From 806d037671e133bd28a7864248763f643967973a Mon Sep 17 00:00:00 2001 From: Bram Moolenaar Date: Tue, 25 Jan 2022 20:45:16 +0000 Subject: [PATCH] patch 8.2.4218: illegal memory access with bracketed paste in Ex mode Problem: Illegal memory access with bracketed paste in Ex mode. Solution: Reserve space for the trailing NUL. --- src/edit.c | 3 ++- src/testdir/test_paste.vim | 3 +++ src/version.c | 2 ++ 3 files changed, 7 insertions(+), 1 deletion(-) From fe4bbac1166f2e4e3fa18cb966ec7305198c8176 Mon Sep 17 00:00:00 2001 From: Bram Moolenaar Date: Mon, 20 Jan 2020 21:12:20 +0100 Subject: [PATCH] patch 8.2.0135: bracketed paste can still cause invalid memory access Problem: Bracketed paste can still cause invalid memory access. (Dominique Pelle) Solution: Check for NULL pointer. --- src/edit.c | 2 +- src/testdir/test_search.vim | 3 ++- src/version.c | 2 ++ 3 files changed, 5 insertions(+), 2 deletions(-) Backport: drop included_patches 135 due to version bump From 98a336dd497d3422e7efeef9f24cc9e25aeb8a49 Mon Sep 17 00:00:00 2001 From: Bram Moolenaar Date: Mon, 20 Jan 2020 20:22:30 +0100 Subject: [PATCH] patch 8.2.0133: invalid memory access with search command Problem: Invalid memory access with search command. Solution: When :normal runs out of characters in bracketed paste mode break out of the loop.(closes #5511) --- src/edit.c | 4 ++-- src/testdir/test_search.vim | 5 +++++ src/version.c | 2 ++ 3 files changed, 9 insertions(+), 2 deletions(-) Backport: drop included_patches 135 due to version bump diff --git a/src/edit.c b/src/edit.c index ee3caf0dad50..2b5301100ddb 100644 --- a/src/edit.c +++ b/src/edit.c @@ -9183,7 +9183,7 @@ bracketed_paste(paste_mode_T mode, int drop, garray_T *gap) int save_paste = p_paste; /* If the end code is too long we can't detect it, read everything. */ - if (STRLEN(end) >= NUMBUFLEN) + if (end != NULL && STRLEN(end) >= NUMBUFLEN) end = NULL; ++no_mapping; allow_keys = 0; @@ -9201,9 +9201,9 @@ bracketed_paste(paste_mode_T mode, int drop, garray_T *gap) { c = vgetc(); } while (c == K_IGNORE || c == K_VER_SCROLLBAR || c == K_HOR_SCROLLBAR); - if (c == NUL || got_int) + if (c == NUL || got_int || (ex_normal_busy > 0 && c == Ctrl_C)) // When CTRL-C was encountered the typeahead will be flushed and we - // won't get the end sequence. + // won't get the end sequence. Except when using ":normal". break; if (has_mbyte) @@ -9226,7 +9226,8 @@ bracketed_paste(paste_mode_T mode, int drop, garray_T *gap) break; case PASTE_EX: - if (gap != NULL && ga_grow(gap, idx) == OK) + /* add one for the NUL that is going to be appended */ + if (gap != NULL && ga_grow(gap, idx + 1) == OK) { mch_memmove((char *)gap->ga_data + gap->ga_len, buf, (size_t)idx); diff --git a/src/testdir/test_paste.vim b/src/testdir/test_paste.vim index c94fe7c357ed..5b8d8a0e3e2d 100644 --- a/src/testdir/test_paste.vim +++ b/src/testdir/test_paste.vim @@ -84,6 +84,16 @@ call assert_equal("\"afoo\barb", getreg(':')) endfunc +" bracketed paste in Ex-mode +func Test_paste_ex_mode() + unlet! foo + call feedkeys("Qlet foo=\"\[200~foo\bar\[201~\"\vi\", 'xt') + call assert_equal("foo\rbar", foo) + + " pasting more than 40 bytes + exe "norm Q\0000000000000000000000000000000000000000000000000000000000000000000000\" +endfunc + func Test_paste_visual_mode() new call setline(1, 'here are some words') diff --git a/src/testdir/test_search.vim b/src/testdir/test_search.vim index 60152f602..89ca6e131 100644 --- a/src/testdir/test_search.vim +++ b/src/testdir/test_search.vim @@ -1187,3 +1187,9 @@ call assert_equal(bufcontent[1], @/) call Incsearch_cleanup() endfunc + +func Test_search_special() + " this was causing illegal memory access and an endless loop + set t_PE= + exe "norm /\x80PS" +endfunc diff --git a/src/version.c b/src/version.c index 6685b554f537..9dcf34928f8d 100644 --- a/src/version.c +++ b/src/version.c @@ -795,6 +795,8 @@ static char *(features[]) = 805, /**/ 5024, +/**/ + 4218, /**/ 4214, /**/