aniani/vim
0
0
Fork 1
mirror of https://github.com/vim/vim.git synced 2025-07-04 23:07:33 -04:00
Code

patch 8.2.4752: wrong 'statusline' value can cause illegal memory access

Browse Source 
Problem:    Wrong 'statusline' value can cause illegal memory access.
Solution:   Properly check the value. (closes #10192)
This commit is contained in:
zeertzjq 2022-04-15 13:17:57 +01:00 committed by Bram Moolenaar
parent 648dd88af6
commit 5dc294a7b6
3 changed files with 20 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
src/optionstr.c
View File

@ -574,7 +574,7 @@ valid_filetype(char_u *val)
#ifdef FEAT_STL_OPT #ifdef FEAT_STL_OPT
/* /*
* Check validity of options with the 'statusline' format. * Check validity of options with the 'statusline' format.
* Return error message or NULL. * Return an untranslated error message or NULL.
*/ */
static char * static char *
check_stl_option(char_u *s) check_stl_option(char_u *s)
@ -625,17 +625,19 @@ check_stl_option(char_u *s)
} }
if (*s == '{') if (*s == '{')
{ {
int reevaluate = (*s == '%'); int reevaluate = (*++s == '%');
s++; if (reevaluate && *++s == '}')
// "}" is not allowed immediately after "%{%"
return illegal_char(errbuf, '}');
while ((*s != '}' || (reevaluate && s[-1] != '%')) && *s) while ((*s != '}' || (reevaluate && s[-1] != '%')) && *s)
s++; s++;
if (*s != '}') if (*s != '}')
return N_(e_unclosed_expression_sequence); return e_unclosed_expression_sequence;
} }
} }
if (groupdepth != 0) if (groupdepth != 0)
return N_(e_unbalanced_groups); return e_unbalanced_groups;
return NULL; return NULL;
} }
#endif #endif
@ -1805,8 +1807,8 @@ ambw_end:
} }
#ifdef FEAT_STL_OPT #ifdef FEAT_STL_OPT
// 'statusline' or 'rulerformat' // 'statusline', 'tabline' or 'rulerformat'
else if (gvarp == &p_stl || varp == &p_ruf) else if (gvarp == &p_stl || varp == &p_tal || varp == &p_ruf)
{ {
int wid; int wid;
@ -1824,7 +1826,7 @@ ambw_end:
else else
errmsg = check_stl_option(p_ruf); errmsg = check_stl_option(p_ruf);
} }
// check 'statusline' only if it doesn't start with "%!" // check 'statusline' or 'tabline' only if it doesn't start with "%!"
else if (varp == &p_ruf || s[0] != '%' || s[1] != '!') else if (varp == &p_ruf || s[0] != '%' || s[1] != '!')
errmsg = check_stl_option(s); errmsg = check_stl_option(s);
if (varp == &p_ruf && errmsg == NULL) if (varp == &p_ruf && errmsg == NULL)

8
src/testdir/test_options.vim
View File

@ -392,8 +392,16 @@ func Test_set_errors()
call assert_fails('set rulerformat=%15(%%', 'E542:') call assert_fails('set rulerformat=%15(%%', 'E542:')
call assert_fails('set statusline=%$', 'E539:') call assert_fails('set statusline=%$', 'E539:')
call assert_fails('set statusline=%{', 'E540:') call assert_fails('set statusline=%{', 'E540:')
call assert_fails('set statusline=%{%', 'E540:')
call assert_fails('set statusline=%{%}', 'E539:')
call assert_fails('set statusline=%(', 'E542:') call assert_fails('set statusline=%(', 'E542:')
call assert_fails('set statusline=%)', 'E542:') call assert_fails('set statusline=%)', 'E542:')
call assert_fails('set tabline=%$', 'E539:')
call assert_fails('set tabline=%{', 'E540:')
call assert_fails('set tabline=%{%', 'E540:')
call assert_fails('set tabline=%{%}', 'E539:')
call assert_fails('set tabline=%(', 'E542:')
call assert_fails('set tabline=%)', 'E542:')
if has('cursorshape') if has('cursorshape')
" This invalid value for 'guicursor' used to cause Vim to crash. " This invalid value for 'guicursor' used to cause Vim to crash.

2
src/version.c
View File

@ -746,6 +746,8 @@ static char *(features[]) =
static int included_patches[] = static int included_patches[] =
{ /* Add new patch number below this line */ { /* Add new patch number below this line */
/**/
4752,
/**/ /**/
4751, 4751,
/**/ /**/