e40e3b19 AG |
1 | To: vim-dev@vim.org |
2 | Subject: Patch 7.2.307 | |
3 | Fcc: outbox | |
4 | From: Bram Moolenaar <Bram@moolenaar.net> | |
5 | Mime-Version: 1.0 | |
6 | Content-Type: text/plain; charset=UTF-8 | |
7 | Content-Transfer-Encoding: 8bit | |
8 | ------------ | |
9 | ||
10 | Patch 7.2.307 | |
11 | Problem: Crash with a very long syntax match statement. (Guy Gur Ari) | |
12 | Solution: When the offset does not fit in the two bytes available give an | |
13 | error instead of continuing with invalid pointers. | |
14 | Files: src/regexp.c | |
15 | ||
16 | ||
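--- a/src/regexp.c
+++ b/src/regexp.c
@@ -583,6 +583,7 @@
 #endif
 static char_u *regcode; /* Code-emit pointer, or JUST_CALC_SIZE */
 static long regsize; /* Code size. */
+static int reg_toolong; /* TRUE when offset out of range */
 static char_u had_endbrace[NSUBEXP]; /* flags, TRUE if end of () found */
 static unsigned regflags; /* RF_ flags for prog */
 static long brace_min[10]; /* Minimums for complex brace repeats */
@@ -1028,9 +1029,11 @@
 regcomp_start(expr, re_flags);
 regcode = r->program;
 regc(REGMAGIC);
-if (reg(REG_NOPAREN, &flags) == NULL)
+if (reg(REG_NOPAREN, &flags) == NULL || reg_toolong)
 {
 vim_free(r);
+if (reg_toolong)
+EMSG_RET_NULL(_("E339: Pattern too long"));
 return NULL;
 }
 
@@ -1141,6 +1144,7 @@
 re_has_z = 0;
 #endif
 regsize = 0L;
+reg_toolong = FALSE;
 regflags = 0;
 #if defined(FEAT_SYN_HL) || defined(PROTO)
 had_eol = FALSE;
@@ -1228,7 +1232,7 @@
 {
 skipchr();
 br = regbranch(&flags);
-if (br == NULL)
+if (br == NULL || reg_toolong)
 return NULL;
 regtail(ret, br); /* BRANCH -> BRANCH. */
 if (!(flags & HASWIDTH))
@@ -1313,6 +1317,8 @@
 break;
 skipchr();
 regtail(latest, regnode(END)); /* operand ends */
+if (reg_toolong)
+break;
 reginsert(MATCH, latest);
 chain = latest;
 }
@@ -1382,7 +1388,7 @@
 break;
 default:
 latest = regpiece(&flags);
-if (latest == NULL)
+if (latest == NULL || reg_toolong)
 return NULL;
 *flagp |= flags & (HASWIDTH | HASNL | HASLOOKBH);
 if (chain == NULL) /* First piece. */
@@ -2540,8 +2546,16 @@
 offset = (int)(scan - val);
 else
 offset = (int)(val - scan);
-*(scan + 1) = (char_u) (((unsigned)offset >> 8) & 0377);
-*(scan + 2) = (char_u) (offset & 0377);
+/* When the offset uses more than 16 bits it can no longer fit in the two
+* bytes avaliable. Use a global flag to avoid having to check return
+* values in too many places. */
+if (offset > 0xffff)
+reg_toolong = TRUE;
+else
+{
+*(scan + 1) = (char_u) (((unsigned)offset >> 8) & 0377);
+*(scan + 2) = (char_u) (offset & 0377);
+}
 }
 
 /*
@@ -5764,6 +5778,8 @@
 
 /*
 * regnext - dig the "next" pointer out of a node
+* Returns NULL when calculating size, when there is no next item and when
+* there is an error.
 */
 static char_u *
 regnext(p)
@@ -5771,7 +5787,7 @@
 {
 int offset;
 
-if (p == JUST_CALC_SIZE)
+if (p == JUST_CALC_SIZE || reg_toolong)
 return NULL;
 
 offset = NEXT(p);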
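Review bot: reg_toolong is a file-scope flag that the offset-writing hunk (new lines 2546-2561) sets and regnext() consults, but among the visible hunks it is cleared only by the initialisation at new line 1147, so after an E339 failure it stays TRUE until the next compile starts. If regnext() is also reached while executing a program that was compiled earlier (not visible on this page, worth confirming), every lookup in that window would return NULL and a valid program would be treated as having no next node. Clearing the flag on the failure path at new lines 1029-1039 keeps the state scoped to one compile, e.g. `if (reg_toolong) { reg_toolong = FALSE; EMSG_RET_NULL(_("E339: Pattern too long")); }`. It would also help to extend the comment at the `offset > 0xffff` check to say that the two offset bytes are left unwritten and the partially emitted program must be discarded, since that is the invariant the memory-safety fix relies on. The enclosing functions of all these hunks begin and end outside the hunks.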
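--- a/src/version.c
+++ b/src/version.c
@@ -683,2 +683,4 @@
 { /* Add new patch number below this line */
+/**/
+307,
 /**/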
171 | ||
172 | -- | |
173 | The fastest way to get an engineer to solve a problem is to declare that the | |
174 | problem is unsolvable. No engineer can walk away from an unsolvable problem | |
175 | until it's solved. | |
176 | (Scott Adams - The Dilbert principle) | |
177 | ||
178 | /// Bram Moolenaar -- Bram@Moolenaar.net -- http://www.Moolenaar.net \\\ | |
179 | /// sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\ | |
180 | \\\ download, build and distribute -- http://www.A-A-P.org /// | |
181 | \\\ help me help AIDS victims -- http://ICCF-Holland.org /// |