aniani/vim
0
0
Fork 1
mirror of https://github.com/vim/vim.git synced 2025-10-30 09:47:20 -04:00
Code Activity

patch 8.2.4752: wrong 'statusline' value can cause illegal memory access

Browse Source 
Problem:    Wrong 'statusline' value can cause illegal memory access.
Solution:   Properly check the value. (closes #10192)
This commit is contained in:
zeertzjq
2022-04-15 13:17:57 +01:00
committed by Bram Moolenaar
parent 648dd88af6
commit 5dc294a7b6
3 changed files with 20 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
src/optionstr.c
View File

@@ -574,7 +574,7 @@ valid_filetype(char_u *val)
#ifdef FEAT_STL_OPT
/*
* Check validity of options with the 'statusline' format.
* Return error message or NULL.
* Return an untranslated error message or NULL.
*/
static char *
check_stl_option(char_u *s)
@@ -625,17 +625,19 @@ check_stl_option(char_u *s)
}
if (*s == '{')
{
int reevaluate = (*s == '%');
int reevaluate = (*++s == '%');
s++;
if (reevaluate && *++s == '}')
// "}" is not allowed immediately after "%{%"
return illegal_char(errbuf, '}');
while ((*s != '}' || (reevaluate && s[-1] != '%')) && *s)
s++;
if (*s != '}')
return N_(e_unclosed_expression_sequence);
return e_unclosed_expression_sequence;
}
}
if (groupdepth != 0)
return N_(e_unbalanced_groups);
return e_unbalanced_groups;
return NULL;
}
#endif
@@ -1805,8 +1807,8 @@ ambw_end:
}
#ifdef FEAT_STL_OPT
// 'statusline' or 'rulerformat'
else if (gvarp == &p_stl || varp == &p_ruf)
// 'statusline', 'tabline' or 'rulerformat'
else if (gvarp == &p_stl || varp == &p_tal || varp == &p_ruf)
{
int wid;
@@ -1824,7 +1826,7 @@ ambw_end:
else
errmsg = check_stl_option(p_ruf);
}
// check 'statusline' only if it doesn't start with "%!"
// check 'statusline' or 'tabline' only if it doesn't start with "%!"
else if (varp == &p_ruf || s[0] != '%' || s[1] != '!')
errmsg = check_stl_option(s);
if (varp == &p_ruf && errmsg == NULL)

8
src/testdir/test_options.vim
View File

@@ -392,8 +392,16 @@ func Test_set_errors()
call assert_fails('set rulerformat=%15(%%', 'E542:')
call assert_fails('set statusline=%$', 'E539:')
call assert_fails('set statusline=%{', 'E540:')
call assert_fails('set statusline=%{%', 'E540:')
call assert_fails('set statusline=%{%}', 'E539:')
call assert_fails('set statusline=%(', 'E542:')
call assert_fails('set statusline=%)', 'E542:')
call assert_fails('set tabline=%$', 'E539:')
call assert_fails('set tabline=%{', 'E540:')
call assert_fails('set tabline=%{%', 'E540:')
call assert_fails('set tabline=%{%}', 'E539:')
call assert_fails('set tabline=%(', 'E542:')
call assert_fails('set tabline=%)', 'E542:')
if has('cursorshape')
" This invalid value for 'guicursor' used to cause Vim to crash.

2
src/version.c
View File

@@ -746,6 +746,8 @@ static char *(features[]) =
static int included_patches[] =
{ /* Add new patch number below this line */
/**/
4752,
/**/
4751,
/**/