To: vim_dev@googlegroups.com Subject: Patch 8.2.4255 Fcc: outbox From: Bram Moolenaar Mime-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ------------ Patch 8.2.4255 Problem: Theoretical computation overflow. Solution: Perform multiplication in a wider type. (closes #9657) Files: src/alloc.c, src/drawline.c, src/eval.c, src/evalfunc.c, src/ex_docmd.c, src/hardcopy.c, src/list.c, src/memfile.c, src/memline.c, src/popupwin.c *** ../vim-8.2.4254/src/alloc.c 2022-01-26 16:45:16.930506772 +0000 --- src/alloc.c 2022-01-29 15:15:44.657344407 +0000 *************** *** 737,747 **** if (n < gap->ga_len / 2) n = gap->ga_len / 2; ! new_len = gap->ga_itemsize * (gap->ga_len + n); pp = vim_realloc(gap->ga_data, new_len); if (pp == NULL) return FAIL; ! old_len = gap->ga_itemsize * gap->ga_maxlen; vim_memset(pp + old_len, 0, new_len - old_len); gap->ga_maxlen = gap->ga_len + n; gap->ga_data = pp; --- 737,747 ---- if (n < gap->ga_len / 2) n = gap->ga_len / 2; ! new_len = (size_t)gap->ga_itemsize * (gap->ga_len + n); pp = vim_realloc(gap->ga_data, new_len); if (pp == NULL) return FAIL; ! old_len = (size_t)gap->ga_itemsize * gap->ga_maxlen; vim_memset(pp + old_len, 0, new_len - old_len); gap->ga_maxlen = gap->ga_len + n; gap->ga_data = pp; *** ../vim-8.2.4254/src/drawline.c 2022-01-28 15:28:00.200927841 +0000 --- src/drawline.c 2022-01-29 15:17:03.196184476 +0000 *************** *** 2800,2806 **** if (((wp->w_p_cuc && (int)wp->w_virtcol >= VCOL_HLC - eol_hl_off && (int)wp->w_virtcol < ! wp->w_width * (row - startrow + 1) + v && lnum != wp->w_cursor.lnum) || draw_color_col || win_attr != 0) --- 2800,2806 ---- if (((wp->w_p_cuc && (int)wp->w_virtcol >= VCOL_HLC - eol_hl_off && (int)wp->w_virtcol < ! 
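Review bot: The `(size_t)` cast on `new_len` widens only the multiplication; `gap->ga_len + n` is still evaluated in the operands' own type (the garray_T counters, presumably int) before the cast applies, so that addition keeps its original width. Since the same sum is stored back into `gap->ga_maxlen = gap->ga_len + n` a few lines later, a wider sum could not be retained anyway, so the residual risk lives in the element count rather than the byte size; a one-line comment would save the next reader from wondering, e.g. `// widen before multiplying: itemsize * count may exceed int`. The eval.c hunk (`new_len = (size_t)exestack.ga_itemsize * (exestack.ga_len + n);`) has the same shape and the same remark applies. The enclosing function starts and ends outside the hunk.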
(long)wp->w_width * (row - startrow + 1) + v && lnum != wp->w_cursor.lnum) || draw_color_col || win_attr != 0) *** ../vim-8.2.4254/src/eval.c 2022-01-26 21:17:00.552771590 +0000 --- src/eval.c 2022-01-29 15:15:44.657344407 +0000 *************** *** 4632,4638 **** // Don't make it bigger though. if (exestack.ga_len + n < exestack.ga_maxlen) { ! new_len = exestack.ga_itemsize * (exestack.ga_len + n); pp = vim_realloc(exestack.ga_data, new_len); if (pp == NULL) return FAIL; --- 4632,4638 ---- // Don't make it bigger though. if (exestack.ga_len + n < exestack.ga_maxlen) { ! new_len = (size_t)exestack.ga_itemsize * (exestack.ga_len + n); pp = vim_realloc(exestack.ga_data, new_len); if (pp == NULL) return FAIL; *** ../vim-8.2.4254/src/evalfunc.c 2022-01-29 13:06:19.340028690 +0000 --- src/evalfunc.c 2022-01-29 15:15:44.657344407 +0000 *************** *** 7327,7333 **** if ((l->lv_u.nonmat.lv_stride > 0) ^ domax) n = l->lv_u.nonmat.lv_start; else ! n = l->lv_u.nonmat.lv_start + (l->lv_len - 1) * l->lv_u.nonmat.lv_stride; } else --- 7327,7333 ---- if ((l->lv_u.nonmat.lv_stride > 0) ^ domax) n = l->lv_u.nonmat.lv_start; else ! n = l->lv_u.nonmat.lv_start + ((varnumber_T)l->lv_len - 1) * l->lv_u.nonmat.lv_stride; } else *** ../vim-8.2.4254/src/ex_docmd.c 2022-01-28 15:28:00.208927722 +0000 --- src/ex_docmd.c 2022-01-29 15:15:44.661344350 +0000 *************** *** 4738,4744 **** while ((pos = (char_u *)strstr((char *)pos + 2, "$*")) != NULL) ++i; len = (int)STRLEN(p); ! new_cmdline = alloc(STRLEN(program) + i * (len - 2) + 1); if (new_cmdline == NULL) return NULL; // out of memory ptr = new_cmdline; --- 4738,4744 ---- while ((pos = (char_u *)strstr((char *)pos + 2, "$*")) != NULL) ++i; len = (int)STRLEN(p); ! 
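Review bot: `(long)` is not a guaranteed widening of an `int` product: on LLP64 targets (64-bit Windows) `long` is still 32 bits, so `(long)wp->w_width * (row - startrow + 1)` gains nothing there, whereas the other hunks in this patch widen with `size_t`. For screen geometry the operands are small enough that this stays theoretical, but if the intent is a type that is wider everywhere, a cast such as `(long long)` would be the consistent choice. The same caveat applies to memline.c's `(long)ffdos * buf->b_ml.ml_chunksize[curix].mlcs_numlines` and, if `linenr_T` is a `long` typedef, to popupwin.c's `(linenr_T)height * height`. The enclosing condition starts before the hunk and the function continues past it.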
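Review bot: Casting `l->lv_len` to `varnumber_T` removes the int-width product, but `((varnumber_T)l->lv_len - 1) * l->lv_u.nonmat.lv_stride` is still signed arithmetic and overflows (undefined behaviour) if the stored start, stride and length of a range list were ever inconsistent with each other. Whether that is reachable depends on the bounds enforced where the range is built, which is outside this hunk; if those checks guarantee the last element fits in `varnumber_T`, a comment stating the invariant (`// cannot overflow: start/end/stride were validated when the range was created`) would document what this line relies on. The list.c hunk computes the same expression for `new_start` and carries the same caveat. Both enclosing functions begin outside their hunks.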
new_cmdline = alloc(STRLEN(program) + (size_t)i * (len - 2) + 1); if (new_cmdline == NULL) return NULL; // out of memory ptr = new_cmdline; *** ../vim-8.2.4254/src/hardcopy.c 2022-01-08 16:19:18.505639885 +0000 --- src/hardcopy.c 2022-01-29 15:17:41.423620153 +0000 *************** *** 2769,2777 **** // derive the bbox from that point. We have the expected cpl chars // across the media and lpp lines down the media. bbox[1] = (int)(top - (psettings->lines_per_page + prt_header_height()) ! * prt_line_height); ! bbox[2] = (int)(left + psettings->chars_per_line * prt_char_width ! + 0.5); bbox[3] = (int)(top + 0.5); } else --- 2769,2777 ---- // derive the bbox from that point. We have the expected cpl chars // across the media and lpp lines down the media. bbox[1] = (int)(top - (psettings->lines_per_page + prt_header_height()) ! * (double)prt_line_height); ! bbox[2] = (int)(left + psettings->chars_per_line ! * (double)prt_char_width + 0.5); bbox[3] = (int)(top + 0.5); } else *************** *** 2782,2789 **** bbox[1] = (int)bottom; bbox[2] = (int)(left + ((psettings->lines_per_page + prt_header_height()) * prt_line_height) + 0.5); ! bbox[3] = (int)(bottom + psettings->chars_per_line * prt_char_width ! + 0.5); } prt_dsc_ints("BoundingBox", 4, bbox); // The media width and height does not change with landscape printing! --- 2782,2789 ---- bbox[1] = (int)bottom; bbox[2] = (int)(left + ((psettings->lines_per_page + prt_header_height()) * prt_line_height) + 0.5); ! bbox[3] = (int)(bottom + psettings->chars_per_line ! * (double)prt_char_width + 0.5); } prt_dsc_ints("BoundingBox", 4, bbox); // The media width and height does not change with landscape printing! *************** *** 2797,2803 **** if (prt_out_mbyte) { prt_dsc_font_resource((prt_use_courier ? NULL ! : "DocumentNeededResources"), &prt_ps_mb_font); if (!prt_custom_cmap) prt_dsc_resources(NULL, "cmap", prt_cmap); } --- 2797,2803 ---- if (prt_out_mbyte) { prt_dsc_font_resource((prt_use_courier ? NULL ! 
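Review bot: `(size_t)i * (len - 2)` is a negative-valued product when `p` is shorter than two characters (`len` is `(int)STRLEN(p)`), so after conversion to `size_t` it wraps and the final sum only comes out right through modular arithmetic; that holds because every `$*` found by `strstr(... "$*")` occupies two characters of `program` that the replacement removes, but it is not obvious from the line. A comment would prevent a later "fix", e.g. `// len - 2 may be negative; unsigned wrap-around still yields the right size since each "$*" is two chars`. The original expression had the same property, so this is documentation rather than a regression. The enclosing function starts and ends outside the hunk.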
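Review bot: The second hardcopy.c hunk leaves `bbox[2] = (int)(left + ((psettings->lines_per_page + prt_header_height()) * prt_line_height) + 0.5);` without the `(double)` cast that the first hunk adds to the identical `(psettings->lines_per_page + prt_header_height()) * prt_line_height` product, so the landscape branch still performs that multiplication in the narrower type. For consistency and to close the case the patch targets, `* (double)prt_line_height` belongs on that line as well. The third hardcopy.c hunk appears to be a whitespace-only change.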
: "DocumentNeededResources"), &prt_ps_mb_font); if (!prt_custom_cmap) prt_dsc_resources(NULL, "cmap", prt_cmap); } *** ../vim-8.2.4254/src/list.c 2022-01-27 17:37:37.759862584 +0000 --- src/list.c 2022-01-29 15:15:44.661344350 +0000 *************** *** 2902,2908 **** if (l->lv_first == &range_list_item) { varnumber_T new_start = l->lv_u.nonmat.lv_start ! + (l->lv_len - 1) * l->lv_u.nonmat.lv_stride; l->lv_u.nonmat.lv_end = new_start - (l->lv_u.nonmat.lv_end - l->lv_u.nonmat.lv_start); l->lv_u.nonmat.lv_start = new_start; --- 2902,2908 ---- if (l->lv_first == &range_list_item) { varnumber_T new_start = l->lv_u.nonmat.lv_start ! + ((varnumber_T)l->lv_len - 1) * l->lv_u.nonmat.lv_stride; l->lv_u.nonmat.lv_end = new_start - (l->lv_u.nonmat.lv_end - l->lv_u.nonmat.lv_start); l->lv_u.nonmat.lv_start = new_start; *** ../vim-8.2.4254/src/memfile.c 2022-01-02 17:00:37.002093302 +0000 --- src/memfile.c 2022-01-29 15:18:21.579027565 +0000 *************** *** 249,255 **** // free entries in used list for (hp = mfp->mf_used_first; hp != NULL; hp = nextp) { ! total_mem_used -= hp->bh_page_count * mfp->mf_page_size; nextp = hp->bh_next; mf_free_bhdr(hp); } --- 249,255 ---- // free entries in used list for (hp = mfp->mf_used_first; hp != NULL; hp = nextp) { ! total_mem_used -= (long_u)hp->bh_page_count * mfp->mf_page_size; nextp = hp->bh_next; mf_free_bhdr(hp); } *************** *** 359,365 **** } else if (hp == NULL) // need to allocate memory for this block { ! if ((p = alloc(mfp->mf_page_size * page_count)) == NULL) return NULL; hp = mf_rem_free(mfp); hp->bh_data = p; --- 359,365 ---- } else if (hp == NULL) // need to allocate memory for this block { ! if ((p = alloc((size_t)mfp->mf_page_size * page_count)) == NULL) return NULL; hp = mf_rem_free(mfp); hp->bh_data = p; *************** *** 718,724 **** else hp->bh_next->bh_prev = hp; mfp->mf_used_count += hp->bh_page_count; ! 
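Review bot: The memfile.c hunks widen the same `bh_page_count * mf_page_size` product to two different types: `(long_u)` for the `total_mem_used` accounting (this hunk and the 718/736 hunks) but `(size_t)` for the `alloc()` calls (the 359, 814 and 881 hunks). On LLP64 targets `long_u` is 32 bits while `size_t` is 64, so the counter can wrap where the allocation itself succeeds; if `total_mem_used` is declared `long_u` that cannot be fixed here without changing its type, but a note at its definition that the accounting is best-effort on such platforms would make the mismatch deliberate rather than accidental. Each of these hunks sits inside a function that starts outside the hunk.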
total_mem_used += hp->bh_page_count * mfp->mf_page_size; } /* --- 718,724 ---- else hp->bh_next->bh_prev = hp; mfp->mf_used_count += hp->bh_page_count; ! total_mem_used += (long_u)hp->bh_page_count * mfp->mf_page_size; } /* *************** *** 736,742 **** else hp->bh_prev->bh_next = hp->bh_next; mfp->mf_used_count -= hp->bh_page_count; ! total_mem_used -= hp->bh_page_count * mfp->mf_page_size; } /* --- 736,742 ---- else hp->bh_prev->bh_next = hp->bh_next; mfp->mf_used_count -= hp->bh_page_count; ! total_mem_used -= (long_u)hp->bh_page_count * mfp->mf_page_size; } /* *************** *** 814,820 **** if (hp->bh_page_count != page_count) { vim_free(hp->bh_data); ! if ((hp->bh_data = alloc(mfp->mf_page_size * page_count)) == NULL) { vim_free(hp); return NULL; --- 814,821 ---- if (hp->bh_page_count != page_count) { vim_free(hp->bh_data); ! if ((hp->bh_data = alloc((size_t)mfp->mf_page_size * page_count)) ! == NULL) { vim_free(hp); return NULL; *************** *** 881,887 **** if ((hp = ALLOC_ONE(bhdr_T)) != NULL) { ! if ((hp->bh_data = alloc(mfp->mf_page_size * page_count)) == NULL) { vim_free(hp); // not enough memory return NULL; --- 882,889 ---- if ((hp = ALLOC_ONE(bhdr_T)) != NULL) { ! if ((hp->bh_data = alloc((size_t)mfp->mf_page_size * page_count)) ! == NULL) { vim_free(hp); // not enough memory return NULL; *** ../vim-8.2.4254/src/memline.c 2022-01-28 15:28:00.208927722 +0000 --- src/memline.c 2022-01-29 15:18:37.106798465 +0000 *************** *** 5778,5784 **** && lnum >= curline + buf->b_ml.ml_chunksize[curix].mlcs_numlines) || (offset != 0 && offset > size + buf->b_ml.ml_chunksize[curix].mlcs_totalsize ! + ffdos * buf->b_ml.ml_chunksize[curix].mlcs_numlines))) { curline += buf->b_ml.ml_chunksize[curix].mlcs_numlines; size += buf->b_ml.ml_chunksize[curix].mlcs_totalsize; --- 5778,5784 ---- && lnum >= curline + buf->b_ml.ml_chunksize[curix].mlcs_numlines) || (offset != 0 && offset > size + buf->b_ml.ml_chunksize[curix].mlcs_totalsize ! 
+ (long)ffdos * buf->b_ml.ml_chunksize[curix].mlcs_numlines))) { curline += buf->b_ml.ml_chunksize[curix].mlcs_numlines; size += buf->b_ml.ml_chunksize[curix].mlcs_totalsize; *** ../vim-8.2.4254/src/popupwin.c 2022-01-06 21:41:07.653593304 +0000 --- src/popupwin.c 2022-01-29 15:18:53.342558949 +0000 *************** *** 3427,3433 **** return; // cache is still valid vim_free(wp->w_popup_mask_cells); ! wp->w_popup_mask_cells = alloc_clear(width * height); if (wp->w_popup_mask_cells == NULL) return; cells = wp->w_popup_mask_cells; --- 3427,3433 ---- return; // cache is still valid vim_free(wp->w_popup_mask_cells); ! wp->w_popup_mask_cells = alloc_clear((size_t)width * height); if (wp->w_popup_mask_cells == NULL) return; cells = wp->w_popup_mask_cells; *************** *** 3639,3645 **** mask = popup_mask; else mask = popup_mask_next; ! vim_memset(mask, 0, screen_Rows * screen_Columns * sizeof(short)); // Find the window with the lowest zindex that hasn't been handled yet, // so that the window with a higher zindex overwrites the value in --- 3639,3645 ---- mask = popup_mask; else mask = popup_mask_next; ! vim_memset(mask, 0, (size_t)screen_Rows * screen_Columns * sizeof(short)); // Find the window with the lowest zindex that hasn't been handled yet, // so that the window with a higher zindex overwrites the value in *************** *** 4008,4014 **** linenr_T linecount = wp->w_buffer->b_ml.ml_line_count; int height = wp->w_height; ! sb_thumb_height = (height * height + linecount / 2) / linecount; if (wp->w_topline > 1 && sb_thumb_height == height) --sb_thumb_height; // scrolled, no full thumb if (sb_thumb_height == 0) --- 4008,4015 ---- linenr_T linecount = wp->w_buffer->b_ml.ml_line_count; int height = wp->w_height; ! sb_thumb_height = ((linenr_T)height * height + linecount / 2) ! 
/ linecount; if (wp->w_topline > 1 && sb_thumb_height == height) --sb_thumb_height; // scrolled, no full thumb if (sb_thumb_height == 0) *** ../vim-8.2.4254/src/version.c 2022-01-29 15:12:35.172146951 +0000 --- src/version.c 2022-01-29 15:15:21.637684547 +0000 *************** *** 752,753 **** --- 752,755 ---- { /* Add new patch number below this line */ + /**/ + 4255, /**/ -- LARGE MAN: Who's that then? CART DRIVER: (Grudgingly) I dunno, Must be a king. LARGE MAN: Why? CART DRIVER: He hasn't got shit all over him. "Monty Python and the Holy Grail" PYTHON (MONTY) PICTURES LTD /// Bram Moolenaar -- Bram@Moolenaar.net -- http://www.Moolenaar.net \\\ /// \\\ \\\ sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ /// \\\ help me help AIDS victims -- http://ICCF-Holland.org ///