Patch 8.0.1421
Problem: Accessing invalid memory with overlong byte sequence.
Solution: Check for NUL character. (test by Dominique Pelle, closes #2485)
Files: src/misc2.c, src/testdir/test_functions.vim
*** ../vim-8.0.1420/src/misc2.c 2017-12-19 22:25:35.267003085 +0100
--- src/misc2.c 2017-12-22 21:02:51.826243309 +0100
***************
*** 1622,1632 ****
char_u *s;
c = utf_ptr2char(p);
uc = utf_toupper(c);
/* Reallocate string when byte count changes. This is rare,
* thus it's OK to do another malloc()/free(). */
- l = utf_ptr2len(p);
newl = utf_char2len(uc);
if (newl != l)
{
--- 1622,1638 ----
char_u *s;
c = utf_ptr2char(p);
+ l = utf_ptr2len(p);
+ if (c == 0)
+ {
+ /* overlong sequence, use only the first byte */
+ c = *p;
+ l = 1;
+ }
uc = utf_toupper(c);
/* Reallocate string when byte count changes. This is rare,
* thus it's OK to do another malloc()/free(). */
newl = utf_char2len(uc);
if (newl != l)
{
***************
*** 1685,1695 ****
char_u *s;
c = utf_ptr2char(p);
lc = utf_tolower(c);
/* Reallocate string when byte count changes. This is rare,
* thus it's OK to do another malloc()/free(). */
- l = utf_ptr2len(p);
newl = utf_char2len(lc);
if (newl != l)
{
--- 1691,1707 ----
char_u *s;
c = utf_ptr2char(p);
+ l = utf_ptr2len(p);
+ if (c == 0)
+ {
+ /* overlong sequence, use only the first byte */
+ c = *p;
+ l = 1;
+ }
lc = utf_tolower(c);
/* Reallocate string when byte count changes. This is rare,
* thus it's OK to do another malloc()/free(). */
newl = utf_char2len(lc);
if (newl != l)
{
*** ../vim-8.0.1420/src/testdir/test_functions.vim 2017-12-19
11:54:59.726923324 +0100
--- src/testdir/test_functions.vim 2017-12-22 20:28:41.730381995 +0100
***************
*** 268,273 ****
--- 268,278 ----
" Ⱥ (U+023A) and Ⱦ (U+023E) are the *only* code points to increase
" in length (2 to 3 bytes) when lowercased. So let's test them.
call assert_equal("ⱥ ⱦ", tolower("Ⱥ Ⱦ"))
+
+ " This call to tolower with invalid utf8 sequence used to cause access to
+ " invalid memory.
+ call tolower("\xC0\x80\xC0")
+ call tolower("123\xC0\x80\xC0")
endfunc
func Test_toupper()
***************
*** 338,343 ****
--- 343,353 ----
call assert_equal("ZŹŻŽƵẐẔ", toupper("ZŹŻŽƵẐẔ"))
call assert_equal("Ⱥ Ⱦ", toupper("ⱥ ⱦ"))
+
+ " This call to toupper with invalid utf8 sequence used to cause access to
+ " invalid memory.
+ call toupper("\xC0\x80\xC0")
+ call toupper("123\xC0\x80\xC0")
endfunc
" Tests for the mode() function
*** ../vim-8.0.1420/src/version.c 2017-12-21 20:54:45.133204521 +0100
--- src/version.c 2017-12-22 20:18:27.457891732 +0100
***************
*** 773,774 ****
--- 773,778 ----
{ /* Add new patch number below this line */
+ /**/
+ 1422,
/**/
1420,
/**/
--
hundred-and-one symptoms of being an internet addict:
147. You finally give up smoking...because it made the monitor dirty.
/// Bram Moolenaar -- b...@moolenaar.net -- http://www.Moolenaar.net \\\
/// sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\
\\\ an exciting new programming language -- http://www.Zimbu.org ///
\\\ help me help AIDS victims -- http://ICCF-Holland.org ///
--
--
You received this message from the "vim_dev" maillist.
Do not top-post! Type your reply below the text you are replying to.
For more information, visit http://www.vim.org/maillist.php
---
You received this message because you are subscribed to the Google Groups
"vim_dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to vim_dev+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
