[packages/vim.git] / 7.2.307

To: vim-dev@vim.org
Subject: Patch 7.2.307
Fcc: outbox
From: Bram Moolenaar <Bram@moolenaar.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
------------

Patch 7.2.307
Problem:    Crash with a very long syntax match statement. (Guy Gur Ari)
Solution:   When the offset does not fit in the two bytes available give an
            error instead of continuing with invalid pointers.
Files:      src/regexp.c


*** ../vim-7.2.306/src/regexp.c	2009-05-15 21:31:11.000000000 +0200
--- src/regexp.c	2009-11-25 18:13:03.000000000 +0100
***************
*** 583,588 ****
--- 583,589 ----
  #endif
  static char_u	*regcode;	/* Code-emit pointer, or JUST_CALC_SIZE */
  static long	regsize;	/* Code size. */
+ static int	reg_toolong;	/* TRUE when offset out of range */
  static char_u	had_endbrace[NSUBEXP];	/* flags, TRUE if end of () found */
  static unsigned	regflags;	/* RF_ flags for prog */
  static long	brace_min[10];	/* Minimums for complex brace repeats */
***************
*** 1028,1036 ****
      regcomp_start(expr, re_flags);
      regcode = r->program;
      regc(REGMAGIC);
!     if (reg(REG_NOPAREN, &flags) == NULL)
      {
  	vim_free(r);
  	return NULL;
      }
  
--- 1029,1039 ----
      regcomp_start(expr, re_flags);
      regcode = r->program;
      regc(REGMAGIC);
!     if (reg(REG_NOPAREN, &flags) == NULL || reg_toolong)
      {
  	vim_free(r);
+ 	if (reg_toolong)
+ 	    EMSG_RET_NULL(_("E339: Pattern too long"));
  	return NULL;
      }
  
***************
*** 1141,1146 ****
--- 1144,1150 ----
      re_has_z = 0;
  #endif
      regsize = 0L;
+     reg_toolong = FALSE;
      regflags = 0;
  #if defined(FEAT_SYN_HL) || defined(PROTO)
      had_eol = FALSE;
***************
*** 1228,1234 ****
      {
  	skipchr();
  	br = regbranch(&flags);
! 	if (br == NULL)
  	    return NULL;
  	regtail(ret, br);	/* BRANCH -> BRANCH. */
  	if (!(flags & HASWIDTH))
--- 1232,1238 ----
      {
  	skipchr();
  	br = regbranch(&flags);
! 	if (br == NULL || reg_toolong)
  	    return NULL;
  	regtail(ret, br);	/* BRANCH -> BRANCH. */
  	if (!(flags & HASWIDTH))
***************
*** 1313,1318 ****
--- 1317,1324 ----
  	    break;
  	skipchr();
  	regtail(latest, regnode(END)); /* operand ends */
+ 	if (reg_toolong)
+ 	    break;
  	reginsert(MATCH, latest);
  	chain = latest;
      }
***************
*** 1382,1388 ****
  			    break;
  	    default:
  			    latest = regpiece(&flags);
! 			    if (latest == NULL)
  				return NULL;
  			    *flagp |= flags & (HASWIDTH | HASNL | HASLOOKBH);
  			    if (chain == NULL)	/* First piece. */
--- 1388,1394 ----
  			    break;
  	    default:
  			    latest = regpiece(&flags);
! 			    if (latest == NULL || reg_toolong)
  				return NULL;
  			    *flagp |= flags & (HASWIDTH | HASNL | HASLOOKBH);
  			    if (chain == NULL)	/* First piece. */
***************
*** 2540,2547 ****
  	offset = (int)(scan - val);
      else
  	offset = (int)(val - scan);
!     *(scan + 1) = (char_u) (((unsigned)offset >> 8) & 0377);
!     *(scan + 2) = (char_u) (offset & 0377);
  }
  
  /*
--- 2546,2561 ----
  	offset = (int)(scan - val);
      else
  	offset = (int)(val - scan);
!     /* When the offset uses more than 16 bits it can no longer fit in the two
!      * bytes avaliable.  Use a global flag to avoid having to check return
!      * values in too many places. */
!     if (offset > 0xffff)
! 	reg_toolong = TRUE;
!     else
!     {
! 	*(scan + 1) = (char_u) (((unsigned)offset >> 8) & 0377);
! 	*(scan + 2) = (char_u) (offset & 0377);
!     }
  }
  
  /*
***************
*** 5764,5769 ****
--- 5778,5785 ----
  
  /*
   * regnext - dig the "next" pointer out of a node
+  * Returns NULL when calculating size, when there is no next item and when
+  * there is an error.
   */
      static char_u *
  regnext(p)
***************
*** 5771,5777 ****
  {
      int	    offset;
  
!     if (p == JUST_CALC_SIZE)
  	return NULL;
  
      offset = NEXT(p);
--- 5787,5793 ----
  {
      int	    offset;
  
!     if (p == JUST_CALC_SIZE || reg_toolong)
  	return NULL;
  
      offset = NEXT(p);
*** ../vim-7.2.306/src/version.c	2009-11-25 17:15:16.000000000 +0100
--- src/version.c	2009-11-25 18:14:32.000000000 +0100
***************
*** 683,684 ****
--- 683,686 ----
  {   /* Add new patch number below this line */
+ /**/
+     307,
  /**/

-- 
The fastest way to get an engineer to solve a problem is to declare that the
problem is unsolvable.  No engineer can walk away from an unsolvable problem
until it's solved.
				(Scott Adams - The Dilbert principle)

 /// Bram Moolenaar -- Bram@Moolenaar.net -- http://www.Moolenaar.net   \\\
///        sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\
\\\        download, build and distribute -- http://www.A-A-P.org        ///
 \\\            help me help AIDS victims -- http://ICCF-Holland.org    ///
Commit	Line	Data
e40e3b19 AG	1	To: vim-dev@vim.org
	2	Subject: Patch 7.2.307
	3	Fcc: outbox
	4	From: Bram Moolenaar <Bram@moolenaar.net>
	5	Mime-Version: 1.0
	6	Content-Type: text/plain; charset=UTF-8
	7	Content-Transfer-Encoding: 8bit
	8	------------
	9
	10	Patch 7.2.307
	11	Problem: Crash with a very long syntax match statement. (Guy Gur Ari)
	12	Solution: When the offset does not fit in the two bytes available give an
	13	error instead of continuing with invalid pointers.
	14	Files: src/regexp.c
	15
	16
	17	*** ../vim-7.2.306/src/regexp.c 2009-05-15 21:31:11.000000000 +0200
	18	--- src/regexp.c 2009-11-25 18:13:03.000000000 +0100
	19	***************
	20	* 583,588 **
	21	--- 583,589 ----
	22	#endif
	23	static char_u regcode; / Code-emit pointer, or JUST_CALC_SIZE */
	24	static long regsize; /* Code size. */
	25	+ static int reg_toolong; /* TRUE when offset out of range */
	26	static char_u had_endbrace[NSUBEXP]; /* flags, TRUE if end of () found */
	27	static unsigned regflags; /* RF_ flags for prog */
	28	static long brace_min[10]; /* Minimums for complex brace repeats */
	29	***************
	30	* 1028,1036 **
	31	regcomp_start(expr, re_flags);
	32	regcode = r->program;
	33	regc(REGMAGIC);
	34	! if (reg(REG_NOPAREN, &flags) == NULL)
	35	{
	36	vim_free(r);
	37	return NULL;
	38	}
	39
	40	--- 1029,1039 ----
	41	regcomp_start(expr, re_flags);
	42	regcode = r->program;
	43	regc(REGMAGIC);
	44	! if (reg(REG_NOPAREN, &flags) == NULL \|\| reg_toolong)
	45	{
	46	vim_free(r);
	47	+ if (reg_toolong)
	48	+ EMSG_RET_NULL(_("E339: Pattern too long"));
	49	return NULL;
	50	}
	51
	52	***************
	53	* 1141,1146 **
	54	--- 1144,1150 ----
	55	re_has_z = 0;
	56	#endif
	57	regsize = 0L;
	58	+ reg_toolong = FALSE;
	59	regflags = 0;
	60	#if defined(FEAT_SYN_HL) \|\| defined(PROTO)
	61	had_eol = FALSE;
	62	***************
	63	* 1228,1234 **
	64	{
65	skipchr();
66	br = regbranch(&flags);
67	! if (br == NULL)
68	return NULL;
69	regtail(ret, br); /* BRANCH -> BRANCH. */
70	if (!(flags & HASWIDTH))
71	--- 1232,1238 ----
72	{
73	skipchr();
74	br = regbranch(&flags);
75	! if (br == NULL \|\| reg_toolong)
76	return NULL;
77	regtail(ret, br); /* BRANCH -> BRANCH. */
78	if (!(flags & HASWIDTH))
79	***************
80	* 1313,1318 **
81	--- 1317,1324 ----
82	break;
83	skipchr();
84	regtail(latest, regnode(END)); /* operand ends */
85	+ if (reg_toolong)
86	+ break;
87	reginsert(MATCH, latest);
88	chain = latest;
89	}
90	***************
91	* 1382,1388 **
92	break;
93	default:
94	latest = regpiece(&flags);
95	! if (latest == NULL)
96	return NULL;
97	*flagp \|= flags & (HASWIDTH \| HASNL \| HASLOOKBH);
98	if (chain == NULL) /* First piece. */
99	--- 1388,1394 ----
100	break;
101	default:
102	latest = regpiece(&flags);
103	! if (latest == NULL \|\| reg_toolong)
104	return NULL;
105	*flagp \|= flags & (HASWIDTH \| HASNL \| HASLOOKBH);
106	if (chain == NULL) /* First piece. */
107	***************
108	* 2540,2547 **
109	offset = (int)(scan - val);
110	else
111	offset = (int)(val - scan);
112	! *(scan + 1) = (char_u) (((unsigned)offset >> 8) & 0377);
113	! *(scan + 2) = (char_u) (offset & 0377);
114	}
115
116	/*
117	--- 2546,2561 ----
118	offset = (int)(scan - val);
119	else
120	offset = (int)(val - scan);
121	! /* When the offset uses more than 16 bits it can no longer fit in the two
122	! * bytes avaliable. Use a global flag to avoid having to check return
123	! * values in too many places. */
124	! if (offset > 0xffff)
125	! reg_toolong = TRUE;
126	! else
127	! {
128	! *(scan + 1) = (char_u) (((unsigned)offset >> 8) & 0377);
129	! *(scan + 2) = (char_u) (offset & 0377);
130	! }
131	}
132
133	/*
134	***************
135	* 5764,5769 **
136	--- 5778,5785 ----
137
138	/*
139	* regnext - dig the "next" pointer out of a node
140	+ * Returns NULL when calculating size, when there is no next item and when
141	+ * there is an error.
142	*/
143	static char_u *
144	regnext(p)
145	***************
146	* 5771,5777 **
147	{
148	int offset;
149
150	! if (p == JUST_CALC_SIZE)
151	return NULL;
152
153	offset = NEXT(p);
154	--- 5787,5793 ----
155	{
156	int offset;
157
158	! if (p == JUST_CALC_SIZE \|\| reg_toolong)
159	return NULL;
160
161	offset = NEXT(p);
162	*** ../vim-7.2.306/src/version.c 2009-11-25 17:15:16.000000000 +0100
163	--- src/version.c 2009-11-25 18:14:32.000000000 +0100
164	***************
165	* 683,684 **
166	--- 683,686 ----
167	{ /* Add new patch number below this line */
168	+ /**/
169	+ 307,
170	/**/
171
172	--
173	The fastest way to get an engineer to solve a problem is to declare that the
174	problem is unsolvable. No engineer can walk away from an unsolvable problem
175	until it's solved.
176	(Scott Adams - The Dilbert principle)
177
178	/// Bram Moolenaar -- Bram@Moolenaar.net -- http://www.Moolenaar.net \\\
179	/// sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\
180	\\\ download, build and distribute -- http://www.A-A-P.org ///
181	\\\ help me help AIDS victims -- http://ICCF-Holland.org ///