To: vim_dev@googlegroups.com Subject: Patch 7.3.664 Fcc: outbox From: Bram Moolenaar Mime-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ------------ Patch 7.3.664 Problem: Buffer overflow in unescaping text. (Raymond Ko) Solution: Limit check for multi-byte character to 4 bytes. Files: src/mbyte.c *** ../vim-7.3.663/src/mbyte.c 2012-06-01 17:46:52.000000000 +0200 --- src/mbyte.c 2012-09-18 17:53:05.000000000 +0200 *************** *** 3793,3805 **** mb_unescape(pp) char_u **pp; { ! static char_u buf[MB_MAXBYTES + 1]; ! int n, m = 0; char_u *str = *pp; /* Must translate K_SPECIAL KS_SPECIAL KE_FILLER to K_SPECIAL and CSI ! * KS_EXTRA KE_CSI to CSI. */ ! for (n = 0; str[n] != NUL && m <= MB_MAXBYTES; ++n) { if (str[n] == K_SPECIAL && str[n + 1] == KS_SPECIAL --- 3793,3807 ---- mb_unescape(pp) char_u **pp; { ! static char_u buf[6]; ! int n; ! int m = 0; char_u *str = *pp; /* Must translate K_SPECIAL KS_SPECIAL KE_FILLER to K_SPECIAL and CSI ! * KS_EXTRA KE_CSI to CSI. ! * Maximum length of a utf-8 character is 4 bytes. */ ! for (n = 0; str[n] != NUL && m < 4; ++n) { if (str[n] == K_SPECIAL && str[n + 1] == KS_SPECIAL *************** *** 3836,3841 **** --- 3838,3847 ---- *pp = str + n + 1; return buf; } + + /* Bail out quickly for ASCII. */ + if (buf[0] < 128) + break; } return NULL; } *** ../vim-7.3.663/src/version.c 2012-09-18 16:47:00.000000000 +0200 --- src/version.c 2012-09-18 18:01:14.000000000 +0200 *************** *** 721,722 **** --- 721,724 ---- { /* Add new patch number below this line */ + /**/ + 664, /**/ -- There are three kinds of people: Those who can count & those who can't. /// Bram Moolenaar -- Bram@Moolenaar.net -- http://www.Moolenaar.net \\\ /// sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\ \\\ an exciting new programming language -- http://www.Zimbu.org /// \\\ help me help AIDS victims -- http://ICCF-Holland.org ///