Patch 8.2.4752
Problem: Wrong 'statusline' value can cause illegal memory access.
Solution: Properly check the value. (closes #10192)
Files: src/optionstr.c, src/testdir/test_options.vim
*** ../vim-8.2.4751/src/optionstr.c 2022-04-14 20:43:52.638894555 +0100
--- src/optionstr.c 2022-04-15 13:15:37.439086419 +0100
***************
*** 574,580 ****
#ifdef FEAT_STL_OPT
/*
* Check validity of options with the 'statusline' format.
! * Return error message or NULL.
*/
static char *
check_stl_option(char_u *s)
--- 574,580 ----
#ifdef FEAT_STL_OPT
/*
* Check validity of options with the 'statusline' format.
! * Return an untranslated error message or NULL.
*/
static char *
check_stl_option(char_u *s)
***************
*** 625,641 ****
}
if (*s == '{')
{
! int reevaluate = (*s == '%');
! s++;
while ((*s != '}' || (reevaluate && s[-1] != '%')) && *s)
s++;
if (*s != '}')
! return N_(e_unclosed_expression_sequence);
}
}
if (groupdepth != 0)
! return N_(e_unbalanced_groups);
return NULL;
}
#endif
--- 625,643 ----
}
if (*s == '{')
{
! int reevaluate = (*++s == '%');
! if (reevaluate && *++s == '}')
! // "}" is not allowed immediately after "%{%"
! return illegal_char(errbuf, '}');
while ((*s != '}' || (reevaluate && s[-1] != '%')) && *s)
s++;
if (*s != '}')
! return e_unclosed_expression_sequence;
}
}
if (groupdepth != 0)
! return e_unbalanced_groups;
return NULL;
}
#endif
***************
*** 1805,1812 ****
}
#ifdef FEAT_STL_OPT
! // 'statusline' or 'rulerformat'
! else if (gvarp == &p_stl || varp == &p_ruf)
{
int wid;
--- 1807,1814 ----
}
#ifdef FEAT_STL_OPT
! // 'statusline', 'tabline' or 'rulerformat'
! else if (gvarp == &p_stl || varp == &p_tal || varp == &p_ruf)
{
int wid;
***************
*** 1824,1830 ****
else
errmsg = check_stl_option(p_ruf);
}
! // check 'statusline' only if it doesn't start with "%!"
else if (varp == &p_ruf || s[0] != '%' || s[1] != '!')
errmsg = check_stl_option(s);
if (varp == &p_ruf && errmsg == NULL)
--- 1826,1832 ----
else
errmsg = check_stl_option(p_ruf);
}
! // check 'statusline' or 'tabline' only if it doesn't start with "%!"
else if (varp == &p_ruf || s[0] != '%' || s[1] != '!')
errmsg = check_stl_option(s);
if (varp == &p_ruf && errmsg == NULL)
*** ../vim-8.2.4751/src/testdir/test_options.vim 2022-03-02
19:49:34.321061243 +0000
--- src/testdir/test_options.vim 2022-04-15 13:05:55.976250448 +0100
***************
*** 392,399 ****
--- 392,407 ----
call assert_fails('set rulerformat=%15(%%', 'E542:')
call assert_fails('set statusline=%$', 'E539:')
call assert_fails('set statusline=%{', 'E540:')
+ call assert_fails('set statusline=%{%', 'E540:')
+ call assert_fails('set statusline=%{%}', 'E539:')
call assert_fails('set statusline=%(', 'E542:')
call assert_fails('set statusline=%)', 'E542:')
+ call assert_fails('set tabline=%$', 'E539:')
+ call assert_fails('set tabline=%{', 'E540:')
+ call assert_fails('set tabline=%{%', 'E540:')
+ call assert_fails('set tabline=%{%}', 'E539:')
+ call assert_fails('set tabline=%(', 'E542:')
+ call assert_fails('set tabline=%)', 'E542:')
if has('cursorshape')
" This invalid value for 'guicursor' used to cause Vim to crash.
*** ../vim-8.2.4751/src/version.c 2022-04-14 21:36:09.551209661 +0100
--- src/version.c 2022-04-15 13:07:07.432076803 +0100
***************
*** 748,749 ****
--- 748,751 ----
{ /* Add new patch number below this line */
+ /**/
+ 4752,
/**/
--
For humans, honesty is a matter of degree. Engineers are always honest in
matters of technology and human relationships. That's why it's a good idea
to keep engineers away from customers, romantic interests, and other people
who can't handle the truth.
(Scott Adams - The Dilbert principle)
/// Bram Moolenaar -- [email protected] -- http://www.Moolenaar.net \\\
/// \\\
\\\ sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ ///
\\\ help me help AIDS victims -- http://ICCF-Holland.org ///
--
--
You received this message from the "vim_dev" maillist.
Do not top-post! Type your reply below the text you are replying to.
For more information, visit http://www.vim.org/maillist.php
---
You received this message because you are subscribed to the Google Groups
"vim_dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion on the web visit
https://groups.google.com/d/msgid/vim_dev/20220415121912.934861C05DA%40moolenaar.net.
