Tree - rpms/vim - CentOS Git server

rpms / vim

Files

Commit: 201dce2036dee5afc9c3d6fd78868531ed837446

Blob Blame History Raw

 To: vim-dev@vim.org
Subject: Patch 7.2.307
Fcc: outbox
From: Bram Moolenaar <Bram@moolenaar.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
------------
 
Patch 7.2.307
Problem:    Crash with a very long syntax match statement. (Guy Gur Ari)
Solution:   When the offset does not fit in the two bytes available give an
            error instead of continuing with invalid pointers.
Files:      src/regexp.c
 
 
*** ../vim-7.2.306/src/regexp.c	2009-05-15 21:31:11.000000000 +0200
--- src/regexp.c	2009-11-25 18:13:03.000000000 +0100
***************
*** 583,588 ****
--- 583,589 ----
  #endif
  static char_u	*regcode;	/* Code-emit pointer, or JUST_CALC_SIZE */
  static long	regsize;	/* Code size. */
+ static int	reg_toolong;	/* TRUE when offset out of range */
  static char_u	had_endbrace[NSUBEXP];	/* flags, TRUE if end of () found */
  static unsigned	regflags;	/* RF_ flags for prog */
  static long	brace_min[10];	/* Minimums for complex brace repeats */
***************
*** 1028,1036 ****
      regcomp_start(expr, re_flags);
      regcode = r->program;
      regc(REGMAGIC);
!     if (reg(REG_NOPAREN, &flags) == NULL)
      {
  	vim_free(r);
  	return NULL;
      }
  
--- 1029,1039 ----
      regcomp_start(expr, re_flags);
      regcode = r->program;
      regc(REGMAGIC);
!     if (reg(REG_NOPAREN, &flags) == NULL || reg_toolong)
      {
  	vim_free(r);
+ 	if (reg_toolong)
+ 	    EMSG_RET_NULL(_("E339: Pattern too long"));
  	return NULL;
      }
  
***************
*** 1141,1146 ****
--- 1144,1150 ----
      re_has_z = 0;
  #endif
      regsize = 0L;
+     reg_toolong = FALSE;
      regflags = 0;
  #if defined(FEAT_SYN_HL) || defined(PROTO)
      had_eol = FALSE;
***************
*** 1228,1234 ****
      {
  	skipchr();
  	br = regbranch(&flags);
! 	if (br == NULL)
  	    return NULL;
  	regtail(ret, br);	/* BRANCH -> BRANCH. */
  	if (!(flags & HASWIDTH))
--- 1232,1238 ----
      {
  	skipchr();
  	br = regbranch(&flags);
! 	if (br == NULL || reg_toolong)
  	    return NULL;
  	regtail(ret, br);	/* BRANCH -> BRANCH. */
  	if (!(flags & HASWIDTH))
***************
*** 1313,1318 ****
--- 1317,1324 ----
  	    break;
  	skipchr();
  	regtail(latest, regnode(END)); /* operand ends */
+ 	if (reg_toolong)
+ 	    break;
  	reginsert(MATCH, latest);
  	chain = latest;
      }
***************
*** 1382,1388 ****
  			    break;
  	    default:
  			    latest = regpiece(&flags);
! 			    if (latest == NULL)
  				return NULL;
  			    *flagp |= flags & (HASWIDTH | HASNL | HASLOOKBH);
  			    if (chain == NULL)	/* First piece. */
--- 1388,1394 ----
  			    break;
  	    default:
  			    latest = regpiece(&flags);
! 			    if (latest == NULL || reg_toolong)
  				return NULL;
  			    *flagp |= flags & (HASWIDTH | HASNL | HASLOOKBH);
  			    if (chain == NULL)	/* First piece. */
***************
*** 2540,2547 ****
  	offset = (int)(scan - val);
      else
  	offset = (int)(val - scan);
!     *(scan + 1) = (char_u) (((unsigned)offset >> 8) & 0377);
!     *(scan + 2) = (char_u) (offset & 0377);
  }
  
  /*
--- 2546,2561 ----
  	offset = (int)(scan - val);
      else
  	offset = (int)(val - scan);
!     /* When the offset uses more than 16 bits it can no longer fit in the two
!      * bytes avaliable.  Use a global flag to avoid having to check return
!      * values in too many places. */
!     if (offset > 0xffff)
! 	reg_toolong = TRUE;
!     else
!     {
! 	*(scan + 1) = (char_u) (((unsigned)offset >> 8) & 0377);
! 	*(scan + 2) = (char_u) (offset & 0377);
!     }
  }
  
  /*
***************
*** 5764,5769 ****
--- 5778,5785 ----
  
  /*
   * regnext - dig the "next" pointer out of a node
+  * Returns NULL when calculating size, when there is no next item and when
+  * there is an error.
   */
      static char_u *
  regnext(p)
***************
*** 5771,5777 ****
  {
      int	    offset;
  
!     if (p == JUST_CALC_SIZE)
  	return NULL;
  
      offset = NEXT(p);
--- 5787,5793 ----
  {
      int	    offset;
  
!     if (p == JUST_CALC_SIZE || reg_toolong)
  	return NULL;
  
      offset = NEXT(p);
*** ../vim-7.2.306/src/version.c	2009-11-25 17:15:16.000000000 +0100
--- src/version.c	2009-11-25 18:14:32.000000000 +0100
***************
*** 683,684 ****
--- 683,686 ----
  {   /* Add new patch number below this line */
+ /**/
+     307,
  /**/
 
-- 
The fastest way to get an engineer to solve a problem is to declare that the
problem is unsolvable.  No engineer can walk away from an unsolvable problem
until it's solved.
				(Scott Adams - The Dilbert principle)
 
 /// Bram Moolenaar -- Bram@Moolenaar.net -- http://www.Moolenaar.net   \\\
///        sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\
\\\        download, build and distribute -- http://www.A-A-P.org        ///
 \\\            help me help AIDS victims -- http://ICCF-Holland.org    ///

	To: vim-dev@vim.org
	Subject: Patch 7.2.307
	Fcc: outbox
	From: Bram Moolenaar <Bram@moolenaar.net>
	Mime-Version: 1.0
	Content-Type: text/plain; charset=UTF-8
	Content-Transfer-Encoding: 8bit
	------------

	Patch 7.2.307
	Problem: Crash with a very long syntax match statement. (Guy Gur Ari)
	Solution: When the offset does not fit in the two bytes available give an
	error instead of continuing with invalid pointers.
	Files: src/regexp.c


	*** ../vim-7.2.306/src/regexp.c 2009-05-15 21:31:11.000000000 +0200
	--- src/regexp.c 2009-11-25 18:13:03.000000000 +0100
	***************
	* 583,588 **
	--- 583,589 ----
	#endif
	static char_u regcode; / Code-emit pointer, or JUST_CALC_SIZE */
	static long regsize; /* Code size. */
	+ static int reg_toolong; /* TRUE when offset out of range */
	static char_u had_endbrace[NSUBEXP]; /* flags, TRUE if end of () found */
	static unsigned regflags; /* RF_ flags for prog */
	static long brace_min[10]; /* Minimums for complex brace repeats */
	***************
	* 1028,1036 **
	regcomp_start(expr, re_flags);
	regcode = r->program;
	regc(REGMAGIC);
	! if (reg(REG_NOPAREN, &flags) == NULL)
	{
	vim_free(r);
	return NULL;
	}

	--- 1029,1039 ----
	regcomp_start(expr, re_flags);
	regcode = r->program;
	regc(REGMAGIC);
	! if (reg(REG_NOPAREN, &flags) == NULL \|\| reg_toolong)
	{
	vim_free(r);
	+ if (reg_toolong)
	+ EMSG_RET_NULL(_("E339: Pattern too long"));
	return NULL;
	}

	***************
	* 1141,1146 **
	--- 1144,1150 ----
	re_has_z = 0;
	#endif
	regsize = 0L;
	+ reg_toolong = FALSE;
	regflags = 0;
	#if defined(FEAT_SYN_HL) \|\| defined(PROTO)
	had_eol = FALSE;
	***************
	* 1228,1234 **
	{
	skipchr();
	br = regbranch(&flags);
	! if (br == NULL)
	return NULL;
	regtail(ret, br); /* BRANCH -> BRANCH. */
	if (!(flags & HASWIDTH))
	--- 1232,1238 ----
	{
	skipchr();
	br = regbranch(&flags);
	! if (br == NULL \|\| reg_toolong)
	return NULL;
	regtail(ret, br); /* BRANCH -> BRANCH. */
	if (!(flags & HASWIDTH))
	***************
	* 1313,1318 **
	--- 1317,1324 ----
	break;
	skipchr();
	regtail(latest, regnode(END)); /* operand ends */
	+ if (reg_toolong)
	+ break;
	reginsert(MATCH, latest);
	chain = latest;
	}
	***************
	* 1382,1388 **
	break;
	default:
	latest = regpiece(&flags);
	! if (latest == NULL)
	return NULL;
	*flagp \|= flags & (HASWIDTH \| HASNL \| HASLOOKBH);
	if (chain == NULL) /* First piece. */
	--- 1388,1394 ----
	break;
	default:
	latest = regpiece(&flags);
	! if (latest == NULL \|\| reg_toolong)
	return NULL;
	*flagp \|= flags & (HASWIDTH \| HASNL \| HASLOOKBH);
	if (chain == NULL) /* First piece. */
	***************
	* 2540,2547 **
	offset = (int)(scan - val);
	else
	offset = (int)(val - scan);
	! *(scan + 1) = (char_u) (((unsigned)offset >> 8) & 0377);
	! *(scan + 2) = (char_u) (offset & 0377);
	}

	/*
	--- 2546,2561 ----
	offset = (int)(scan - val);
	else
	offset = (int)(val - scan);
	! /* When the offset uses more than 16 bits it can no longer fit in the two
	! * bytes avaliable. Use a global flag to avoid having to check return
	! * values in too many places. */
	! if (offset > 0xffff)
	! reg_toolong = TRUE;
	! else
	! {
	! *(scan + 1) = (char_u) (((unsigned)offset >> 8) & 0377);
	! *(scan + 2) = (char_u) (offset & 0377);
	! }
	}

	/*
	***************
	* 5764,5769 **
	--- 5778,5785 ----

	/*
	* regnext - dig the "next" pointer out of a node
	+ * Returns NULL when calculating size, when there is no next item and when
	+ * there is an error.
	*/
	static char_u *
	regnext(p)
	***************
	* 5771,5777 **
	{
	int offset;

	! if (p == JUST_CALC_SIZE)
	return NULL;

	offset = NEXT(p);
	--- 5787,5793 ----
	{
	int offset;

	! if (p == JUST_CALC_SIZE \|\| reg_toolong)
	return NULL;

	offset = NEXT(p);
	*** ../vim-7.2.306/src/version.c 2009-11-25 17:15:16.000000000 +0100
	--- src/version.c 2009-11-25 18:14:32.000000000 +0100
	***************
	* 683,684 **
	--- 683,686 ----
	{ /* Add new patch number below this line */
	+ /**/
	+ 307,
	/**/

	--
	The fastest way to get an engineer to solve a problem is to declare that the
	problem is unsolvable. No engineer can walk away from an unsolvable problem
	until it's solved.
	(Scott Adams - The Dilbert principle)

	/// Bram Moolenaar -- Bram@Moolenaar.net -- http://www.Moolenaar.net \\\
	/// sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\
	\\\ download, build and distribute -- http://www.A-A-P.org ///
	\\\ help me help AIDS victims -- http://ICCF-Holland.org ///

rpms / vim

Source Code

Files