To: vim_dev@googlegroups.com Subject: Patch 8.2.4895 Fcc: outbox From: Bram Moolenaar Mime-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ------------ Patch 8.2.4895 Problem: Buffer overflow with invalid command with composing chars. Solution: Check that the whole character fits in the buffer. Files: src/ex_docmd.c, src/testdir/test_cmdline.vim *** ../vim-8.2.4894/src/ex_docmd.c 2022-05-06 14:29:04.637209906 +0100 --- src/ex_docmd.c 2022-05-06 20:36:10.728167726 +0100 *************** *** 3435,3441 **** STRCAT(IObuff, ": "); d = IObuff + STRLEN(IObuff); ! while (*s != NUL && d - IObuff < IOSIZE - 7) { if (enc_utf8 ? (s[0] == 0xc2 && s[1] == 0xa0) : *s == 0xa0) { --- 3435,3441 ---- STRCAT(IObuff, ": "); d = IObuff + STRLEN(IObuff); ! while (*s != NUL && d - IObuff + 5 < IOSIZE) { if (enc_utf8 ? (s[0] == 0xc2 && s[1] == 0xa0) : *s == 0xa0) { *************** *** 3443,3448 **** --- 3443,3450 ---- STRCPY(d, ""); d += 4; } + else if (d - IObuff + (*mb_ptr2len)(s) + 1 >= IOSIZE) + break; else MB_COPY_CHAR(s, d); } *** ../vim-8.2.4894/src/testdir/test_cmdline.vim 2022-04-19 11:38:01.484066480 +0100 --- src/testdir/test_cmdline.vim 2022-05-06 20:36:52.980131021 +0100 *************** *** 3353,3358 **** --- 3353,3369 ---- set wildmenu& endfunc + " this was going over the end of IObuff + func Test_report_error_with_composing() + let caught = 'no' + try + exe repeat('0', 987) .. "0\xdd\x80\xdd\x80\xdd\x80\xdd\x80" + catch /E492:/ + let caught = 'yes' + endtry + call assert_equal('yes', caught) + endfunc + " Test for expanding 2-letter and 3-letter :substitute command arguments. " These commands don't accept an argument. func Test_cmdline_complete_substitute_short() *** ../vim-8.2.4894/src/version.c 2022-05-06 18:38:37.111605790 +0100 --- src/version.c 2022-05-06 20:02:57.517763707 +0100 *************** *** 748,749 **** --- 748,751 ---- { /* Add new patch number below this line */ + /**/ + 4895, /**/ -- "Computers in the future may weigh no more than 1.5 tons." Popular Mechanics, 1949 /// Bram Moolenaar -- Bram@Moolenaar.net -- http://www.Moolenaar.net \\\ /// \\\ \\\ sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ /// \\\ help me help AIDS victims -- http://ICCF-Holland.org ///