Patch 8.2.4245
Problem: ":retab 0" may cause illegal memory access.
Solution: Limit the value of 'tabstop' to 10000.
Files: src/option.c, src/vim.h, src/indent.c,
src/testdir/test_options.vim
*** ../vim-8.2.4244/src/option.c 2022-01-28 15:28:00.212927659 +0000
--- src/option.c 2022-01-28 20:36:47.009469689 +0000
***************
*** 3752,3757 ****
--- 3752,3762 ----
errmsg = e_argument_must_be_positive;
curbuf->b_p_ts = 8;
}
+ else if (curbuf->b_p_ts > TABSTOP_MAX)
+ {
+ errmsg = e_invalid_argument;
+ curbuf->b_p_ts = 8;
+ }
if (p_tm < 0)
{
errmsg = e_argument_must_be_positive;
***************
*** 5983,5989 ****
if (p_vsts && p_vsts != empty_option)
(void)tabstop_set(p_vsts, &buf->b_p_vsts_array);
else
! buf->b_p_vsts_array = 0;
buf->b_p_vsts_nopaste = p_vsts_nopaste
? vim_strsave(p_vsts_nopaste) : NULL;
#endif
--- 5988,5994 ----
if (p_vsts && p_vsts != empty_option)
(void)tabstop_set(p_vsts, &buf->b_p_vsts_array);
else
! buf->b_p_vsts_array = NULL;
buf->b_p_vsts_nopaste = p_vsts_nopaste
? vim_strsave(p_vsts_nopaste) : NULL;
#endif
***************
*** 6803,6811 ****
if (buf->b_p_vsts)
free_string_option(buf->b_p_vsts);
buf->b_p_vsts = empty_option;
! if (buf->b_p_vsts_array)
! vim_free(buf->b_p_vsts_array);
! buf->b_p_vsts_array = 0;
#endif
}
--- 6808,6814 ----
if (buf->b_p_vsts)
free_string_option(buf->b_p_vsts);
buf->b_p_vsts = empty_option;
! VIM_CLEAR(buf->b_p_vsts_array);
#endif
}
***************
*** 6851,6862 ****
free_string_option(buf->b_p_vsts);
buf->b_p_vsts = buf->b_p_vsts_nopaste
? vim_strsave(buf->b_p_vsts_nopaste) : empty_option;
! if (buf->b_p_vsts_array)
! vim_free(buf->b_p_vsts_array);
if (buf->b_p_vsts && buf->b_p_vsts != empty_option)
(void)tabstop_set(buf->b_p_vsts, &buf->b_p_vsts_array);
else
! buf->b_p_vsts_array = 0;
#endif
}
--- 6854,6864 ----
free_string_option(buf->b_p_vsts);
buf->b_p_vsts = buf->b_p_vsts_nopaste
? vim_strsave(buf->b_p_vsts_nopaste) : empty_option;
! vim_free(buf->b_p_vsts_array);
if (buf->b_p_vsts && buf->b_p_vsts != empty_option)
(void)tabstop_set(buf->b_p_vsts, &buf->b_p_vsts_array);
else
! buf->b_p_vsts_array = NULL;
#endif
}
*** ../vim-8.2.4244/src/vim.h 2022-01-26 11:16:48.659593594 +0000
--- src/vim.h 2022-01-28 20:34:57.099104517 +0000
***************
*** 2085,2090 ****
--- 2085,2092 ----
#define DICT_MAXNEST 100 // maximum nesting of lists and dicts
+ #define TABSTOP_MAX 9999
+
#ifdef FEAT_CLIPBOARD
// VIM_ATOM_NAME is the older Vim-specific selection type for X11. Still
*** ../vim-8.2.4244/src/indent.c 2022-01-22 20:31:56.315870158 +0000
--- src/indent.c 2022-01-28 20:36:16.733919854 +0000
***************
*** 71,77 ****
int n = atoi((char *)cp);
// Catch negative values, overflow and ridiculous big values.
! if (n < 0 || n > 9999)
{
semsg(_(e_invalid_argument_str), cp);
vim_free(*array);
--- 71,77 ----
int n = atoi((char *)cp);
// Catch negative values, overflow and ridiculous big values.
! if (n < 0 || n > TABSTOP_MAX)
{
semsg(_(e_invalid_argument_str), cp);
vim_free(*array);
***************
*** 1649,1655 ****
emsg(_(e_argument_must_be_positive));
return;
}
! if (new_ts < 0 || new_ts > 9999)
{
semsg(_(e_invalid_argument_str), eap->arg);
return;
--- 1649,1655 ----
emsg(_(e_argument_must_be_positive));
return;
}
! if (new_ts < 0 || new_ts > TABSTOP_MAX)
{
semsg(_(e_invalid_argument_str), eap->arg);
return;
*** ../vim-8.2.4244/src/testdir/test_options.vim 2021-12-11
12:26:55.924402407 +0000
--- src/testdir/test_options.vim 2022-01-28 20:32:39.641150821 +0000
***************
*** 368,373 ****
--- 368,375 ----
call assert_fails('set shiftwidth=-1', 'E487:')
call assert_fails('set sidescroll=-1', 'E487:')
call assert_fails('set tabstop=-1', 'E487:')
+ call assert_fails('set tabstop=10000', 'E474:')
+ call assert_fails('set tabstop=5500000000', 'E474:')
call assert_fails('set textwidth=-1', 'E487:')
call assert_fails('set timeoutlen=-1', 'E487:')
call assert_fails('set updatecount=-1', 'E487:')
*** ../vim-8.2.4244/src/version.c 2022-01-28 18:54:10.125520952 +0000
--- src/version.c 2022-01-28 20:30:00.275526431 +0000
***************
*** 752,753 ****
--- 752,755 ----
{ /* Add new patch number below this line */
+ /**/
+ 4245,
/**/
--
Clothes make the man. Naked people have little or no influence on society.
-- Mark Twain (Samuel Clemens) (1835-1910)
/// Bram Moolenaar -- [email protected] -- http://www.Moolenaar.net \\\
/// \\\
\\\ sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ ///
\\\ help me help AIDS victims -- http://ICCF-Holland.org ///
--
--
You received this message from the "vim_dev" maillist.
Do not top-post! Type your reply below the text you are replying to.
For more information, visit http://www.vim.org/maillist.php
---
You received this message because you are subscribed to the Google Groups
"vim_dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion on the web visit
https://groups.google.com/d/msgid/vim_dev/20220128204930.BBB941C1908%40moolenaar.net.
