authorBram Moolenaar <Bram@vim.org>2018-02-04 18:22:46 +0100
committerBram Moolenaar <Bram@vim.org>2018-02-04 18:22:46 +0100
commit2c7b906afb86b986476cfc959732e433b1b4a3b1 (patch)
tree327ebb2d44650fe095b394b7dcf4f5aa85710872
parent2374faae111057ee28e8d487f9a52a95855e2206 (diff)
patch 8.0.1470: integer overflow when using regexp patternv8.0.1470
Problem: Integer overflow when using regexp pattern. (geeknik) Solution: Use a long instead of int. (Christian Brabandt, closes #2251)
-rw-r--r--src/regexp_nfa.c27
-rw-r--r--src/version.c2
2 files changed, 19 insertions, 10 deletions
diff --git a/src/regexp_nfa.c b/src/regexp_nfa.c
index afd42383c..43fe5dc4d 100644
--- a/src/regexp_nfa.c
+++ b/src/regexp_nfa.c
@@ -1600,7 +1600,7 @@ nfa_regatom(void)
default:
{
- int n = 0;
+ long n = 0;
int cmp = c;
if (c == '<' || c == '>')
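Review bot: Widening `n` to `long` at the top of this `default:` case only helps where `long` is wider than `int`; where the two have the same size, `n` keeps its old range and the guard added in the next hunk (`@@ -1628`) is compiled out by `#if VIM_SIZEOF_INT < VIM_SIZEOF_LONG`. The code that accumulates the digits into `n` lies outside the visible hunks, so this part is inferred: if it is still an unchecked multiply-and-add, a long enough digit run in the pattern overflows `long` too, which is undefined behaviour for a signed type, before `n > INT_MAX` is evaluated. Bounding the value where it is built would cover every platform, for example by failing with the same E951 message once `n > (INT_MAX - (c - '0')) / 10` holds ahead of the accumulation step.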
@@ -1628,7 +1628,14 @@ nfa_regatom(void)
/* \%{n}v \%{n}<v \%{n}>v */
EMIT(cmp == '<' ? NFA_VCOL_LT :
cmp == '>' ? NFA_VCOL_GT : NFA_VCOL);
- EMIT(n);
+#if VIM_SIZEOF_INT < VIM_SIZEOF_LONG
+ if (n > INT_MAX)
+ {
+ EMSG(_("E951: \\% value too large"));
+ return FAIL;
+ }
+#endif
+ EMIT((int)n);
break;
}
else if (c == '\'' && n == 0)
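Review bot: The `#if VIM_SIZEOF_INT < VIM_SIZEOF_LONG` guard in front of `EMIT((int)n)` has no comment explaining why the range check is conditional or which limit it enforces. A line above the `#if` such as `/* The value is emitted as an int: reject a \%{n} count the cast below would truncate. */` would make that explicit. The diffstat lists only src/regexp_nfa.c and src/version.c, so no regression test for an oversized count appears to accompany the fix; a test asserting E951 for such a pattern would keep the check from being lost. The enclosing `default:` block starts and ends outside this hunk.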
@@ -3970,7 +3977,7 @@ static int nfa_match;
#ifdef FEAT_RELTIME
static proftime_T *nfa_time_limit;
static int *nfa_timed_out;
-static int nfa_time_count;
+static int nfa_time_count;
#endif
static void copy_pim(nfa_pim_T *to, nfa_pim_T *from);
@@ -4068,10 +4075,10 @@ copy_ze_off(regsub_T *to, regsub_T *from)
if (REG_MULTI)
{
if (from->list.multi[0].end_lnum >= 0)
- {
+ {
to->list.multi[0].end_lnum = from->list.multi[0].end_lnum;
to->list.multi[0].end_col = from->list.multi[0].end_col;
- }
+ }
}
else
{
@@ -5124,9 +5131,9 @@ recursive_regmatch(
}
if (state->c == NFA_START_INVISIBLE_BEFORE
- || state->c == NFA_START_INVISIBLE_BEFORE_FIRST
- || state->c == NFA_START_INVISIBLE_BEFORE_NEG
- || state->c == NFA_START_INVISIBLE_BEFORE_NEG_FIRST)
+ || state->c == NFA_START_INVISIBLE_BEFORE_FIRST
+ || state->c == NFA_START_INVISIBLE_BEFORE_NEG
+ || state->c == NFA_START_INVISIBLE_BEFORE_NEG_FIRST)
{
/* The recursive match must end at the current position. When "pim" is
* not NULL it specifies the current position. */
@@ -6302,7 +6309,7 @@ nfa_regmatch(
}
}
else if (state->c < 0 ? check_char_class(state->c, curc)
- : (curc == state->c
+ : (curc == state->c
|| (rex.reg_ic && MB_TOLOWER(curc)
== MB_TOLOWER(state->c))))
{
@@ -6863,7 +6870,7 @@ nfa_regmatch(
&& (REG_MULTI
? (reglnum < nfa_endp->se_u.pos.lnum
|| (reglnum == nfa_endp->se_u.pos.lnum
- && (int)(reginput - regline)
+ && (int)(reginput - regline)
< nfa_endp->se_u.pos.col))
: reginput < nfa_endp->se_u.ptr))))
{
diff --git a/src/version.c b/src/version.c
index 5786860a5..5d417029b 100644
--- a/src/version.c
+++ b/src/version.c
@@ -772,6 +772,8 @@ static char *(features[]) =
static int included_patches[] =
{ /* Add new patch number below this line */
/**/
+ 1470,
+/**/
1469,
/**/
1468,