Raymond Ko <[email protected]> wrote:
> Hello all,
>
> After compiling VIM with Visual Studio 2012,
> apparently a buffer overflow was detected
> and caused VIM to crash.
...snip...
> mb_unescape() seems to be meant for only
> decoding individual characters, and stores
> its results inside a static local array buf, which
> is only meant to be MB_MAXBYTES + 1 big
> (22 bytes).
..snip...
I don't understand the function mb_unescape(), but what I can see is that it can overflow buf[] by 1 byte:

mbytes.c:

3796     static char_u buf[MB_MAXBYTES + 1];
3802     for (n = 0; str[n] != NUL && m <= MB_MAXBYTES; ++n)
         ...
3828         else
3829             buf[m++] = str[n];
3830         buf[m] = NUL;    <--- where it crashes
         ....
3838     }

Notice that we may write 2 bytes within the for loop (at lines 3829 and 3830 for example). So the check at line 3802 (m <= MB_MAXBYTES) is not enough to prevent overflows. If m is MB_MAXBYTES at line 3802, we enter the for loop, which may write to buf[MB_MAXBYTES] at line 3829 and then to buf[MB_MAXBYTES+1] at line 3830 (overflow by 1 byte!).

This overflow can be avoided by adding one more byte to buf:

3796     static char_u buf[MB_MAXBYTES + 2];

But since I don't understand the function, I'm not sure whether that's the correct fix. Can you explain how to reproduce the bug?

Regards
-- Dominique

--
You received this message from the "vim_dev" maillist.
Do not top-post! Type your reply below the text you are replying to.
For more information, visit http://www.vim.org/maillist.php
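The off-by-one reasoning in the reply above can be checked without touching Vim. The following is an added example written for this page, not Vim's code and not posted by anyone in the thread: it models only the two stores of the quoted loop (buf[m++] at line 3829 and the NUL at line 3830, under the guard m <= MB_MAXBYTES), leaves out the real function's early returns, and instead of writing past the buffer it records the highest index a store targets. The 22-byte input is constructed here; MB_MAXBYTES = 21 follows from the 22-byte buffer size the report gives. The strict-guard variant at the end is an alternative of my own for comparison, not something the thread proposes.

```c
#include <stddef.h>
#include <string.h>

/* Size constant implied by the report: buf is MB_MAXBYTES + 1 = 22 bytes. */
#define MB_MAXBYTES 21

/* Record the highest index a store targets; perform it only when in bounds. */
static void put_byte(char *buf, size_t cap, size_t idx, char ch, size_t *highest)
{
    if (idx > *highest)
        *highest = idx;
    if (idx < cap)
        buf[idx] = ch;
}

/*
 * Model of the quoted loop (constructed for this example, not Vim's code):
 * each iteration stores one byte at buf[m++] (line 3829) and then the NUL
 * terminator at buf[m] (line 3830). The guard is `m <= limit` when
 * `inclusive` is nonzero (as in the listing) or `m < limit` otherwise.
 * The real function's early returns are omitted. Returns the highest index
 * the loop tried to write, so a result >= cap means an out-of-bounds store.
 */
size_t unescape_model(const char *str, char *buf, size_t cap,
                      size_t limit, int inclusive)
{
    size_t m = 0, n, highest = 0;

    for (n = 0; str[n] != '\0' && (inclusive ? m <= limit : m < limit); ++n) {
        put_byte(buf, cap, m, str[n], &highest);   /* line 3829 */
        m++;
        put_byte(buf, cap, m, '\0', &highest);     /* line 3830 */
    }
    return highest;
}

/* Constructed input: `len` non-NUL bytes followed by NUL, enough to drive
 * m all the way up to MB_MAXBYTES. */
static void fill_input(char *input, size_t len)
{
    memset(input, 'a', len);
    input[len] = '\0';
}

/* Layout from the report: 22-byte buffer, guard `m <= MB_MAXBYTES`.
 * Returns 1 when a store lands past the end of buf. */
int original_overflows(void)
{
    char buf[MB_MAXBYTES + 1];
    char input[MB_MAXBYTES + 2];
    fill_input(input, MB_MAXBYTES + 1);
    return unescape_model(input, buf, sizeof buf, MB_MAXBYTES, 1) >= sizeof buf;
}

/* The fix proposed in the reply: one more byte in buf, same guard. */
int enlarged_buffer_is_safe(void)
{
    char buf[MB_MAXBYTES + 2];
    char input[MB_MAXBYTES + 2];
    fill_input(input, MB_MAXBYTES + 1);
    return unescape_model(input, buf, sizeof buf, MB_MAXBYTES, 1) < sizeof buf;
}

/* Alternative not discussed in the thread (my assumption): keep the 22-byte
 * buffer and tighten the guard to `m < MB_MAXBYTES`. */
int strict_guard_is_safe(void)
{
    char buf[MB_MAXBYTES + 1];
    char input[MB_MAXBYTES + 2];
    fill_input(input, MB_MAXBYTES + 1);
    return unescape_model(input, buf, sizeof buf, MB_MAXBYTES, 0) < sizeof buf;
}
```

With the inclusive guard the last iteration enters at m = 21, stores buf[21], then stores the NUL at buf[22], one past a 22-byte array; either a 23-byte buffer or a strict `<` guard keeps the highest index inside the array. The same pattern (a loop guard that checks m before two stores per iteration) is worth looking for whenever a terminator is written inside the loop body rather than after it.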
