From 766f4c3f62f530cf6c29272bae63a097681ab7fb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabian=20Vi=C3=B6l?=
Date: Thu, 29 Apr 2021 10:36:34 +0200
Subject: [PATCH 1/3] get_str_line: Use heap instead of stack

The stack allocated buffer does introduce an arbitrary limit, to the length of the line. Previously, if the line was too long, it might be catched by a stack smash canary or resulted into a crash. This is not guaranteed though, and thus could result into undefined behavior. To mitigate this, an dynamic allocated buffer is replacing the stack allocated buffer, with the initial capacity of the copied line.
---
 src/nvim/ex_cmds2.c | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)

diff --git a/src/nvim/ex_cmds2.c b/src/nvim/ex_cmds2.c
index 950a1a436f..56d22349fc 100644
--- a/src/nvim/ex_cmds2.c
+++ b/src/nvim/ex_cmds2.c
@@ -2719,16 +2719,19 @@ static char_u *get_str_line(int c, void *cookie, int indent, bool do_concat)
   while (!(p->buf[i] == '\n' || p->buf[i] == '\0')) {
     i++;
   }
-  char buf[2046];
-  char *dst;
-  dst = xstpncpy(buf, (char *)p->buf + p->offset, i - p->offset);
-  if ((uint32_t)(dst - buf) != i - p->offset) {
+  size_t line_length = i - p->offset;
+  garray_T ga;
+  ga_init(&ga, (int)sizeof(char_u), (int)line_length);
+  ga_concat_len(&ga, (char *)p->buf + p->offset, line_length);
+  if (ga.ga_len != (int)line_length) {
     smsg(_(":source error parsing command %s"), p->buf);
     return NULL;
   }
-  buf[i - p->offset] = '\0';
+  ga_append(&ga, '\0');
   p->offset = i + 1;
-  return (char_u *)xstrdup(buf);
+  char_u *line = (char_u *)xstrdup(ga.ga_data);
+  ga_clear(&ga);
+  return line;
 }
 
 static int source_using_linegetter(void *cookie,
From ef8afa0eb7cd506c9b24e0a2c494e188f03beeea Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabian=20Vi=C3=B6l?=
Date: Thu, 29 Apr 2021 11:14:48 +0200
Subject: [PATCH 2/3] Fix documentation typos for msg_scroll_flush

---
 src/nvim/message.c | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

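Review bot: The error branch under `if (ga.ga_len != (int)line_length)` returns NULL without releasing the growarray that ga_concat_len has just filled, so that path leaks the freshly allocated line buffer; add `ga_clear(&ga);` before `return NULL;`. The `(int)line_length` cast narrows a size_t both for ga_init's growsize and for the comparison, so a line longer than INT_MAX would presumably be mishandled rather than cleanly rejected; an explicit bound check before the cast (or a comment stating the assumed maximum) would make that limit visible. get_str_line begins outside the hunk.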
diff --git a/src/nvim/message.c b/src/nvim/message.c
index 7c98d3c6b5..1783f62247 100644
--- a/src/nvim/message.c
+++ b/src/nvim/message.c
@@ -2265,12 +2265,14 @@ void msg_scroll_up(bool may_throttle)
 /// per screen update.
 ///
 /// NB: The bookkeeping is quite messy, and rests on a bunch of poorly
-/// documented assumtions. For instance that the message area always grows while
-/// being throttled, messages are only being output on the last line etc.
+/// documented assumptions. For instance that the message area always grows
+/// while being throttled, messages are only being output on the last line
+/// etc.
 ///
-/// Probably message scrollback storage should reimplented as a file_buffer, and
-/// message scrolling in TUI be reimplemented as a modal floating window. Then
-/// we get throttling "for free" using standard redraw_later code paths.
+/// Probably message scrollback storage should be reimplemented as a
+/// file_buffer, and message scrolling in TUI be reimplemented as a modal
+/// floating window. Then we get throttling "for free" using standard
+/// redraw_later code paths.
 void msg_scroll_flush(void)
 {
   if (msg_grid.throttled) {
From 4d5516dc059038b5609874dc0c1c8164e364b7ac Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabian=20Vi=C3=B6l?=
Date: Fri, 30 Apr 2021 14:42:02 +0200
Subject: [PATCH 3/3] get_str_line: Simplify growarray usage

---
 src/nvim/ex_cmds2.c | 8 +-------
 1 file changed, 1 insertion(+), 7 deletions(-)

diff --git a/src/nvim/ex_cmds2.c b/src/nvim/ex_cmds2.c
index 56d22349fc..317ca465e1 100644
--- a/src/nvim/ex_cmds2.c
+++ b/src/nvim/ex_cmds2.c
@@ -2723,15 +2723,9 @@ static char_u *get_str_line(int c, void *cookie, int indent, bool do_concat)
   garray_T ga;
   ga_init(&ga, (int)sizeof(char_u), (int)line_length);
   ga_concat_len(&ga, (char *)p->buf + p->offset, line_length);
-  if (ga.ga_len != (int)line_length) {
-    smsg(_(":source error parsing command %s"), p->buf);
-    return NULL;
-  }
   ga_append(&ga, '\0');
   p->offset = i + 1;
-  char_u *line = (char_u *)xstrdup(ga.ga_data);
-  ga_clear(&ga);
-  return line;
+  return ga.ga_data;
 }
 
 static int source_using_linegetter(void *cookie,
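Review bot: `return ga.ga_data;` hands the growarray's heap buffer to the caller without ever calling ga_clear, and nothing in the function says that this transfer of ownership is deliberate; add `// ga.ga_data is handed to the caller, who now owns and frees it` above the return so the missing ga_clear is not mistaken for a leak. With the former length check and its smsg removed, the `(int)line_length` narrowing passed to ga_init is the only place an overlong line is handled, and an input above INT_MAX would now be neither rejected nor reported — presumably unreachable for :source input, but an explicit bound or a comment stating the assumption would make that clear. get_str_line begins outside the hunk.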