To: vim_dev@googlegroups.com Subject: Patch 8.2.4752 Fcc: outbox From: Bram Moolenaar Mime-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ------------ Patch 8.2.4752 Problem: Wrong 'statusline' value can cause illegal memory access. Solution: Properly check the value. (closes #10192) Files: src/optionstr.c, src/testdir/test_options.vim *** ../vim-8.2.4751/src/optionstr.c 2022-04-14 20:43:52.638894555 +0100 --- src/optionstr.c 2022-04-15 13:15:37.439086419 +0100 *************** *** 574,580 **** #ifdef FEAT_STL_OPT /* * Check validity of options with the 'statusline' format. ! * Return error message or NULL. */ static char * check_stl_option(char_u *s) --- 574,580 ---- #ifdef FEAT_STL_OPT /* * Check validity of options with the 'statusline' format. ! * Return an untranslated error message or NULL. */ static char * check_stl_option(char_u *s) *************** *** 625,641 **** } if (*s == '{') { ! int reevaluate = (*s == '%'); ! s++; while ((*s != '}' || (reevaluate && s[-1] != '%')) && *s) s++; if (*s != '}') ! return N_(e_unclosed_expression_sequence); } } if (groupdepth != 0) ! return N_(e_unbalanced_groups); return NULL; } #endif --- 625,643 ---- } if (*s == '{') { ! int reevaluate = (*++s == '%'); ! if (reevaluate && *++s == '}') ! // "}" is not allowed immediately after "%{%" ! return illegal_char(errbuf, '}'); while ((*s != '}' || (reevaluate && s[-1] != '%')) && *s) s++; if (*s != '}') ! return e_unclosed_expression_sequence; } } if (groupdepth != 0) ! return e_unbalanced_groups; return NULL; } #endif *************** *** 1805,1812 **** } #ifdef FEAT_STL_OPT ! // 'statusline' or 'rulerformat' ! else if (gvarp == &p_stl || varp == &p_ruf) { int wid; --- 1807,1814 ---- } #ifdef FEAT_STL_OPT ! // 'statusline', 'tabline' or 'rulerformat' ! else if (gvarp == &p_stl || varp == &p_tal || varp == &p_ruf) { int wid; *************** *** 1824,1830 **** else errmsg = check_stl_option(p_ruf); } ! 
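Review bot: In the `{` branch of check_stl_option() the pointer is advanced inside two conditions, `int reevaluate = (*++s == '%');` and `if (reevaluate && *++s == '}')`, so how far `s` has moved depends on short-circuit evaluation. The `s[-1] != '%'` test in the loop that follows relies on exactly that position, which makes this a fragile spot for later edits to a parser that has already had a memory-access bug. I would write the advances as statements: `s++; reevaluate = (*s == '%');`, then `if (reevaluate) s++;`, then test `*s == '}'` on its own. The start of the function is outside the hunk, so the declaration of `errbuf` passed to illegal_char() is not visible here.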
// check 'statusline' only if it doesn't start with "%!" else if (varp == &p_ruf || s[0] != '%' || s[1] != '!') errmsg = check_stl_option(s); if (varp == &p_ruf && errmsg == NULL) --- 1826,1832 ---- else errmsg = check_stl_option(p_ruf); } ! // check 'statusline' or 'tabline' only if it doesn't start with "%!" else if (varp == &p_ruf || s[0] != '%' || s[1] != '!') errmsg = check_stl_option(s); if (varp == &p_ruf && errmsg == NULL) *** ../vim-8.2.4751/src/testdir/test_options.vim 2022-03-02 19:49:34.321061243 +0000 --- src/testdir/test_options.vim 2022-04-15 13:05:55.976250448 +0100 *************** *** 392,399 **** --- 392,407 ---- call assert_fails('set rulerformat=%15(%%', 'E542:') call assert_fails('set statusline=%$', 'E539:') call assert_fails('set statusline=%{', 'E540:') + call assert_fails('set statusline=%{%', 'E540:') + call assert_fails('set statusline=%{%}', 'E539:') call assert_fails('set statusline=%(', 'E542:') call assert_fails('set statusline=%)', 'E542:') + call assert_fails('set tabline=%$', 'E539:') + call assert_fails('set tabline=%{', 'E540:') + call assert_fails('set tabline=%{%', 'E540:') + call assert_fails('set tabline=%{%}', 'E539:') + call assert_fails('set tabline=%(', 'E542:') + call assert_fails('set tabline=%)', 'E542:') if has('cursorshape') " This invalid value for 'guicursor' used to cause Vim to crash. *** ../vim-8.2.4751/src/version.c 2022-04-14 21:36:09.551209661 +0100 --- src/version.c 2022-04-15 13:07:07.432076803 +0100 *************** *** 748,749 **** --- 748,751 ---- { /* Add new patch number below this line */ + /**/ + 4752, /**/ -- For humans, honesty is a matter of degree. Engineers are always honest in matters of technology and human relationships. That's why it's a good idea to keep engineers away from customers, romantic interests, and other people who can't handle the truth. 
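Review bot: Values that begin with "%!" still skip check_stl_option() in `else if (varp == &p_ruf || s[0] != '%' || s[1] != '!')`, and this now applies to 'tabline' as well, so the new rejection of "%{%}" only covers literal option values. The string a "%!" expression returns is presumably parsed when the line is drawn, by code outside this patch. If that parser does not bound its own scan after "%{%", the illegal access described in the commit message may still be reachable that way. At minimum I would extend the comment, e.g. `// "%!" values are not checked here; the expression result must be validated where it is rendered`, and confirm the render path has its own guard. The enclosing block starts and ends outside the hunk.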
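Review bot: The added cases assert rejection only, and only for 'statusline' and 'tabline'; 'rulerformat' goes through the same check_stl_option() but gets no `%{%` cases. I would add `call assert_fails('set rulerformat=%{%', 'E540:')` and `call assert_fails('set rulerformat=%{%}', 'E539:')`, which are expected to fail the same way, though that should be confirmed by running them. A positive case is also missing: nothing checks that a well-formed re-evaluated item such as `set statusline=%{%1%}` is still accepted after the parser change (reset afterwards with `set statusline&`).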
(Scott Adams - The Dilbert principle) /// Bram Moolenaar -- Bram@Moolenaar.net -- http://www.Moolenaar.net \\\ /// \\\ \\\ sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ /// \\\ help me help AIDS victims -- http://ICCF-Holland.org ///