Patch 8.0.0537

Bram Moolenaar Sun, 02 Apr 2017 06:46:12 -0700

Patch 8.0.0537
Problem:    Illegal memory access with :z and large count.
Solution:   Check for number overflow, using long instead of int. (Dominique
            Pelle, closes #1612)
Files:      src/Makefile, src/ex_cmds.c, src/testdir/test_alot.vim,
            src/testdir/test_ex_z.vim



*** ../vim-8.0.0536/src/Makefile        2017-03-29 19:20:25.385015086 +0200
--- src/Makefile        2017-04-02 15:40:36.983518442 +0200
***************
*** 2122,2131 ****
        test_delete \
        test_diffmode \
        test_digraph \
-       test_functions \
        test_display \
        test_edit \
        test_ex_undo \
        test_execute_func \
        test_expand \
        test_expand_dllpath \
--- 2123,2132 ----
        test_delete \
        test_diffmode \
        test_digraph \
        test_display \
        test_edit \
        test_ex_undo \
+       test_ex_z \
        test_execute_func \
        test_expand \
        test_expand_dllpath \
***************
*** 2142,2147 ****
--- 2143,2149 ----
        test_fnameescape \
        test_fnamemodify \
        test_fold \
+       test_functions \
        test_ga \
        test_gf \
        test_glob2regpat \
*** ../vim-8.0.0536/src/ex_cmds.c       2017-03-26 13:50:02.536929400 +0200
--- src/ex_cmds.c       2017-04-02 15:41:44.443096865 +0200
***************
*** 4564,4570 ****
  ex_z(exarg_T *eap)
  {
      char_u    *x;
!     int               bigness;
      char_u    *kind;
      int               minus = 0;
      linenr_T  start, end, curs, i;
--- 4564,4570 ----
  ex_z(exarg_T *eap)
  {
      char_u    *x;
!     long      bigness;
      char_u    *kind;
      int               minus = 0;
      linenr_T  start, end, curs, i;
***************
*** 4601,4607 ****
        }
        else
        {
!           bigness = atoi((char *)x);
            p_window = bigness;
            if (*kind == '=')
                bigness += 2;
--- 4601,4612 ----
        }
        else
        {
!           bigness = atol((char *)x);
! 
!           /* bigness could be < 0 if atol(x) overflows. */
!           if (bigness > 2 * curbuf->b_ml.ml_line_count || bigness < 0)
!               bigness = 2 * curbuf->b_ml.ml_line_count;
! 
            p_window = bigness;
            if (*kind == '=')
                bigness += 2;
*** ../vim-8.0.0536/src/testdir/test_alot.vim   2017-03-29 19:20:25.389015062 
+0200
--- src/testdir/test_alot.vim   2017-04-02 15:40:56.999392658 +0200
***************
*** 8,17 ****
  source test_cursor_func.vim
  source test_delete.vim
  source test_ex_undo.vim
  source test_execute_func.vim
  source test_expand.vim
- source test_expr.vim
  source test_expand_dllpath.vim
  source test_feedkeys.vim
  source test_file_perm.vim
  source test_fileformat.vim
--- 8,18 ----
  source test_cursor_func.vim
  source test_delete.vim
  source test_ex_undo.vim
+ source test_ex_z.vim
  source test_execute_func.vim
  source test_expand.vim
  source test_expand_dllpath.vim
+ source test_expr.vim
  source test_feedkeys.vim
  source test_file_perm.vim
  source test_fileformat.vim
***************
*** 30,38 ****
  source test_jumps.vim
  source test_lambda.vim
  source test_lispwords.vim
  source test_match.vim
  source test_menu.vim
- source test_mapping.vim
  source test_messages.vim
  source test_partial.vim
  source test_popup.vim
--- 31,39 ----
  source test_jumps.vim
  source test_lambda.vim
  source test_lispwords.vim
+ source test_mapping.vim
  source test_match.vim
  source test_menu.vim
  source test_messages.vim
  source test_partial.vim
  source test_popup.vim
*** ../vim-8.0.0536/src/testdir/test_ex_z.vim   2017-04-02 15:44:23.726105152 
+0200
--- src/testdir/test_ex_z.vim   2017-04-02 15:43:05.010595003 +0200
***************
*** 0 ****
--- 1,78 ----
+ " Test :z
+ 
+ func Test_z()
+   call setline(1, range(1, 100))
+ 
+   let a = execute('20z3')
+   call assert_equal("\n20\n21\n22", a)
+   call assert_equal(22, line('.'))
+   " 'window' should be set to the {count} value.
+   call assert_equal(3, &window)
+ 
+   " If there is only one window, then twice the amount of 'scroll' is used.
+   set scroll=2
+   let a = execute('20z')
+   call assert_equal("\n20\n21\n22\n23", a)
+   call assert_equal(23, line('.'))
+ 
+   let a = execute('20z+3')
+   " FIXME: I would expect the same result as '20z3' but it
+   " gives "\n21\n22\n23" instead. Bug in Vim or in ":help :z"?
+   "call assert_equal("\n20\n21\n22", a)
+   "call assert_equal(22, line('.'))
+ 
+   let a = execute('20z-3')
+   call assert_equal("\n18\n19\n20", a)
+   call assert_equal(20, line('.'))
+ 
+   let a = execute('20z=3')
+   call assert_match("^\n18\n19\n-\\+\n20\n-\\+\n21\n22$", a)
+   call assert_equal(20, line('.'))
+ 
+   let a = execute('20z^3')
+   call assert_equal("\n14\n15\n16\n17", a)
+   call assert_equal(17, line('.'))
+ 
+   let a = execute('20z.3')
+   call assert_equal("\n19\n20\n21", a)
+   call assert_equal(21, line('.'))
+ 
+   let a = execute('20z#3')
+   call assert_equal("\n 20 20\n 21 21\n 22 22", a)
+   call assert_equal(22, line('.'))
+ 
+   let a = execute('20z#-3')
+   call assert_equal("\n 18 18\n 19 19\n 20 20", a)
+   call assert_equal(20, line('.'))
+ 
+   let a = execute('20z#=3')
+   call assert_match("^\n 18 18\n 19 19\n-\\+\n 20 20\n-\\+\n 21 21\n 22 22$", 
a)
+   call assert_equal(20, line('.'))
+ 
+   " Test with {count} bigger than the number of lines in buffer.
+   let a = execute('20z1000')
+   call assert_match("^\n20\n21\n.*\n99\n100$", a)
+   call assert_equal(100, line('.'))
+ 
+   let a = execute('20z-1000')
+   call assert_match("^\n1\n2\n.*\n19\n20$", a)
+   call assert_equal(20, line('.'))
+ 
+   let a = execute('20z=1000')
+   call assert_match("^\n1\n.*\n-\\+\n20\n-\\\+\n.*\n100$", a)
+   call assert_equal(20, line('.'))
+ 
+   call assert_fails('20z=a', 'E144:')
+ 
+   set window& scroll&
+   bw!
+ endfunc
+ 
+ func Test_z_bug()
+   " This used to access invalid memory as a result of an integer overflow
+   " and freeze vim.
+   normal ox
+   normal Heat
+   z777777776666666
+   ')
+ endfunc
*** ../vim-8.0.0536/src/version.c       2017-04-02 15:15:44.825083189 +0200
--- src/version.c       2017-04-02 15:43:45.854340777 +0200
***************
*** 766,767 ****
--- 766,769 ----
  {   /* Add new patch number below this line */
+ /**/
+     537,
  /**/

-- 
hundred-and-one symptoms of being an internet addict:
256. You are able to write down over 250 symptoms of being an internet
     addict, even though they only asked for 101.

 /// Bram Moolenaar -- [email protected] -- http://www.Moolenaar.net   \\\
///        sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\
\\\  an exciting new programming language -- http://www.Zimbu.org        ///
 \\\            help me help AIDS victims -- http://ICCF-Holland.org    ///

-- 
-- 
You received this message from the "vim_dev" maillist.
Do not top-post! Type your reply below the text you are replying to.
For more information, visit http://www.vim.org/maillist.php

--- 
You received this message because you are subscribed to the Google Groups 
"vim_dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
For more options, visit https://groups.google.com/d/optout.

Patch 8.0.0537

Raspunde prin e-mail lui