Commit d2f51284 authored by Jan Edmund Lazo's avatar Jan Edmund Lazo Committed by James McCoy

vim-patch:8.1.0205: invalid memory access with invalid modeline

Problem:    Invalid memory access with invalid modeline.
Solution:   Pass pointer limit. Add a test. (closes vim/vim#3241)
https://github.com/vim/vim/commit/9cf4b5005f12ce1d6692266140bdda05d0312d79

(cherry picked from commit a72c05a6)
Signed-off-by: James McCoy's avatarJames McCoy <jamessan@debian.org>
parent e2608b70
......@@ -1200,7 +1200,7 @@ do_set (
}
len++;
if (opt_idx == -1) {
key = find_key_option(arg + 1);
key = find_key_option(arg + 1, true);
}
} else {
len = 0;
......@@ -1214,7 +1214,7 @@ do_set (
}
opt_idx = findoption_len((const char *)arg, (size_t)len);
if (opt_idx == -1) {
key = find_key_option(arg);
key = find_key_option(arg, false);
}
}
......@@ -1931,10 +1931,12 @@ static char_u *illegal_char(char_u *errbuf, size_t errbuflen, int c)
*/
static int string_to_key(char_u *arg)
{
if (*arg == '<')
return find_key_option(arg + 1);
if (*arg == '^')
if (*arg == '<') {
return find_key_option(arg + 1, true);
}
if (*arg == '^') {
return Ctrl_chr(arg[1]);
}
return *arg;
}
......@@ -4952,19 +4954,20 @@ char *set_option_value(const char *const name, const long number,
return NULL;
}
/*
* Translate a string like "t_xx", "<t_xx>" or "<S-Tab>" to a key number.
*/
int find_key_option_len(const char_u *arg, size_t len)
// Translate a string like "t_xx", "<t_xx>" or "<S-Tab>" to a key number.
// When "has_lt" is true there is a '<' before "*arg_arg".
// Returns 0 when the key is not recognized.
int find_key_option_len(const char_u *arg_arg, size_t len, bool has_lt)
{
int key;
int key = 0;
int modifiers;
const char_u *arg = arg_arg;
// Don't use get_special_key_code() for t_xx, we don't want it to call
// add_termcap_entry().
if (len >= 4 && arg[0] == 't' && arg[1] == '_') {
key = TERMCAP2KEY(arg[2], arg[3]);
} else {
} else if (has_lt) {
arg--; // put arg at the '<'
modifiers = 0;
key = find_special_key(&arg, len + 1, &modifiers, true, true, false);
......@@ -4975,9 +4978,9 @@ int find_key_option_len(const char_u *arg, size_t len)
return key;
}
static int find_key_option(const char_u *arg)
static int find_key_option(const char_u *arg, bool has_lt)
{
return find_key_option_len(arg, STRLEN(arg));
return find_key_option_len(arg, STRLEN(arg), has_lt);
}
/*
......
......@@ -28,6 +28,7 @@ source test_lambda.vim
source test_mapping.vim
source test_menu.vim
source test_messages.vim
source test_modeline.vim
source test_move.vim
source test_partial.vim
source test_popup.vim
......
" Tests for parsing the modeline.
func Test_modeline_invalid()
let modeline = &modeline
set modeline
call assert_fails('set Xmodeline', 'E518:')
" This was reading before allocated memory.
call writefile(['vi:0', 'nothing'], 'Xmodeline')
let modeline = &modeline
set modeline
call assert_fails('set Xmodeline', 'E518:')
let &modeline = modeline
bwipe!
call delete('Xmodeline')
let &modeline = modeline
bwipe!
call delete('Xmodeline')
endfunc
func Test_modeline_filetype()
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment