Patch 7.2a.010

Bram Moolenaar Sun, 29 Jun 2008 07:16:02 -0700


Patch 7.2a.010
Problem:    When a file name has an illegal byte sequence Vim may read
            uninitialised memory.
Solution:   Don't use UTF_COMPOSINGLIKE() on an illegal byte.  In
            msg_outtrans_len_attr() use char2cells() instead of ptr2cells().
            In utf_ptr2char() don't check second byte when first byte is
            illega.  (Dominique Pelle)
Files:      src/mbyte.c, src/message.c



*** ../vim-7.2a.009/src/mbyte.c Tue Jun 24 23:15:45 2008
--- src/mbyte.c Sun Jun 29 16:00:54 2008
***************
*** 1387,1393 ****
        return p[0];
  
      len = utf8len_tab[p[0]];
!     if ((p[1] & 0xc0) == 0x80)
      {
        if (len == 2)
            return ((p[0] & 0x1f) << 6) + (p[1] & 0x3f);
--- 1387,1393 ----
        return p[0];
  
      len = utf8len_tab[p[0]];
!     if (len > 1 && (p[1] & 0xc0) == 0x80)
      {
        if (len == 2)
            return ((p[0] & 0x1f) << 6) + (p[1] & 0x3f);
***************
*** 1753,1766 ****
  #endif
      while (len < size)
      {
!       if (p[len] < 0x80 || !UTF_COMPOSINGLIKE(p + prevlen, p + len))
            break;
  
        /* Skip over composing char */
  #ifdef FEAT_ARABIC
        prevlen = len;
  #endif
!       len += utf_ptr2len_len(p + len, size - len);
      }
      return len;
  }
--- 1753,1779 ----
  #endif
      while (len < size)
      {
!       int     len_next_char;
! 
!       if (p[len] < 0x80)
!           break;
! 
!       /*
!        * Next character length should not go beyond size to ensure that
!        * UTF_COMPOSINGLIKE(...) does not read beyond size.
!        */
!       len_next_char = utf_ptr2len_len(p + len, size - len);
!       if (len_next_char > size - len)
!           break;
! 
!       if (!UTF_COMPOSINGLIKE(p + prevlen, p + len))
            break;
  
        /* Skip over composing char */
  #ifdef FEAT_ARABIC
        prevlen = len;
  #endif
!       len += len_next_char;
      }
      return len;
  }
*** ../vim-7.2a.009/src/message.c       Sat Jun 28 16:09:31 2008
--- src/message.c       Sun Jun 29 15:57:17 2008
***************
*** 1391,1397 ****
                plain_start = str + 1;
                msg_puts_attr(s, attr == 0 ? hl_attr(HLF_8) : attr);
            }
!           retval += ptr2cells(str);
            ++str;
        }
      }
--- 1391,1397 ----
                plain_start = str + 1;
                msg_puts_attr(s, attr == 0 ? hl_attr(HLF_8) : attr);
            }
!           retval += char2cells(*str);
            ++str;
        }
      }
*** ../vim-7.2a.009/src/version.c       Sun Jun 29 13:59:48 2008
--- src/version.c       Sun Jun 29 16:12:49 2008
***************
*** 678,679 ****
--- 678,681 ----
  {   /* Add new patch number below this line */
+ /**/
+     10,
  /**/

-- 
hundred-and-one symptoms of being an internet addict:
118. You are on a first-name basis with your ISP's staff.

 /// Bram Moolenaar -- [EMAIL PROTECTED] -- http://www.Moolenaar.net   \\\
///        sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\
\\\        download, build and distribute -- http://www.A-A-P.org        ///
 \\\            help me help AIDS victims -- http://ICCF-Holland.org    ///

--~--~---------~--~----~------------~-------~--~----~
You received this message from the "vim_dev" maillist.
For more information, visit http://www.vim.org/maillist.php
-~----------~----~----~----~------~----~------~--~---

Patch 7.2a.010

Raspunde prin e-mail lui