From cba3025c438c4be0c5fa5098cabe0129c0e44e96 Mon Sep 17 00:00:00 2001 From: Jan Edmund Lazo Date: Fri, 24 Aug 2018 19:50:55 -0400 Subject: [PATCH 1/4] vim-patch:8.0.0883: invalid memory access with nonsensical script Problem: Invalid memory access with nonsensical script. Solution: Check "dstlen" being positive. (Dominique Pelle) https://github.com/vim/vim/commit/1c864093f93b0066de25d6c0ddf03a6bc6b1c870 --- src/nvim/os/env.c | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/src/nvim/os/env.c b/src/nvim/os/env.c index 6997156d4c..2f90d0bc9e 100644 --- a/src/nvim/os/env.c +++ b/src/nvim/os/env.c @@ -457,12 +457,15 @@ void expand_env_esc(char_u *restrict srcp, } else if ((src[0] == ' ' || src[0] == ',') && !one) { at_start = true; } - *dst++ = *src++; - --dstlen; + if (dstlen > 0) { + *dst++ = *src++; + dstlen--; - if (prefix != NULL && src - prefix_len >= srcp - && STRNCMP(src - prefix_len, prefix, prefix_len) == 0) { - at_start = true; + if (prefix != NULL + && src - prefix_len >= srcp + && STRNCMP(src - prefix_len, prefix, prefix_len) == 0) { + at_start = true; + } } } } From 59b53e7bc7ef1d2e92725564f0a0e56cb6034daa Mon Sep 17 00:00:00 2001 From: Jan Edmund Lazo Date: Fri, 24 Aug 2018 20:37:55 -0400 Subject: [PATCH 2/4] vim-patch:8.0.1228: invalid memory access in GUI test Problem: Invalid memory access in GUI test. Solution: Check that the row is not outside of the screen. https://github.com/vim/vim/commit/0e19fc07e73214f94441cb3a495504a1de21eb07 --- src/nvim/screen.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/src/nvim/screen.c b/src/nvim/screen.c index 092820321c..36901e92ee 100644 --- a/src/nvim/screen.c +++ b/src/nvim/screen.c 
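Review bot: The new `if (dstlen > 0)` guard silently drops the current character when the output is full (and `src` is not advanced), so the caller receives a truncated result with no signal; nothing in the hunk documents that. Suggest a comment on the guard: `// Out of room: drop the char and let the loop end with a truncated result.` The guard is presumably needed because an earlier branch of the same iteration (outside the hunk, likely the backslash-escape copy) can already consume the last slot, so the loop's own length check is not enough on its own; if so, say that in the comment as well. It is also worth confirming that the terminating NUL written after the loop still has room when `dstlen` reaches exactly 0 here. expand_env_esc begins and ends outside this hunk.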
@@ -1448,7 +1448,11 @@ static void win_update(win_T *wp) wp->w_lines[idx].wl_lnum = lnum; wp->w_lines[idx].wl_valid = true; - if (row > wp->w_height) { // past end of screen + + // Past end of the window or end of the screen. Note that after + // resizing wp->w_height may be end up too big. That's a problem + // elsewhere, but prevent a crash here. + if (row > wp->w_height || row + wp->w_winrow >= Rows) { // we may need the size of that too long line later on if (dollar_vcol == -1) { wp->w_lines[idx].wl_size = plines_win(wp, lnum, true); From bdffa01b528ca6093fc8e0e4f54f810f9bb6d3b7 Mon Sep 17 00:00:00 2001 From: Jan Edmund Lazo Date: Fri, 24 Aug 2018 21:16:34 -0400 Subject: [PATCH 3/4] vim-patch:8.0.1404: invalid memory access on exit Problem: Invalid memory access on exit when autocommands wipe out a buffer. (gy741, Dominique Pelle) Solution: Check if the buffer is still valid. (closes vim/vim#2449) https://github.com/vim/vim/commit/606d45ccd8a2ad2956e2729f6135fd79fd2f6d72 --- src/nvim/main.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/src/nvim/main.c b/src/nvim/main.c index 96c2168bca..af7c194edc 100644 --- a/src/nvim/main.c +++ b/src/nvim/main.c @@ -605,9 +605,14 @@ void getout(int exitval) buf_T *buf = wp->w_buffer; if (buf_get_changedtick(buf) != -1) { + bufref_T bufref; + + set_bufref(&bufref, buf); apply_autocmds(EVENT_BUFWINLEAVE, buf->b_fname, buf->b_fname, false, buf); - buf_set_changedtick(buf, -1); // note that we did it already + if (bufref_valid(&bufref)) { + buf_set_changedtick(buf, -1); // note that we did it already + } // start all over, autocommands may mess up the lists next_tp = first_tabpage; break; From 16b55d2e9d074bb3de7505708c30c05fe02d8f12 Mon Sep 17 00:00:00 2001 
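Review bot: The comment introduced above the new condition has a slip, `may be end up too big`; suggest `Note that after resizing wp->w_height may end up too big.` More importantly, the added `row + wp->w_winrow >= Rows` test is, as the comment itself admits, a crash guard for an inconsistent `w_height` rather than a fix, so it should name where the real bound belongs so nobody takes it for the intended invariant, e.g. `// TODO: clamp w_height where the window is resized; this only prevents the crash.` This assumes `Rows` is the total screen height (not visible in the hunk). win_update starts and ends outside this hunk.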
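Review bot: When `bufref_valid(&bufref)` is false after the BufWinLeave autocommand, the hunk skips the `buf_set_changedtick(buf, -1)` marker without comment, which is only correct because a wiped-out buffer can no longer be reached by the rescan that `next_tp = first_tabpage; break;` triggers; that reasoning should be written down: `// Autocommands wiped out the buffer; it is gone from the lists, so nothing to mark.` `wp` is likewise not re-validated after the autocommand, which looks fine from the hunk alone since the rescan restarts before it is used again, but a reader has to work that out. The rescan presumably still relies on every buffer eventually being marked; an autocommand that keeps creating new windows would keep this loop going, which may be an accepted limitation. getout begins and ends outside this hunk.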
From: Jan Edmund Lazo Date: Fri, 24 Aug 2018 22:29:59 -0400 Subject: [PATCH 4/4] vim-patch:8.0.1468: illegal memory access in del_bytes() Problem: Illegal memory access in del_bytes(). Solution: Check for negative byte count. (Christian Brabandt, closes vim/vim#2466) https://github.com/vim/vim/commit/191f18bad0b5c48afa05c3e8a00f3ced993f6a38 --- src/nvim/message.c | 2 +- src/nvim/misc1.c | 16 ++++++++++++---- src/nvim/strings.c | 2 +- 3 files changed, 14 insertions(+), 6 deletions(-) diff --git a/src/nvim/message.c b/src/nvim/message.c index 947cd0735e..4b0824c90f 100644 --- a/src/nvim/message.c +++ b/src/nvim/message.c @@ -610,7 +610,7 @@ static bool emsgfv(const char *fmt, va_list ap) /// detected when fuzzing vim. void iemsg(const char *s) { - msg((char_u *)s); + emsg((char_u *)s); #ifdef ABORT_ON_INTERNAL_ERROR abort(); #endif diff --git a/src/nvim/misc1.c b/src/nvim/misc1.c index e87c754eb8..caaa310a8b 100644 --- a/src/nvim/misc1.c +++ b/src/nvim/misc1.c @@ -1605,11 +1605,19 @@ int del_bytes(colnr_T count, bool fixpos_arg, bool use_delcombine) char_u *oldp = ml_get(lnum); colnr_T oldlen = (colnr_T)STRLEN(oldp); - /* - * Can't do anything when the cursor is on the NUL after the line. - */ - if (col >= oldlen) + // Can't do anything when the cursor is on the NUL after the line. + if (col >= oldlen) { return FAIL; + } + // If "count" is zero there is nothing to do. + if (count == 0) { + return OK; + } + // If "count" is negative the caller must be doing something wrong. + if (count < 1) { + IEMSGN("E950: Invalid count for del_bytes(): %ld", count); + return FAIL; + } /* If 'delcombine' is set and deleting (less than) one character, only * delete the last combining character. */ diff --git a/src/nvim/strings.c b/src/nvim/strings.c index f24de72743..17c4a75a64 100644 --- a/src/nvim/strings.c +++ b/src/nvim/strings.c 
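Review bot: Since `count == 0` has already returned OK, the following `if (count < 1)` only ever matches negative values, so `if (count < 0)` states the intent directly and avoids a reader wondering what happens to 1. The `%ld` in `IEMSGN("E950: Invalid count for del_bytes(): %ld", count)` should be checked against what IEMSGN passes through: in nvim the EMSGN family appears to cast to int64_t and sibling messages use `PRId64`, in which case `%ld` is a mismatch on LLP64 targets. `count` is a `colnr_T`, so a large positive value could still overflow `col + count` further down; the clamp presumably done there is outside the hunk and worth confirming. del_bytes starts before this hunk and continues after it.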
@@ -1217,6 +1217,7 @@ int vim_vsnprintf(char *str, size_t str_m, const char *fmt, va_list ap, str_arg_l = 3; zero_padding = 0; } else { + // Regular float number format[0] = '%'; size_t l = 1; if (force_sign) { @@ -1241,7 +1242,6 @@ int vim_vsnprintf(char *str, size_t str_m, const char *fmt, va_list ap, format[l] = (char)(fmt_spec == 'F' ? 'f' : fmt_spec); format[l + 1] = NUL; - // Regular float number str_arg_l = (size_t)snprintf(tmp, sizeof(tmp), format, f); assert(str_arg_l < sizeof(tmp));