To: vim_dev@googlegroups.com Subject: Patch 8.0.1421 Fcc: outbox From: Bram Moolenaar Mime-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ------------ Patch 8.0.1421 Problem: Accessing invalid memory with overlong byte sequence. Solution: Check for NUL character. (test by Dominique Pelle, closes #2485) Files: src/misc2.c, src/testdir/test_functions.vim *** ../vim-8.0.1420/src/misc2.c 2017-12-19 22:25:35.267003085 +0100 --- src/misc2.c 2017-12-22 21:02:51.826243309 +0100 *************** *** 1622,1632 **** char_u *s; c = utf_ptr2char(p); uc = utf_toupper(c); /* Reallocate string when byte count changes. This is rare, * thus it's OK to do another malloc()/free(). */ - l = utf_ptr2len(p); newl = utf_char2len(uc); if (newl != l) { --- 1622,1638 ---- char_u *s; c = utf_ptr2char(p); + l = utf_ptr2len(p); + if (c == 0) + { + /* overlong sequence, use only the first byte */ + c = *p; + l = 1; + } uc = utf_toupper(c); /* Reallocate string when byte count changes. This is rare, * thus it's OK to do another malloc()/free(). */ newl = utf_char2len(uc); if (newl != l) { *************** *** 1685,1695 **** char_u *s; c = utf_ptr2char(p); lc = utf_tolower(c); /* Reallocate string when byte count changes. This is rare, * thus it's OK to do another malloc()/free(). */ - l = utf_ptr2len(p); newl = utf_char2len(lc); if (newl != l) { --- 1691,1707 ---- char_u *s; c = utf_ptr2char(p); + l = utf_ptr2len(p); + if (c == 0) + { + /* overlong sequence, use only the first byte */ + c = *p; + l = 1; + } lc = utf_tolower(c); /* Reallocate string when byte count changes. This is rare, * thus it's OK to do another malloc()/free(). 
*/ newl = utf_char2len(lc); if (newl != l) { *** ../vim-8.0.1420/src/testdir/test_functions.vim 2017-12-19 11:54:59.726923324 +0100 --- src/testdir/test_functions.vim 2017-12-22 20:28:41.730381995 +0100 *************** *** 268,273 **** --- 268,278 ---- " Ⱥ (U+023A) and Ⱦ (U+023E) are the *only* code points to increase " in length (2 to 3 bytes) when lowercased. So let's test them. call assert_equal("ⱥ ⱦ", tolower("Ⱥ Ⱦ")) + + " This call to tolower with invalid utf8 sequence used to cause access to + " invalid memory. + call tolower("\xC0\x80\xC0") + call tolower("123\xC0\x80\xC0") endfunc func Test_toupper() *************** *** 338,343 **** --- 343,353 ---- call assert_equal("ZŹŻŽƵẐẔ", toupper("ZŹŻŽƵẐẔ")) call assert_equal("Ⱥ Ⱦ", toupper("ⱥ ⱦ")) + + " This call to toupper with invalid utf8 sequence used to cause access to + " invalid memory. + call toupper("\xC0\x80\xC0") + call toupper("123\xC0\x80\xC0") endfunc " Tests for the mode() function *** ../vim-8.0.1420/src/version.c 2017-12-21 20:54:45.133204521 +0100 --- src/version.c 2017-12-22 20:18:27.457891732 +0100 *************** *** 773,774 **** --- 773,778 ---- { /* Add new patch number below this line */ + /**/ + 1422, /**/ 1420, /**/ -- hundred-and-one symptoms of being an internet addict: 147. You finally give up smoking...because it made the monitor dirty. /// Bram Moolenaar -- Bram@Moolenaar.net -- http://www.Moolenaar.net \\\ /// sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\ \\\ an exciting new programming language -- http://www.Zimbu.org /// \\\ help me help AIDS victims -- http://ICCF-Holland.org ///
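Review bot: in both misc2.c hunks (toupper and tolower) the `if (c == 0)` fallback is documented as "overlong sequence, use only the first byte", but utf_ptr2char() returns 0 for a literal NUL as well as for an overlong encoding such as "\xC0\x80"; the branch is only correct if the enclosing loop never advances p onto a real NUL, and the comment should state that assumption so a later change to the loop does not turn the fallback into a one-byte-at-a-time walk past the terminator. A second point on the same lines: after `c = *p;` the raw lead byte is passed to utf_toupper()/utf_tolower() as if it were a code point, and bytes in the 0xC0-0xFF range coincide with Latin-1 letters that those tables do case-map, so the invalid byte is not passed through unchanged but rewritten (and, via `newl != l`, reallocated to a different length). If the intent is to leave undecodable input alone, set `uc = c;` (resp. `lc = c;`) in the fallback branch instead of calling the case function.

Review bot: the new test_functions.vim lines only `call tolower("\xC0\x80\xC0")` and `call toupper(...)` to check that the call no longer touches invalid memory; an `assert_equal()` on the returned string would also fix the chosen fallback behaviour (first byte handled on its own) in the test, so a later refactor of that branch cannot change the result silently while the crash test still passes.

Review bot: the version.c hunk adds `1422` above the existing `1420` entry, while the Subject and the "Patch 8.0.1421" header describe patch 1421; the added number should be `1421,` (or the header corrected), otherwise the patch list skips a number and `:version` will misreport which fix is included.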