Patch 8.2.4255
Problem: Theoretical computation overflow.
Solution: Perform multiplication in a wider type. (closes #9657)
Files: src/alloc.c, src/drawline.c, src/eval.c, src/evalfunc.c,
src/ex_docmd.c, src/hardcopy.c, src/list.c, src/memfile.c,
src/memline.c, src/popupwin.c
*** ../vim-8.2.4254/src/alloc.c 2022-01-26 16:45:16.930506772 +0000
--- src/alloc.c 2022-01-29 15:15:44.657344407 +0000
***************
*** 737,747 ****
if (n < gap->ga_len / 2)
n = gap->ga_len / 2;
! new_len = gap->ga_itemsize * (gap->ga_len + n);
pp = vim_realloc(gap->ga_data, new_len);
if (pp == NULL)
return FAIL;
! old_len = gap->ga_itemsize * gap->ga_maxlen;
vim_memset(pp + old_len, 0, new_len - old_len);
gap->ga_maxlen = gap->ga_len + n;
gap->ga_data = pp;
--- 737,747 ----
if (n < gap->ga_len / 2)
n = gap->ga_len / 2;
! new_len = (size_t)gap->ga_itemsize * (gap->ga_len + n);
pp = vim_realloc(gap->ga_data, new_len);
if (pp == NULL)
return FAIL;
! old_len = (size_t)gap->ga_itemsize * gap->ga_maxlen;
vim_memset(pp + old_len, 0, new_len - old_len);
gap->ga_maxlen = gap->ga_len + n;
gap->ga_data = pp;
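Review bot: The cast on `new_len = (size_t)gap->ga_itemsize * (gap->ga_len + n);` widens only the multiplication; the parenthesised sum `gap->ga_len + n` is still evaluated in the operands' own type (presumably int, given the `ga_len / 2` arithmetic just above) and is then stored unwidened into `gap->ga_maxlen` two lines later, so a sum that overflows int is not covered by this change. If the aim is to close the overflow entirely, a guard before the multiply such as `if (n > INT_MAX - gap->ga_len) return FAIL;` would do it; otherwise a one-line comment stating that callers bound `n` would document the remaining assumption. The same shape appears in the eval.c hunk (`new_len = (size_t)exestack.ga_itemsize * (exestack.ga_len + n);`). The enclosing function starts and ends outside the hunk.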
*** ../vim-8.2.4254/src/drawline.c 2022-01-28 15:28:00.200927841 +0000
--- src/drawline.c 2022-01-29 15:17:03.196184476 +0000
***************
*** 2800,2806 ****
if (((wp->w_p_cuc
&& (int)wp->w_virtcol >= VCOL_HLC - eol_hl_off
&& (int)wp->w_virtcol <
! wp->w_width * (row - startrow + 1) + v
&& lnum != wp->w_cursor.lnum)
|| draw_color_col
|| win_attr != 0)
--- 2800,2806 ----
if (((wp->w_p_cuc
&& (int)wp->w_virtcol >= VCOL_HLC - eol_hl_off
&& (int)wp->w_virtcol <
! (long)wp->w_width * (row - startrow + 1) + v
&& lnum != wp->w_cursor.lnum)
|| draw_color_col
|| win_attr != 0)
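Review bot: The `(long)` cast in `(long)wp->w_width * (row - startrow + 1) + v` is a widening only where `long` is wider than `int`; on LLP64 targets (64-bit Windows) `long` is 32 bits, so there the product is still computed in 32 bits. For a window width times a row count this is harmless, but if the intent is to silence a static-analysis finding portably, a comment such as `// (long) is not wider than int on LLP64; the product is screen-bounded` on this line would record why that is acceptable. The same consideration applies to `(long)ffdos * ...` in the memline.c hunk and, assuming `linenr_T` is `long`, to `(linenr_T)height * height` in the popupwin.c scrollbar hunk. The enclosing condition continues outside the hunk.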
*** ../vim-8.2.4254/src/eval.c 2022-01-26 21:17:00.552771590 +0000
--- src/eval.c 2022-01-29 15:15:44.657344407 +0000
***************
*** 4632,4638 ****
// Don't make it bigger though.
if (exestack.ga_len + n < exestack.ga_maxlen)
{
! new_len = exestack.ga_itemsize * (exestack.ga_len + n);
pp = vim_realloc(exestack.ga_data, new_len);
if (pp == NULL)
return FAIL;
--- 4632,4638 ----
// Don't make it bigger though.
if (exestack.ga_len + n < exestack.ga_maxlen)
{
! new_len = (size_t)exestack.ga_itemsize * (exestack.ga_len + n);
pp = vim_realloc(exestack.ga_data, new_len);
if (pp == NULL)
return FAIL;
*** ../vim-8.2.4254/src/evalfunc.c 2022-01-29 13:06:19.340028690 +0000
--- src/evalfunc.c 2022-01-29 15:15:44.657344407 +0000
***************
*** 7327,7333 ****
if ((l->lv_u.nonmat.lv_stride > 0) ^ domax)
n = l->lv_u.nonmat.lv_start;
else
! n = l->lv_u.nonmat.lv_start + (l->lv_len - 1)
* l->lv_u.nonmat.lv_stride;
}
else
--- 7327,7333 ----
if ((l->lv_u.nonmat.lv_stride > 0) ^ domax)
n = l->lv_u.nonmat.lv_start;
else
! n = l->lv_u.nonmat.lv_start + ((varnumber_T)l->lv_len - 1)
* l->lv_u.nonmat.lv_stride;
}
else
*** ../vim-8.2.4254/src/ex_docmd.c 2022-01-28 15:28:00.208927722 +0000
--- src/ex_docmd.c 2022-01-29 15:15:44.661344350 +0000
***************
*** 4738,4744 ****
while ((pos = (char_u *)strstr((char *)pos + 2, "$*")) != NULL)
++i;
len = (int)STRLEN(p);
! new_cmdline = alloc(STRLEN(program) + i * (len - 2) + 1);
if (new_cmdline == NULL)
return NULL; // out of memory
ptr = new_cmdline;
--- 4738,4744 ----
while ((pos = (char_u *)strstr((char *)pos + 2, "$*")) != NULL)
++i;
len = (int)STRLEN(p);
! new_cmdline = alloc(STRLEN(program) + (size_t)i * (len - 2) + 1);
if (new_cmdline == NULL)
return NULL; // out of memory
ptr = new_cmdline;
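Review bot: `(size_t)i * (len - 2)` yields the right allocation size only through unsigned wraparound when `len < 2`: `len - 2` is then a negative int that converts to a huge size_t, and the sum is correct modulo SIZE_MAX + 1 solely because each `$*` occurrence already contributes two bytes to `STRLEN(program)`. That invariant is not stated near the line; a comment like `// len - 2 may be negative: each "$*" already counts 2 bytes in STRLEN(program), so the unsigned wrap cancels` would keep the next reader from "fixing" it into a signed computation. Where `p` (and so `len`) comes from is outside the hunk, so whether `len` can actually be below 2 is inferred rather than visible here.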
*** ../vim-8.2.4254/src/hardcopy.c 2022-01-08 16:19:18.505639885 +0000
--- src/hardcopy.c 2022-01-29 15:17:41.423620153 +0000
***************
*** 2769,2777 ****
// derive the bbox from that point. We have the expected cpl chars
// across the media and lpp lines down the media.
bbox[1] = (int)(top - (psettings->lines_per_page + prt_header_height())
! * prt_line_height);
! bbox[2] = (int)(left + psettings->chars_per_line * prt_char_width
! + 0.5);
bbox[3] = (int)(top + 0.5);
}
else
--- 2769,2777 ----
// derive the bbox from that point. We have the expected cpl chars
// across the media and lpp lines down the media.
bbox[1] = (int)(top - (psettings->lines_per_page + prt_header_height())
! * (double)prt_line_height);
! bbox[2] = (int)(left + psettings->chars_per_line
! * (double)prt_char_width + 0.5);
bbox[3] = (int)(top + 0.5);
}
else
***************
*** 2782,2789 ****
bbox[1] = (int)bottom;
bbox[2] = (int)(left + ((psettings->lines_per_page
+ prt_header_height()) * prt_line_height) + 0.5);
! bbox[3] = (int)(bottom + psettings->chars_per_line * prt_char_width
! + 0.5);
}
prt_dsc_ints("BoundingBox", 4, bbox);
// The media width and height does not change with landscape printing!
--- 2782,2789 ----
bbox[1] = (int)bottom;
bbox[2] = (int)(left + ((psettings->lines_per_page
+ prt_header_height()) * prt_line_height) + 0.5);
! bbox[3] = (int)(bottom + psettings->chars_per_line
! * (double)prt_char_width + 0.5);
}
prt_dsc_ints("BoundingBox", 4, bbox);
// The media width and height does not change with landscape printing!
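Review bot: The `bbox[2]` expression in this hunk still multiplies `(psettings->lines_per_page + prt_header_height()) * prt_line_height` without the `(double)` cast that the same product received for `bbox[1]` in the previous hunk, so the two bounding-box computations now promote to different floating types. If `prt_line_height` is a float, as the cast in the earlier hunk suggests, changing the line to `+ prt_header_height()) * (double)prt_line_height) + 0.5);` keeps the portrait and landscape branches consistent. The enclosing if/else starts outside the hunk.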
***************
*** 2797,2803 ****
if (prt_out_mbyte)
{
prt_dsc_font_resource((prt_use_courier ? NULL
! : "DocumentNeededResources"), &prt_ps_mb_font);
if (!prt_custom_cmap)
prt_dsc_resources(NULL, "cmap", prt_cmap);
}
--- 2797,2803 ----
if (prt_out_mbyte)
{
prt_dsc_font_resource((prt_use_courier ? NULL
! : "DocumentNeededResources"), &prt_ps_mb_font);
if (!prt_custom_cmap)
prt_dsc_resources(NULL, "cmap", prt_cmap);
}
*** ../vim-8.2.4254/src/list.c 2022-01-27 17:37:37.759862584 +0000
--- src/list.c 2022-01-29 15:15:44.661344350 +0000
***************
*** 2902,2908 ****
if (l->lv_first == &range_list_item)
{
varnumber_T new_start = l->lv_u.nonmat.lv_start
! + (l->lv_len - 1) * l->lv_u.nonmat.lv_stride;
l->lv_u.nonmat.lv_end = new_start
- (l->lv_u.nonmat.lv_end - l->lv_u.nonmat.lv_start);
l->lv_u.nonmat.lv_start = new_start;
--- 2902,2908 ----
if (l->lv_first == &range_list_item)
{
varnumber_T new_start = l->lv_u.nonmat.lv_start
! + ((varnumber_T)l->lv_len - 1) * l->lv_u.nonmat.lv_stride;
l->lv_u.nonmat.lv_end = new_start
- (l->lv_u.nonmat.lv_end - l->lv_u.nonmat.lv_start);
l->lv_u.nonmat.lv_start = new_start;
*** ../vim-8.2.4254/src/memfile.c 2022-01-02 17:00:37.002093302 +0000
--- src/memfile.c 2022-01-29 15:18:21.579027565 +0000
***************
*** 249,255 ****
// free entries in used list
for (hp = mfp->mf_used_first; hp != NULL; hp = nextp)
{
! total_mem_used -= hp->bh_page_count * mfp->mf_page_size;
nextp = hp->bh_next;
mf_free_bhdr(hp);
}
--- 249,255 ----
// free entries in used list
for (hp = mfp->mf_used_first; hp != NULL; hp = nextp)
{
! total_mem_used -= (long_u)hp->bh_page_count * mfp->mf_page_size;
nextp = hp->bh_next;
mf_free_bhdr(hp);
}
***************
*** 359,365 ****
}
else if (hp == NULL) // need to allocate memory for this block
{
! if ((p = alloc(mfp->mf_page_size * page_count)) == NULL)
return NULL;
hp = mf_rem_free(mfp);
hp->bh_data = p;
--- 359,365 ----
}
else if (hp == NULL) // need to allocate memory for this block
{
! if ((p = alloc((size_t)mfp->mf_page_size * page_count)) == NULL)
return NULL;
hp = mf_rem_free(mfp);
hp->bh_data = p;
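Review bot: `alloc((size_t)mfp->mf_page_size * page_count)` now appears verbatim in this hunk and in the two later memfile.c hunks (the `hp->bh_data = ...` sites), each time with the cast written by hand. A small file-scope helper, e.g. `static char_u *mf_alloc_pages(memfile_T *mfp, int page_count) { return alloc((size_t)mfp->mf_page_size * page_count); }`, would keep the widening in one place so a later edit cannot drop it at one site only; the `(long_u)` products on `total_mem_used` have the same three-site shape. This is a style point only; the new code is correct as written. The enclosing functions begin outside the hunk.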
***************
*** 718,724 ****
else
hp->bh_next->bh_prev = hp;
mfp->mf_used_count += hp->bh_page_count;
! total_mem_used += hp->bh_page_count * mfp->mf_page_size;
}
/*
--- 718,724 ----
else
hp->bh_next->bh_prev = hp;
mfp->mf_used_count += hp->bh_page_count;
! total_mem_used += (long_u)hp->bh_page_count * mfp->mf_page_size;
}
/*
***************
*** 736,742 ****
else
hp->bh_prev->bh_next = hp->bh_next;
mfp->mf_used_count -= hp->bh_page_count;
! total_mem_used -= hp->bh_page_count * mfp->mf_page_size;
}
/*
--- 736,742 ----
else
hp->bh_prev->bh_next = hp->bh_next;
mfp->mf_used_count -= hp->bh_page_count;
! total_mem_used -= (long_u)hp->bh_page_count * mfp->mf_page_size;
}
/*
***************
*** 814,820 ****
if (hp->bh_page_count != page_count)
{
vim_free(hp->bh_data);
! if ((hp->bh_data = alloc(mfp->mf_page_size * page_count)) == NULL)
{
vim_free(hp);
return NULL;
--- 814,821 ----
if (hp->bh_page_count != page_count)
{
vim_free(hp->bh_data);
! if ((hp->bh_data = alloc((size_t)mfp->mf_page_size * page_count))
! == NULL)
{
vim_free(hp);
return NULL;
***************
*** 881,887 ****
if ((hp = ALLOC_ONE(bhdr_T)) != NULL)
{
! if ((hp->bh_data = alloc(mfp->mf_page_size * page_count)) == NULL)
{
vim_free(hp); // not enough memory
return NULL;
--- 882,889 ----
if ((hp = ALLOC_ONE(bhdr_T)) != NULL)
{
! if ((hp->bh_data = alloc((size_t)mfp->mf_page_size * page_count))
! == NULL)
{
vim_free(hp); // not enough memory
return NULL;
*** ../vim-8.2.4254/src/memline.c 2022-01-28 15:28:00.208927722 +0000
--- src/memline.c 2022-01-29 15:18:37.106798465 +0000
***************
*** 5778,5784 ****
&& lnum >= curline + buf->b_ml.ml_chunksize[curix].mlcs_numlines)
|| (offset != 0
&& offset > size + buf->b_ml.ml_chunksize[curix].mlcs_totalsize
! + ffdos * buf->b_ml.ml_chunksize[curix].mlcs_numlines)))
{
curline += buf->b_ml.ml_chunksize[curix].mlcs_numlines;
size += buf->b_ml.ml_chunksize[curix].mlcs_totalsize;
--- 5778,5784 ----
&& lnum >= curline + buf->b_ml.ml_chunksize[curix].mlcs_numlines)
|| (offset != 0
&& offset > size + buf->b_ml.ml_chunksize[curix].mlcs_totalsize
! + (long)ffdos * buf->b_ml.ml_chunksize[curix].mlcs_numlines)))
{
curline += buf->b_ml.ml_chunksize[curix].mlcs_numlines;
size += buf->b_ml.ml_chunksize[curix].mlcs_totalsize;
*** ../vim-8.2.4254/src/popupwin.c 2022-01-06 21:41:07.653593304 +0000
--- src/popupwin.c 2022-01-29 15:18:53.342558949 +0000
***************
*** 3427,3433 ****
return; // cache is still valid
vim_free(wp->w_popup_mask_cells);
! wp->w_popup_mask_cells = alloc_clear(width * height);
if (wp->w_popup_mask_cells == NULL)
return;
cells = wp->w_popup_mask_cells;
--- 3427,3433 ----
return; // cache is still valid
vim_free(wp->w_popup_mask_cells);
! wp->w_popup_mask_cells = alloc_clear((size_t)width * height);
if (wp->w_popup_mask_cells == NULL)
return;
cells = wp->w_popup_mask_cells;
***************
*** 3639,3645 ****
mask = popup_mask;
else
mask = popup_mask_next;
! vim_memset(mask, 0, screen_Rows * screen_Columns * sizeof(short));
// Find the window with the lowest zindex that hasn't been handled yet,
// so that the window with a higher zindex overwrites the value in
--- 3639,3645 ----
mask = popup_mask;
else
mask = popup_mask_next;
! vim_memset(mask, 0, (size_t)screen_Rows * screen_Columns * sizeof(short));
// Find the window with the lowest zindex that hasn't been handled yet,
// so that the window with a higher zindex overwrites the value in
***************
*** 4008,4014 ****
linenr_T linecount = wp->w_buffer->b_ml.ml_line_count;
int height = wp->w_height;
! sb_thumb_height = (height * height + linecount / 2) / linecount;
if (wp->w_topline > 1 && sb_thumb_height == height)
--sb_thumb_height; // scrolled, no full thumb
if (sb_thumb_height == 0)
--- 4008,4015 ----
linenr_T linecount = wp->w_buffer->b_ml.ml_line_count;
int height = wp->w_height;
! sb_thumb_height = ((linenr_T)height * height + linecount / 2)
! / linecount;
if (wp->w_topline > 1 && sb_thumb_height == height)
--sb_thumb_height; // scrolled, no full thumb
if (sb_thumb_height == 0)
*** ../vim-8.2.4254/src/version.c 2022-01-29 15:12:35.172146951 +0000
--- src/version.c 2022-01-29 15:15:21.637684547 +0000
***************
*** 752,753 ****
--- 752,755 ----
{ /* Add new patch number below this line */
+ /**/
+ 4255,
/**/
--
LARGE MAN: Who's that then?
CART DRIVER: (Grudgingly) I dunno, Must be a king.
LARGE MAN: Why?
CART DRIVER: He hasn't got shit all over him.
"Monty Python and the Holy Grail" PYTHON (MONTY) PICTURES LTD
/// Bram Moolenaar -- [email protected] -- http://www.Moolenaar.net \\\
/// \\\
\\\ sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ ///
\\\ help me help AIDS victims -- http://ICCF-Holland.org ///