To: vim_dev@googlegroups.com Subject: Patch 8.2.4245 Fcc: outbox From: Bram Moolenaar Mime-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ------------ Patch 8.2.4245 Problem: ":retab 0" may cause illegal memory access. Solution: Limit the value of 'tabstop' to 10000. Files: src/option.c, src/vim.h, src/indent.c, src/testdir/test_options.vim *** ../vim-8.2.4244/src/option.c 2022-01-28 15:28:00.212927659 +0000 --- src/option.c 2022-01-28 20:36:47.009469689 +0000 *************** *** 3752,3757 **** --- 3752,3762 ---- errmsg = e_argument_must_be_positive; curbuf->b_p_ts = 8; } + else if (curbuf->b_p_ts > TABSTOP_MAX) + { + errmsg = e_invalid_argument; + curbuf->b_p_ts = 8; + } if (p_tm < 0) { errmsg = e_argument_must_be_positive; *************** *** 5983,5989 **** if (p_vsts && p_vsts != empty_option) (void)tabstop_set(p_vsts, &buf->b_p_vsts_array); else ! buf->b_p_vsts_array = 0; buf->b_p_vsts_nopaste = p_vsts_nopaste ? vim_strsave(p_vsts_nopaste) : NULL; #endif --- 5988,5994 ---- if (p_vsts && p_vsts != empty_option) (void)tabstop_set(p_vsts, &buf->b_p_vsts_array); else ! buf->b_p_vsts_array = NULL; buf->b_p_vsts_nopaste = p_vsts_nopaste ? vim_strsave(p_vsts_nopaste) : NULL; #endif *************** *** 6803,6811 **** if (buf->b_p_vsts) free_string_option(buf->b_p_vsts); buf->b_p_vsts = empty_option; ! if (buf->b_p_vsts_array) ! vim_free(buf->b_p_vsts_array); ! buf->b_p_vsts_array = 0; #endif } --- 6808,6814 ---- if (buf->b_p_vsts) free_string_option(buf->b_p_vsts); buf->b_p_vsts = empty_option; ! VIM_CLEAR(buf->b_p_vsts_array); #endif } *************** *** 6851,6862 **** free_string_option(buf->b_p_vsts); buf->b_p_vsts = buf->b_p_vsts_nopaste ? vim_strsave(buf->b_p_vsts_nopaste) : empty_option; ! if (buf->b_p_vsts_array) ! vim_free(buf->b_p_vsts_array); if (buf->b_p_vsts && buf->b_p_vsts != empty_option) (void)tabstop_set(buf->b_p_vsts, &buf->b_p_vsts_array); else ! 
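Review bot: The new `else if (curbuf->b_p_ts > TABSTOP_MAX)` branch in the src/option.c hunk at 3752 has no comment saying why 'tabstop' needs an upper bound, so a later reader could relax it without knowing it is the fix for the illegal memory access named in the commit message. I would add `// Reject 'tabstop' above TABSTOP_MAX; :retab and 'vartabstop' enforce the same limit.` above the branch. Like the branch before it, the rejected value is replaced by 8 rather than the previous setting, which is worth stating in the same comment. The enclosing function starts and ends outside the hunk.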
buf->b_p_vsts_array = 0; #endif } --- 6854,6864 ---- free_string_option(buf->b_p_vsts); buf->b_p_vsts = buf->b_p_vsts_nopaste ? vim_strsave(buf->b_p_vsts_nopaste) : empty_option; ! vim_free(buf->b_p_vsts_array); if (buf->b_p_vsts && buf->b_p_vsts != empty_option) (void)tabstop_set(buf->b_p_vsts, &buf->b_p_vsts_array); else ! buf->b_p_vsts_array = NULL; #endif } *** ../vim-8.2.4244/src/vim.h 2022-01-26 11:16:48.659593594 +0000 --- src/vim.h 2022-01-28 20:34:57.099104517 +0000 *************** *** 2085,2090 **** --- 2085,2092 ---- #define DICT_MAXNEST 100 // maximum nesting of lists and dicts + #define TABSTOP_MAX 9999 + #ifdef FEAT_CLIPBOARD // VIM_ATOM_NAME is the older Vim-specific selection type for X11. Still *** ../vim-8.2.4244/src/indent.c 2022-01-22 20:31:56.315870158 +0000 --- src/indent.c 2022-01-28 20:36:16.733919854 +0000 *************** *** 71,77 **** int n = atoi((char *)cp); // Catch negative values, overflow and ridiculous big values. ! if (n < 0 || n > 9999) { semsg(_(e_invalid_argument_str), cp); vim_free(*array); --- 71,77 ---- int n = atoi((char *)cp); // Catch negative values, overflow and ridiculous big values. ! if (n < 0 || n > TABSTOP_MAX) { semsg(_(e_invalid_argument_str), cp); vim_free(*array); *************** *** 1649,1655 **** emsg(_(e_argument_must_be_positive)); return; } ! if (new_ts < 0 || new_ts > 9999) { semsg(_(e_invalid_argument_str), eap->arg); return; --- 1649,1655 ---- emsg(_(e_argument_must_be_positive)); return; } ! 
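Review bot: In the src/option.c hunk at 6851, `vim_free(buf->b_p_vsts_array);` leaves the freed pointer in the field until one of the two following branches assigns it, and the `tabstop_set()` result is discarded with `(void)`. If tabstop_set() can return on an error path without writing `*array` (its early returns are not visible in this patch), the buffer keeps a dangling pointer that a later free or read would hit. The hunk at 6803 already uses `VIM_CLEAR(buf->b_p_vsts_array);`, and using the same call here would close that window. The enclosing function starts outside the hunk.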
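Review bot: `#define TABSTOP_MAX 9999` in src/vim.h is added without a comment, unlike `DICT_MAXNEST` just above it; something like `#define TABSTOP_MAX 9999  // maximum value for 'tabstop', 'vartabstop' items and :retab` would record where the limit applies. The commit summary says the value is limited to 10000, while the check is `> TABSTOP_MAX` and the new test expects `set tabstop=10000` to fail, so the largest accepted value is 9999. The comment is a good place to make that explicit.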
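Review bot: The context line `int n = atoi((char *)cp);` in the src/indent.c hunk at 71 cannot deliver what the comment above the check promises: atoi() has undefined behaviour when the digits do not fit in an int, so the `n > TABSTOP_MAX` test is not guaranteed to see an overflowed value. Parsing with `long n = strtol((char *)cp, NULL, 10);` keeps the same range check meaningful, because strtol() saturates at LONG_MAX or LONG_MIN on overflow. Later uses of `n` are outside the hunk and may need a conversion back to int once the range check has passed. The enclosing function starts and ends outside the hunk.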
if (new_ts < 0 || new_ts > TABSTOP_MAX) { semsg(_(e_invalid_argument_str), eap->arg); return; *** ../vim-8.2.4244/src/testdir/test_options.vim 2021-12-11 12:26:55.924402407 +0000 --- src/testdir/test_options.vim 2022-01-28 20:32:39.641150821 +0000 *************** *** 368,373 **** --- 368,375 ---- call assert_fails('set shiftwidth=-1', 'E487:') call assert_fails('set sidescroll=-1', 'E487:') call assert_fails('set tabstop=-1', 'E487:') + call assert_fails('set tabstop=10000', 'E474:') + call assert_fails('set tabstop=5500000000', 'E474:') call assert_fails('set textwidth=-1', 'E487:') call assert_fails('set timeoutlen=-1', 'E487:') call assert_fails('set updatecount=-1', 'E487:') *** ../vim-8.2.4244/src/version.c 2022-01-28 18:54:10.125520952 +0000 --- src/version.c 2022-01-28 20:30:00.275526431 +0000 *************** *** 752,753 **** --- 752,755 ---- { /* Add new patch number below this line */ + /**/ + 4245, /**/ -- Clothes make the man. Naked people have little or no influence on society. -- Mark Twain (Samuel Clemens) (1835-1910) /// Bram Moolenaar -- Bram@Moolenaar.net -- http://www.Moolenaar.net \\\ /// \\\ \\\ sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ /// \\\ help me help AIDS victims -- http://ICCF-Holland.org ///
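Review bot: The assertions added in src/testdir/test_options.vim cover only rejected `:set tabstop=` values; nothing checks that the largest allowed value is still accepted, and nothing exercises `:retab`, the command named in the problem statement. A boundary check such as `set tabstop=9999` followed by `call assert_equal(9999, &tabstop)` and `set tabstop&` would pin the limit against an off-by-one. A separate `assert_fails()` case for `:retab` with an argument above the limit would tie the test to the reported problem; the enclosing test function starts and ends outside the hunk.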