed(void)
|
|
if (buf->b_p_vsts)
|
|
free_string_option(buf->b_p_vsts);
|
|
buf->b_p_vsts = empty_option;
|
|
- if (buf->b_p_vsts_array)
|
|
- vim_free(buf->b_p_vsts_array);
|
|
- buf->b_p_vsts_array = 0;
|
|
+ VIM_CLEAR(buf->b_p_vsts_array);
|
|
#endif
|
|
}
|
|
|
|
@@ -6631,12 +6634,11 @@ paste_option_changed(void)
|
|
free_string_option(buf->b_p_vsts);
|
|
buf->b_p_vsts = buf->b_p_vsts_nopaste
|
|
? vim_strsave(buf->b_p_vsts_nopaste) : empty_option;
|
|
- if (buf->b_p_vsts_array)
|
|
- vim_free(buf->b_p_vsts_array);
|
|
+ vim_free(buf->b_p_vsts_array);
|
|
if (buf->b_p_vsts && buf->b_p_vsts != empty_option)
|
|
(void)tabstop_set(buf->b_p_vsts, &buf->b_p_vsts_array);
|
|
else
|
|
- buf->b_p_vsts_array = 0;
|
|
+ buf->b_p_vsts_array = NULL;
|
|
#endif
|
|
}
|
|
|
|
diff --git a/src/testdir/test_options.vim b/src/testdir/test_options.vim
|
|
index 65600ee..d4213c1 100644
|
|
--- a/src/testdir/test_options.vim
|
|
+++ b/src/testdir/test_options.vim
|
|
@@ -263,6 +263,8 @@ func Test_set_errors()
|
|
call assert_fails('set shiftwidth=-1', 'E487:')
|
|
call assert_fails('set sidescroll=-1', 'E487:')
|
|
call assert_fails('set tabstop=-1', 'E487:')
|
|
+ call assert_fails('set tabstop=10000', 'E474:')
|
|
+ call assert_fails('set tabstop=5500000000', 'E474:')
|
|
call assert_fails('set textwidth=-1', 'E487:')
|
|
call assert_fails('set timeoutlen=-1', 'E487:')
|
|
call assert_fails('set updatecount=-1', 'E487:')
|
|
diff --git a/src/vim.h b/src/vim.h
|
|
index 68e2de1..cd917a3 100644
|
|
--- a/src/vim.h
|
|
+++ b/src/vim.h
|
|
@@ -2031,6 +2031,8 @@ typedef int sock_T;
|
|
|
|
#define DICT_MAXNEST 100 // maximum nesting of lists and dicts
|
|
|
|
+#define TABSTOP_MAX 9999
|
|
+
|
|
#ifdef FEAT_CLIPBOARD
|
|
|
|
// VIM_ATOM_NAME is the older Vim-specific selection type for X11. Still
|
|
--
|
|
2.27.0
|
|
|