To: vim_dev@googlegroups.com Subject: Patch 8.0.0537 Fcc: outbox From: Bram Moolenaar Mime-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ------------ Patch 8.0.0537 Problem: Illegal memory access with :z and large count. Solution: Check for number overflow, using long instead of int. (Dominique Pelle, closes #1612) Files: src/Makefile, src/ex_cmds.c, src/testdir/test_alot.vim, src/testdir/test_ex_z.vim *** ../vim-8.0.0536/src/Makefile 2017-03-29 19:20:25.385015086 +0200 --- src/Makefile 2017-04-02 15:40:36.983518442 +0200 *************** *** 2122,2131 **** test_delete \ test_diffmode \ test_digraph \ - test_functions \ test_display \ test_edit \ test_ex_undo \ test_execute_func \ test_expand \ test_expand_dllpath \ --- 2123,2132 ---- test_delete \ test_diffmode \ test_digraph \ test_display \ test_edit \ test_ex_undo \ + test_ex_z \ test_execute_func \ test_expand \ test_expand_dllpath \ *************** *** 2142,2147 **** --- 2143,2149 ---- test_fnameescape \ test_fnamemodify \ test_fold \ + test_functions \ test_ga \ test_gf \ test_glob2regpat \ *** ../vim-8.0.0536/src/ex_cmds.c 2017-03-26 13:50:02.536929400 +0200 --- src/ex_cmds.c 2017-04-02 15:41:44.443096865 +0200 *************** *** 4564,4570 **** ex_z(exarg_T *eap) { char_u *x; ! int bigness; char_u *kind; int minus = 0; linenr_T start, end, curs, i; --- 4564,4570 ---- ex_z(exarg_T *eap) { char_u *x; ! long bigness; char_u *kind; int minus = 0; linenr_T start, end, curs, i; *************** *** 4601,4607 **** } else { ! bigness = atoi((char *)x); p_window = bigness; if (*kind == '=') bigness += 2; --- 4601,4612 ---- } else { ! bigness = atol((char *)x); ! ! /* bigness could be < 0 if atol(x) overflows. */ ! if (bigness > 2 * curbuf->b_ml.ml_line_count || bigness < 0) ! bigness = 2 * curbuf->b_ml.ml_line_count; ! p_window = bigness; if (*kind == '=') bigness += 2; *** ../vim-8.0.0536/src/testdir/test_alot.vim 2017-03-29 19:20:25.389015062 +0200 --- src/testdir/test_alot.vim 2017-04-02 15:40:56.999392658 +0200 *************** *** 8,17 **** source test_cursor_func.vim source test_delete.vim source test_ex_undo.vim source test_execute_func.vim source test_expand.vim - source test_expr.vim source test_expand_dllpath.vim source test_feedkeys.vim source test_file_perm.vim source test_fileformat.vim --- 8,18 ---- source test_cursor_func.vim source test_delete.vim source test_ex_undo.vim + source test_ex_z.vim source test_execute_func.vim source test_expand.vim source test_expand_dllpath.vim + source test_expr.vim source test_feedkeys.vim source test_file_perm.vim source test_fileformat.vim *************** *** 30,38 **** source test_jumps.vim source test_lambda.vim source test_lispwords.vim source test_match.vim source test_menu.vim - source test_mapping.vim source test_messages.vim source test_partial.vim source test_popup.vim --- 31,39 ---- source test_jumps.vim source test_lambda.vim source test_lispwords.vim + source test_mapping.vim source test_match.vim source test_menu.vim source test_messages.vim source test_partial.vim source test_popup.vim *** ../vim-8.0.0536/src/testdir/test_ex_z.vim 2017-04-02 15:44:23.726105152 +0200 --- src/testdir/test_ex_z.vim 2017-04-02 15:43:05.010595003 +0200 *************** *** 0 **** --- 1,78 ---- + " Test :z + + func Test_z() + call setline(1, range(1, 100)) + + let a = execute('20z3') + call assert_equal("\n20\n21\n22", a) + call assert_equal(22, line('.')) + " 'window' should be set to the {count} value. + call assert_equal(3, &window) + + " If there is only one window, then twice the amount of 'scroll' is used. + set scroll=2 + let a = execute('20z') + call assert_equal("\n20\n21\n22\n23", a) + call assert_equal(23, line('.')) + + let a = execute('20z+3') + " FIXME: I would expect the same result as '20z3' but it + " gives "\n21\n22\n23" instead. Bug in Vim or in ":help :z"? + "call assert_equal("\n20\n21\n22", a) + "call assert_equal(22, line('.')) + + let a = execute('20z-3') + call assert_equal("\n18\n19\n20", a) + call assert_equal(20, line('.')) + + let a = execute('20z=3') + call assert_match("^\n18\n19\n-\\+\n20\n-\\+\n21\n22$", a) + call assert_equal(20, line('.')) + + let a = execute('20z^3') + call assert_equal("\n14\n15\n16\n17", a) + call assert_equal(17, line('.')) + + let a = execute('20z.3') + call assert_equal("\n19\n20\n21", a) + call assert_equal(21, line('.')) + + let a = execute('20z#3') + call assert_equal("\n 20 20\n 21 21\n 22 22", a) + call assert_equal(22, line('.')) + + let a = execute('20z#-3') + call assert_equal("\n 18 18\n 19 19\n 20 20", a) + call assert_equal(20, line('.')) + + let a = execute('20z#=3') + call assert_match("^\n 18 18\n 19 19\n-\\+\n 20 20\n-\\+\n 21 21\n 22 22$", a) + call assert_equal(20, line('.')) + + " Test with {count} bigger than the number of lines in buffer. + let a = execute('20z1000') + call assert_match("^\n20\n21\n.*\n99\n100$", a) + call assert_equal(100, line('.')) + + let a = execute('20z-1000') + call assert_match("^\n1\n2\n.*\n19\n20$", a) + call assert_equal(20, line('.')) + + let a = execute('20z=1000') + call assert_match("^\n1\n.*\n-\\+\n20\n-\\\+\n.*\n100$", a) + call assert_equal(20, line('.')) + + call assert_fails('20z=a', 'E144:') + + set window& scroll& + bw! + endfunc + + func Test_z_bug() + " This used to access invalid memory as a result of an integer overflow + " and freeze vim. + normal ox + normal Heat + z777777776666666 + ') + endfunc *** ../vim-8.0.0536/src/version.c 2017-04-02 15:15:44.825083189 +0200 --- src/version.c 2017-04-02 15:43:45.854340777 +0200 *************** *** 766,767 **** --- 766,769 ---- { /* Add new patch number below this line */ + /**/ + 537, /**/ -- hundred-and-one symptoms of being an internet addict: 256. You are able to write down over 250 symptoms of being an internet addict, even though they only asked for 101. /// Bram Moolenaar -- Bram@Moolenaar.net -- http://www.Moolenaar.net \\\ /// sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\ \\\ an exciting new programming language -- http://www.Zimbu.org /// \\\ help me help AIDS victims -- http://ICCF-Holland.org ///