path: root/debian/patches/CVE-2022-0392.patch
From 806d037671e133bd28a7864248763f643967973a Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Tue, 25 Jan 2022 20:45:16 +0000
Subject: [PATCH] patch 8.2.4218: illegal memory access with bracketed paste in
 Ex mode

Problem:    Illegal memory access with bracketed paste in Ex mode.
Solution:   Reserve space for the trailing NUL.
---
 src/edit.c                 | 3 ++-
 src/testdir/test_paste.vim | 3 +++
 src/version.c              | 2 ++
 3 files changed, 7 insertions(+), 1 deletion(-)

From fe4bbac1166f2e4e3fa18cb966ec7305198c8176 Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Mon, 20 Jan 2020 21:12:20 +0100
Subject: [PATCH] patch 8.2.0135: bracketed paste can still cause invalid
 memory access

Problem:    Bracketed paste can still cause invalid memory access. (Dominique
            Pelle)
Solution:   Check for NULL pointer.
---
 src/edit.c                  | 2 +-
 src/testdir/test_search.vim | 3 ++-
 src/version.c               | 2 ++
 3 files changed, 5 insertions(+), 2 deletions(-)

Backport: drop included_patches 135 due to version bump

From 98a336dd497d3422e7efeef9f24cc9e25aeb8a49 Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Mon, 20 Jan 2020 20:22:30 +0100
Subject: [PATCH] patch 8.2.0133: invalid memory access with search command

Problem:    Invalid memory access with search command.
Solution:   When :normal runs out of characters in bracketed paste mode break
            out of the loop. (closes #5511)
---
 src/edit.c                  | 4 ++--
 src/testdir/test_search.vim | 5 +++++
 src/version.c               | 2 ++
 3 files changed, 9 insertions(+), 2 deletions(-)

Backport: drop included_patches 135 due to version bump

diff --git a/src/edit.c b/src/edit.c
index ee3caf0dad50..2b5301100ddb 100644
--- a/src/edit.c
+++ b/src/edit.c
@@ -9183,7 +9183,7 @@ bracketed_paste(paste_mode_T mode, int drop, garray_T *gap)
     int		save_paste = p_paste;
 
     /* If the end code is too long we can't detect it, read everything. */
-    if (STRLEN(end) >= NUMBUFLEN)
+    if (end != NULL && STRLEN(end) >= NUMBUFLEN)
 	end = NULL;
     ++no_mapping;
     allow_keys = 0;
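Review bot: The comment above the changed test still describes only the too-long case, although the new `end != NULL` guard means `end` can already be NULL when this line is reached. I would reword it to `/* If the end code is missing or too long we can't detect it, read everything. */`. With `end` NULL there is no terminator to match, so every later use of `end` in the loop has to tolerate NULL, and the loop then ends only through the break conditions changed in the next hunk. The rest of bracketed_paste() is outside this hunk, so that needs confirming there.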
@@ -9201,9 +9201,9 @@ bracketed_paste(paste_mode_T mode, int drop, garray_T *gap)
 	{
 	    c = vgetc();
 	} while (c == K_IGNORE || c == K_VER_SCROLLBAR || c == K_HOR_SCROLLBAR);
-	if (c == NUL || got_int)
+	if (c == NUL || got_int || (ex_normal_busy > 0 && c == Ctrl_C))
 	    // When CTRL-C was encountered the typeahead will be flushed and we
-	    // won't get the end sequence.
+	    // won't get the end sequence.  Except when using ":normal".
 	    break;
 
 	if (has_mbyte)
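Review bot: The amended comment does not say why `:normal` is special; `Except when using ":normal"` reads as if the typeahead were simply not flushed in that case. Going by the commit message and the new test, `c == Ctrl_C` with `ex_normal_busy > 0` appears to be how exhausted `:normal` input shows up here, and the comment should say so, e.g. `// Under ":normal" running out of characters also shows up as CTRL-C; stop here or the loop never ends.` The unbraced `if` with two comment lines between the condition and `break;` is also easy to misread, so braces would help. The loop body continues outside the hunk.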
@@ -9226,7 +9226,8 @@ bracketed_paste(paste_mode_T mode, int drop, garray_T *gap)
 		    break;
 
 		case PASTE_EX:
-		    if (gap != NULL && ga_grow(gap, idx) == OK)
+		    /* add one for the NUL that is going to be appended */
+		    if (gap != NULL && ga_grow(gap, idx + 1) == OK)
 		    {
 			mch_memmove((char *)gap->ga_data + gap->ga_len,
 							     buf, (size_t)idx);
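Review bot: The `idx + 1` reservation and the NUL write it pays for are in different places: this hunk only copies `idx` bytes with mch_memmove(), and the terminator is written somewhere outside the hunk. The comment should name that writer, e.g. `/* add one for the NUL appended by <function that terminates gap> */` with the real name filled in, so the two stay paired when either side is edited. The commit message describes the result of getting this wrong as an illegal memory access. It is also worth checking the ga_grow() failure path: from the visible lines the pasted bytes are then skipped with no indication, and the rest of the case is not shown.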
diff --git a/src/testdir/test_paste.vim b/src/testdir/test_paste.vim
index c94fe7c357ed..5b8d8a0e3e2d 100644
--- a/src/testdir/test_paste.vim
+++ b/src/testdir/test_paste.vim
@@ -84,6 +84,16 @@
   call assert_equal("\"afoo\<CR>barb", getreg(':'))
 endfunc
 
+" bracketed paste in Ex-mode
+func Test_paste_ex_mode()
+  unlet! foo
+  call feedkeys("Qlet foo=\"\<Esc>[200~foo\<CR>bar\<Esc>[201~\"\<CR>vi\<CR>", 'xt')
+  call assert_equal("foo\rbar", foo)
+
+  " pasting more than 40 bytes
+  exe "norm Q\<PasteStart>0000000000000000000000000000000000000000000000000000000000000000000000\<C-C>"
+endfunc
+ 
 func Test_paste_visual_mode()
   new
   call setline(1, 'here are some words')
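Review bot: The second part of Test_paste_ex_mode (`" pasting more than 40 bytes`) asserts nothing, so on a build without a memory checker it likely passes whether or not the `idx + 1` fix in src/edit.c is present. The same holds for Test_search_special in test_search.vim. A comment should say this, e.g. `" no assert: only fails under valgrind/ASan when the fix is missing`, so nobody takes a green run on a plain build as proof of the fix. The first part leaves the global `foo` defined, and `unlet foo` after the assert_equal would stop it leaking into later tests. The added blank line before Test_paste_visual_mode also carries a trailing space.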
diff --git a/src/testdir/test_search.vim b/src/testdir/test_search.vim
index 60152f602..89ca6e131 100644
--- a/src/testdir/test_search.vim
+++ b/src/testdir/test_search.vim
@@ -1187,3 +1187,9 @@
   call assert_equal(bufcontent[1], @/)
   call Incsearch_cleanup()
 endfunc
+
+func Test_search_special()
+  " this was causing illegal memory access and an endless loop
+  set t_PE=
+  exe "norm /\x80PS"
+endfunc
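Review bot: `set t_PE=` is never restored, so every test that runs after Test_search_special in the same Vim instance sees an empty paste-end code and exercises a different path in bracketed_paste() than intended. Save and restore it around the `:normal` call with `let save_t_PE = &t_PE` before and `let &t_PE = save_t_PE` after. Putting the restore in a `try`/`finally` would keep the option from leaking if the `exe` line throws.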
diff --git a/src/version.c b/src/version.c
index 6685b554f537..9dcf34928f8d 100644
--- a/src/version.c
+++ b/src/version.c
@@ -795,6 +795,8 @@ static char *(features[]) =
     805,
 /**/
     5024,
+/**/
+    4218,
 /**/
     4214,
 /**/