To: vim-dev@vim.org
Subject: Patch 7.2a.010
Fcc: outbox
From: Bram Moolenaar <Bram@moolenaar.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
------------

Patch 7.2a.010
Problem:    When a file name has an illegal byte sequence Vim may read
	    uninitialised memory.
Solution:   Don't use UTF_COMPOSINGLIKE() on an illegal byte.  In
	    msg_outtrans_len_attr() use char2cells() instead of ptr2cells().
	    In utf_ptr2char() don't check second byte when first byte is
	    illega.  (Dominique Pelle)
Files:	    src/mbyte.c, src/message.c


*** ../vim-7.2a.009/src/mbyte.c	Tue Jun 24 23:15:45 2008
--- src/mbyte.c	Sun Jun 29 16:00:54 2008
***************
*** 1387,1393 ****
  	return p[0];
  
      len = utf8len_tab[p[0]];
!     if ((p[1] & 0xc0) == 0x80)
      {
  	if (len == 2)
  	    return ((p[0] & 0x1f) << 6) + (p[1] & 0x3f);
--- 1387,1393 ----
  	return p[0];
  
      len = utf8len_tab[p[0]];
!     if (len > 1 && (p[1] & 0xc0) == 0x80)
      {
  	if (len == 2)
  	    return ((p[0] & 0x1f) << 6) + (p[1] & 0x3f);
***************
*** 1753,1766 ****
  #endif
      while (len < size)
      {
! 	if (p[len] < 0x80 || !UTF_COMPOSINGLIKE(p + prevlen, p + len))
  	    break;
  
  	/* Skip over composing char */
  #ifdef FEAT_ARABIC
  	prevlen = len;
  #endif
! 	len += utf_ptr2len_len(p + len, size - len);
      }
      return len;
  }
--- 1753,1779 ----
  #endif
      while (len < size)
      {
! 	int	len_next_char;
! 
! 	if (p[len] < 0x80)
! 	    break;
! 
! 	/*
! 	 * Next character length should not go beyond size to ensure that
! 	 * UTF_COMPOSINGLIKE(...) does not read beyond size.
! 	 */
! 	len_next_char = utf_ptr2len_len(p + len, size - len);
! 	if (len_next_char > size - len)
! 	    break;
! 
! 	if (!UTF_COMPOSINGLIKE(p + prevlen, p + len))
  	    break;
  
  	/* Skip over composing char */
  #ifdef FEAT_ARABIC
  	prevlen = len;
  #endif
! 	len += len_next_char;
      }
      return len;
  }
*** ../vim-7.2a.009/src/message.c	Sat Jun 28 16:09:31 2008
--- src/message.c	Sun Jun 29 15:57:17 2008
***************
*** 1391,1397 ****
  		plain_start = str + 1;
  		msg_puts_attr(s, attr == 0 ? hl_attr(HLF_8) : attr);
  	    }
! 	    retval += ptr2cells(str);
  	    ++str;
  	}
      }
--- 1391,1397 ----
  		plain_start = str + 1;
  		msg_puts_attr(s, attr == 0 ? hl_attr(HLF_8) : attr);
  	    }
! 	    retval += char2cells(*str);
  	    ++str;
  	}
      }
*** ../vim-7.2a.009/src/version.c	Sun Jun 29 13:59:48 2008
--- src/version.c	Sun Jun 29 16:12:49 2008
***************
*** 678,679 ****
--- 678,681 ----
  {   /* Add new patch number below this line */
+ /**/
+     10,
  /**/

-- 
hundred-and-one symptoms of being an internet addict:
118. You are on a first-name basis with your ISP's staff.

 /// Bram Moolenaar -- Bram@Moolenaar.net -- http://www.Moolenaar.net   \\\
///        sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\
\\\        download, build and distribute -- http://www.A-A-P.org        ///
 \\\            help me help AIDS victims -- http://ICCF-Holland.org    ///