On 18/09/12 8:49 AM, Dominique Pellé wrote:
Raymond Ko <[email protected]> wrote:

Hello all,

After compiling VIM with Visual Studio 2012,
apparently a buffer overflow was detected
and caused VIM to crash.
...snip...
mb_unescape() seems to be meant only for
decoding individual characters, and stores
its results inside a static local array buf, which
is only meant to be MB_MAXBYTES + 1 big
(22 bytes).
..snip...

I don't understand the function mb_unescape(),
but what I can see is that it can overflow buf[] by
1 byte:

mbytes.c:

3796     static char_u   buf[MB_MAXBYTES + 1];
3802     for (n = 0; str[n] != NUL && m <= MB_MAXBYTES; ++n)
...
3828         else
3829             buf[m++] = str[n];
3830         buf[m] = NUL;  <--- where it crashes
....
3838         }

Notice that we may write 2 bytes within the for loop
(at lines 3829 and 3830, for example).  So the
check at line 3802 (m <= MB_MAXBYTES) is not
enough to prevent overflows.  If m is MB_MAXBYTES
at line 3802, we enter the for loop, which may write
at buf[MB_MAXBYTES] at line 3829 and then at
buf[MB_MAXBYTES+1] at line 3830 (overflow
by 1 byte!)

This overflow can be avoided by adding one more
byte to buf:

3796     static char_u   buf[MB_MAXBYTES + 2];

But since I don't understand the function, I'm not
sure whether that's the correct fix.

I think the correct fix is to change the condition of the for loop. It
should be a strict inequality (m < MB_MAXBYTES). There is no need to
check that a character sequence one character longer than the maximum is
illegal: it always will be, and we can just skip the loop body and
return NULL in that case.

Ben.



--
You received this message from the "vim_dev" maillist.
Do not top-post! Type your reply below the text you are replying to.
For more information, visit http://www.vim.org/maillist.php
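The off-by-one discussed in this thread, as an added example that is not part of the original thread or of Vim's source: a simplified model of the copy loop with bounds-checked stores, so that the original condition (m <= MB_MAXBYTES) and the proposed strict one (m < MB_MAXBYTES) can be compared on an input one byte longer than MB_MAXBYTES without actually corrupting memory. The value of MB_MAXBYTES (21) is taken from the 22-byte buffer size quoted above; the function and struct names are the example's own.

```c
#include <stddef.h>
#include <string.h>

#define MB_MAXBYTES 21          /* buf[MB_MAXBYTES + 1] is the 22-byte array from the report */
#define BUFSIZE (MB_MAXBYTES + 1)
#define NUL '\0'

struct copy_result {
    int max_index;   /* highest index the loop tried to store to */
    int overflowed;  /* 1 if any store was at index >= BUFSIZE */
};

/* Bounds-checked store: records the index and refuses to write past the
 * buffer, so the model reports an overflow instead of triggering one. */
static void checked_put(char *buf, int idx, char c, struct copy_result *r)
{
    if (idx > r->max_index)
        r->max_index = idx;
    if (idx >= BUFSIZE) {
        r->overflowed = 1;
        return;
    }
    buf[idx] = c;
}

/* Model of the copy loop: each iteration stores one input byte and then a
 * terminating NUL (the two stores at lines 3829 and 3830 of the report).
 * strict == 0 uses the original condition  m <= MB_MAXBYTES,
 * strict == 1 uses the proposed condition  m <  MB_MAXBYTES. */
struct copy_result simulate_copy(const char *str, int strict)
{
    static char buf[BUFSIZE];
    struct copy_result r = { -1, 0 };
    int m = 0;

    for (size_t n = 0; str[n] != NUL && (strict ? m < MB_MAXBYTES : m <= MB_MAXBYTES); ++n) {
        checked_put(buf, m++, str[n], &r);  /* buf[m++] = str[n];            */
        checked_put(buf, m, NUL, &r);       /* buf[m] = NUL;  (crashing store) */
    }
    return r;
}

int loop_overflows(const char *str, int strict) { return simulate_copy(str, strict).overflowed; }
int loop_max_index(const char *str, int strict) { return simulate_copy(str, strict).max_index; }

/* Constructed input: a run of 'a' bytes of the given length (at most 63). */
const char *make_run(int len)
{
    static char s[64];
    memset(s, 'a', (size_t)len);
    s[len] = NUL;
    return s;
}
```

With an input of MB_MAXBYTES + 1 bytes the original condition lets the loop store at index MB_MAXBYTES + 1, one past the array; the strict condition stops at index MB_MAXBYTES, and inputs of at most MB_MAXBYTES bytes never overflow under either condition.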
