To: vim_dev@googlegroups.com Subject: Patch 8.0.1468 Fcc: outbox From: Bram Moolenaar Mime-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ------------ Patch 8.0.1468 Problem: Illegal memory access in del_bytes(). Solution: Check for negative byte count. (Christian Brabandt, closes #2466) Files: src/message.c, src/misc1.c *** ../vim-8.0.1467/src/message.c 2018-01-31 20:51:40.305835913 +0100 --- src/message.c 2018-02-04 16:18:50.083941056 +0100 *************** *** 761,767 **** void iemsg(char_u *s) { ! msg(s); #ifdef ABORT_ON_INTERNAL_ERROR abort(); #endif --- 761,767 ---- void iemsg(char_u *s) { ! emsg(s); #ifdef ABORT_ON_INTERNAL_ERROR abort(); #endif *************** *** 4993,4999 **** zero_padding = 0; } else ! { /* Regular float number */ format[0] = '%'; l = 1; --- 4993,4999 ---- zero_padding = 0; } else ! { /* Regular float number */ format[0] = '%'; l = 1; *************** *** 5016,5022 **** format[l + 1] = NUL; str_arg_l = sprintf(tmp, format, f); ! } if (remove_trailing_zeroes) { --- 5016,5022 ---- format[l + 1] = NUL; str_arg_l = sprintf(tmp, format, f); ! } if (remove_trailing_zeroes) { *** ../vim-8.0.1467/src/misc1.c 2018-02-03 20:43:03.531138351 +0100 --- src/misc1.c 2018-02-04 16:31:33.230389619 +0100 *************** *** 2457,2463 **** * If "fixpos" is TRUE, don't leave the cursor on the NUL after the line. * Caller must have prepared for undo. * ! * return FAIL for failure, OK otherwise */ int del_bytes( --- 2457,2463 ---- * If "fixpos" is TRUE, don't leave the cursor on the NUL after the line. * Caller must have prepared for undo. * ! * Return FAIL for failure, OK otherwise. */ int del_bytes( *************** *** 2476,2487 **** oldp = ml_get(lnum); oldlen = (int)STRLEN(oldp); ! /* ! * Can't do anything when the cursor is on the NUL after the line. ! */ if (col >= oldlen) return FAIL; #ifdef FEAT_MBYTE /* If 'delcombine' is set and deleting (less than) one character, only * delete the last combining character. 
*/ --- 2476,2496 ---- oldp = ml_get(lnum); oldlen = (int)STRLEN(oldp); ! /* Can't do anything when the cursor is on the NUL after the line. */ if (col >= oldlen) return FAIL; + /* If "count" is zero there is nothing to do. */ + if (count == 0) + return OK; + + /* If "count" is negative the caller must be doing something wrong. */ + if (count < 1) + { + IEMSGN("E950: Invalid count for del_bytes(): %ld", count); + return FAIL; + } + #ifdef FEAT_MBYTE /* If 'delcombine' is set and deleting (less than) one character, only * delete the last combining character. */ *** ../vim-8.0.1467/src/version.c 2018-02-04 14:49:54.023221567 +0100 --- src/version.c 2018-02-04 16:35:21.364741527 +0100 *************** *** 773,774 **** --- 773,776 ---- { /* Add new patch number below this line */ + /**/ + 1468, /**/ -- CONCORDE: Message for you, sir. He falls forward revealing the arrow with the note. "Monty Python and the Holy Grail" PYTHON (MONTY) PICTURES LTD /// Bram Moolenaar -- Bram@Moolenaar.net -- http://www.Moolenaar.net \\\ /// sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\ \\\ an exciting new programming language -- http://www.Zimbu.org /// \\\ help me help AIDS victims -- http://ICCF-Holland.org ///
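Review bot: In the iemsg() hunk of src/message.c, replacing msg(s) with emsg(s) changes how every internal error is reported, yet the Problem/Solution text only describes the del_bytes() check. Add a line to the description covering this change, or move it to its own patch, so that it can be found later from the log.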
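Review bot: In the two src/message.c hunks around lines 4993 and 5016, the removed and added lines ("{" and "}") read the same apart from whitespace, so these are indentation cleanups unrelated to the memory access fix. Consider sending them separately to keep the fix easy to review and backport.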
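Review bot: In the del_bytes() hunk of src/misc1.c, the guard "if (count < 1)" follows "if (count == 0) return OK;", so it can only fire for negative values; writing it as "if (count < 0)" would match the comment directly above it. The negative check also sits after "if (col >= oldlen) return FAIL;", which means a caller passing a negative count with the cursor on the NUL gets a silent FAIL and no E950 message. Moving only the negative-count check ahead of the col test would report the caller bug in every case without changing what count == 0 returns. The header comment ("Return FAIL for failure, OK otherwise.") could also mention that a negative count is treated as failure.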