To: vim_dev@googlegroups.com
Subject: Patch 7.3.664
Fcc: outbox
From: Bram Moolenaar <Bram@moolenaar.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
------------
Patch 7.3.664
Problem: Buffer overflow in unescaping text. (Raymond Ko)
Solution: Limit check for multi-byte character to 4 bytes.
Files: src/mbyte.c
*** ../vim-7.3.663/src/mbyte.c 2012-06-01 17:46:52.000000000 +0200
--- src/mbyte.c 2012-09-18 17:53:05.000000000 +0200
***************
*** 3793,3805 ****
mb_unescape(pp)
char_u **pp;
{
! static char_u buf[MB_MAXBYTES + 1];
! int n, m = 0;
char_u *str = *pp;
/* Must translate K_SPECIAL KS_SPECIAL KE_FILLER to K_SPECIAL and CSI
! * KS_EXTRA KE_CSI to CSI. */
! for (n = 0; str[n] != NUL && m <= MB_MAXBYTES; ++n)
{
if (str[n] == K_SPECIAL
&& str[n + 1] == KS_SPECIAL
--- 3793,3807 ----
mb_unescape(pp)
char_u **pp;
{
! static char_u buf[6];
! int n;
! int m = 0;
char_u *str = *pp;
/* Must translate K_SPECIAL KS_SPECIAL KE_FILLER to K_SPECIAL and CSI
! * KS_EXTRA KE_CSI to CSI.
! * Maximum length of a utf-8 character is 4 bytes. */
! for (n = 0; str[n] != NUL && m < 4; ++n)
{
if (str[n] == K_SPECIAL
&& str[n + 1] == KS_SPECIAL
***************
*** 3836,3841 ****
--- 3838,3847 ----
*pp = str + n + 1;
return buf;
}
+
+ /* Bail out quickly for ASCII. */
+ if (buf[0] < 128)
+ break;
}
return NULL;
}
*** ../vim-7.3.663/src/version.c 2012-09-18 16:47:00.000000000 +0200
--- src/version.c 2012-09-18 18:01:14.000000000 +0200
***************
*** 721,722 ****
--- 721,724 ----
{ /* Add new patch number below this line */
+ /**/
+ 664,
/**/
--
There are three kinds of people: Those who can count & those who can't.
/// Bram Moolenaar -- Bram@Moolenaar.net -- http://www.Moolenaar.net \\\
/// sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\
\\\ an exciting new programming language -- http://www.Zimbu.org ///
\\\ help me help AIDS victims -- http://ICCF-Holland.org ///