patch 8.2.4245: ":retab 0" may cause illegal memory access
Problem:    ":retab 0" may cause illegal memory access.
Solution:   Limit the value of 'tabstop' to 10000.
brammool committed Jan 28, 2022
1 parent 14cbf77 commit 652dee4
Showing 5 changed files with 17 additions and 9 deletions.
4 changes: 2 additions & 2 deletions src/indent.c
@@ -71,7 +71,7 @@ tabstop_set(char_u *var, int **array)
int n = atoi((char *)cp);

// Catch negative values, overflow and ridiculous big values.
if (n < 0 || n > 9999)
if (n < 0 || n > TABSTOP_MAX)
{
semsg(_(e_invalid_argument_str), cp);
vim_free(*array);
@@ -1649,7 +1649,7 @@ ex_retab(exarg_T *eap)
emsg(_(e_argument_must_be_positive));
return;
}
if (new_ts < 0 || new_ts > 9999)
if (new_ts < 0 || new_ts > TABSTOP_MAX)
{
semsg(_(e_invalid_argument_str), eap->arg);
return;
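Review bot: In the first hunk (tabstop_set), the range test `n > TABSTOP_MAX` runs on the result of `atoi()`, whose behaviour is not defined when the digit string does not fit in an int, so the "overflow" case named in the comment is not reliably caught. A very long number may convert to a value inside 0..TABSTOP_MAX and be accepted. Setting `errno = 0;` before converting with `long n = strtol((char *)cp, NULL, 10);` and then testing `if (errno == ERANGE || n < 0 || n > TABSTOP_MAX)` would make the check cover what the comment promises. The bodies of tabstop_set and ex_retab both start and end outside these hunks, so whether an earlier pass already bounds the number of digits cannot be confirmed from here.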
16 changes: 9 additions & 7 deletions src/option.c
@@ -3752,6 +3752,11 @@ set_num_option(
errmsg = e_argument_must_be_positive;
curbuf->b_p_ts = 8;
}
else if (curbuf->b_p_ts > TABSTOP_MAX)
{
errmsg = e_invalid_argument;
curbuf->b_p_ts = 8;
}
if (p_tm < 0)
{
errmsg = e_argument_must_be_positive;
@@ -5983,7 +5988,7 @@ buf_copy_options(buf_T *buf, int flags)
if (p_vsts && p_vsts != empty_option)
(void)tabstop_set(p_vsts, &buf->b_p_vsts_array);
else
buf->b_p_vsts_array = 0;
buf->b_p_vsts_array = NULL;
buf->b_p_vsts_nopaste = p_vsts_nopaste
? vim_strsave(p_vsts_nopaste) : NULL;
#endif
@@ -6803,9 +6808,7 @@ paste_option_changed(void)
if (buf->b_p_vsts)
free_string_option(buf->b_p_vsts);
buf->b_p_vsts = empty_option;
if (buf->b_p_vsts_array)
vim_free(buf->b_p_vsts_array);
buf->b_p_vsts_array = 0;
VIM_CLEAR(buf->b_p_vsts_array);
#endif
}

@@ -6851,12 +6854,11 @@ paste_option_changed(void)
free_string_option(buf->b_p_vsts);
buf->b_p_vsts = buf->b_p_vsts_nopaste
? vim_strsave(buf->b_p_vsts_nopaste) : empty_option;
if (buf->b_p_vsts_array)
vim_free(buf->b_p_vsts_array);
vim_free(buf->b_p_vsts_array);
if (buf->b_p_vsts && buf->b_p_vsts != empty_option)
(void)tabstop_set(buf->b_p_vsts, &buf->b_p_vsts_array);
else
buf->b_p_vsts_array = 0;
buf->b_p_vsts_array = NULL;
#endif
}
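Review bot: In the last hunk of paste_option_changed, `vim_free(buf->b_p_vsts_array);` leaves the field holding a freed pointer while `tabstop_set()` runs, and the `(void)` cast discards its result. If tabstop_set can return before it stores to `*array` (only part of its body is visible on this page), the buffer keeps a dangling pointer that later code may read or free again. Using `VIM_CLEAR(buf->b_p_vsts_array);` here, as the earlier hunk in the same function now does, would close that window and keep the two branches consistent. The function body starts outside the hunk.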

2 changes: 2 additions & 0 deletions src/testdir/test_options.vim
@@ -368,6 +368,8 @@ func Test_set_errors()
call assert_fails('set shiftwidth=-1', 'E487:')
call assert_fails('set sidescroll=-1', 'E487:')
call assert_fails('set tabstop=-1', 'E487:')
call assert_fails('set tabstop=10000', 'E474:')
call assert_fails('set tabstop=5500000000', 'E474:')
call assert_fails('set textwidth=-1', 'E487:')
call assert_fails('set timeoutlen=-1', 'E487:')
call assert_fails('set updatecount=-1', 'E487:')
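Review bot: The two added assertions cover only the `:set tabstop=` path; no test in this commit exercises `:retab 0`, the command named in the patch title, and nothing pins the accepted boundary. Adding `set tabstop=9999` followed by `set tabstop&` would show that the largest allowed value still works, and a regression test that runs `:retab 0` on a buffer with a large 'tabstop' would guard the original report. Test_set_errors starts and ends outside the hunk and the retab tests live in another file, so an existing test for this may simply not be visible here.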
2 changes: 2 additions & 0 deletions src/version.c
@@ -750,6 +750,8 @@ static char *(features[]) =

static int included_patches[] =
{ /* Add new patch number below this line */
/**/
4245,
/**/
4244,
/**/
2 changes: 2 additions & 0 deletions src/vim.h
@@ -2085,6 +2085,8 @@ typedef int sock_T;

#define DICT_MAXNEST 100 // maximum nesting of lists and dicts

#define TABSTOP_MAX 9999

#ifdef FEAT_CLIPBOARD

// VIM_ATOM_NAME is the older Vim-specific selection type for X11. Still
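Review bot: `TABSTOP_MAX` is added without a comment, unlike `DICT_MAXNEST` directly above it, and the commit message gives the limit as 10000 while the new checks accept at most 9999. A trailing comment such as `#define TABSTOP_MAX 9999  // maximum value for 'tabstop' and the :retab argument` would record the inclusive bound next to the number. The same limit is applied to the values parsed in tabstop_set, so the comment could mention that use as well.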
