To: vim-dev@vim.org Subject: Patch 7.2.430 Fcc: outbox From: Bram Moolenaar Mime-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ------------ Patch 7.2.430 Problem: The ++bad argument is handled wrong, resulting in an invalid memory access. Solution: Use the bad_char field only for the replacement character, add bad_char_idx to store the position. (Dominique Pelle) Files: src/eval.c, src/ex_cmds.h, src/ex_docmd.c *** ../vim-7.2.429/src/eval.c 2010-05-14 12:16:19.000000000 +0200 --- src/eval.c 2010-05-14 19:04:53.000000000 +0200 *************** *** 18309,18316 **** # ifdef FEAT_MBYTE if (eap->force_enc != 0) len += (unsigned)STRLEN(eap->cmd + eap->force_enc) + 7; ! if (eap->bad_char != 0) ! len += (unsigned)STRLEN(eap->cmd + eap->bad_char) + 7; # endif newval = alloc(len + 1); --- 18309,18316 ---- # ifdef FEAT_MBYTE if (eap->force_enc != 0) len += (unsigned)STRLEN(eap->cmd + eap->force_enc) + 7; ! if (eap->bad_char_idx != 0) ! len += (unsigned)STRLEN(eap->cmd + eap->bad_char_idx) + 7; # endif newval = alloc(len + 1); *************** *** 18334,18342 **** if (eap->force_enc != 0) sprintf((char *)newval + STRLEN(newval), " ++enc=%s", eap->cmd + eap->force_enc); ! if (eap->bad_char != 0) sprintf((char *)newval + STRLEN(newval), " ++bad=%s", ! eap->cmd + eap->bad_char); # endif vimvars[VV_CMDARG].vv_str = newval; return oldval; --- 18334,18342 ---- if (eap->force_enc != 0) sprintf((char *)newval + STRLEN(newval), " ++enc=%s", eap->cmd + eap->force_enc); ! if (eap->bad_char_idx != 0) sprintf((char *)newval + STRLEN(newval), " ++bad=%s", ! eap->cmd + eap->bad_char_idx); # endif vimvars[VV_CMDARG].vv_str = newval; return oldval; *** ../vim-7.2.429/src/ex_cmds.h 2010-05-14 15:42:49.000000000 +0200 --- src/ex_cmds.h 2010-05-14 20:23:20.000000000 +0200 *************** *** 1152,1158 **** int force_ff; /* ++ff= argument (index in cmd[]) */ #ifdef FEAT_MBYTE int force_enc; /* ++enc= argument (index in cmd[]) */ ! int bad_char; /* ++bad= argument (index in cmd[]) */ #endif #ifdef FEAT_USR_CMDS int useridx; /* user command index */ --- 1152,1159 ---- int force_ff; /* ++ff= argument (index in cmd[]) */ #ifdef FEAT_MBYTE int force_enc; /* ++enc= argument (index in cmd[]) */ ! int bad_char_idx; /* ++bad= argument (index in cmd[]) */ ! int bad_char; /* BAD_KEEP, BAD_DROP or replacement char */ #endif #ifdef FEAT_USR_CMDS int useridx; /* user command index */ *** ../vim-7.2.429/src/ex_docmd.c 2010-05-14 15:28:37.000000000 +0200 --- src/ex_docmd.c 2010-05-14 19:04:53.000000000 +0200 *************** *** 4739,4745 **** else if (STRNCMP(arg, "bad", 3) == 0) { arg += 3; ! pp = &eap->bad_char; } #endif --- 4739,4745 ---- else if (STRNCMP(arg, "bad", 3) == 0) { arg += 3; ! pp = &eap->bad_char_idx; } #endif *************** *** 4770,4776 **** { /* Check ++bad= argument. Must be a single-byte character, "keep" or * "drop". */ ! p = eap->cmd + eap->bad_char; if (STRICMP(p, "keep") == 0) eap->bad_char = BAD_KEEP; else if (STRICMP(p, "drop") == 0) --- 4770,4776 ---- { /* Check ++bad= argument. Must be a single-byte character, "keep" or * "drop". */ ! p = eap->cmd + eap->bad_char_idx; if (STRICMP(p, "keep") == 0) eap->bad_char = BAD_KEEP; else if (STRICMP(p, "drop") == 0) *** ../vim-7.2.429/src/version.c 2010-05-14 18:56:33.000000000 +0200 --- src/version.c 2010-05-14 20:39:38.000000000 +0200 *************** *** 683,684 **** --- 683,686 ---- { /* Add new patch number below this line */ + /**/ + 430, /**/ -- You have the right to remain silent. Anything you say will be misquoted, then used against you. /// Bram Moolenaar -- Bram@Moolenaar.net -- http://www.Moolenaar.net \\\ /// sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\ \\\ download, build and distribute -- http://www.A-A-P.org /// \\\ help me help AIDS victims -- http://ICCF-Holland.org ///