summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
authorBram Moolenaar <Bram@vim.org>2023-04-29 21:38:04 +0100
committerBram Moolenaar <Bram@vim.org>2023-04-29 21:38:04 +0100
commitcaf642c25de526229264cab9425e7c9979f3509b (patch)
treedd6a1a9602b5e1adf9f939e28e13f9e33dbe6c51 /src
parent58806c1553afa2924377f6445ac6ed8cb852f9ca (diff)
downloadvim-git-caf642c25de526229264cab9425e7c9979f3509b.tar.gz
patch 9.0.1499: using uninitialized memory with fuzzy matchingv9.0.1499
Problem: Using uninitialized memory with fuzzy matching. Solution: Initialize the arrays used to store match positions.
Diffstat (limited to 'src')
-rw-r--r--src/quickfix.c5
-rw-r--r--src/search.c17
-rw-r--r--src/testdir/test_matchfuzzy.vim27
-rw-r--r--src/version.c2
4 files changed, 40 insertions, 11 deletions
diff --git a/src/quickfix.c b/src/quickfix.c
index 13292e2f7..553ad4578 100644
--- a/src/quickfix.c
+++ b/src/quickfix.c
@@ -6058,6 +6058,8 @@ vgr_match_buflines(
long lnum;
colnr_T col;
int pat_len = (int)STRLEN(spat);
+ if (pat_len > MAX_FUZZY_MATCHES)
+ pat_len = MAX_FUZZY_MATCHES;
for (lnum = 1; lnum <= buf->b_ml.ml_line_count && *tomatch > 0; ++lnum)
{
@@ -6066,7 +6068,7 @@ vgr_match_buflines(
{
// Regular expression match
while (vim_regexec_multi(regmatch, curwin, buf, lnum,
- col, NULL) > 0)
+ col, NULL) > 0)
{
// Pass the buffer number so that it gets used even for a
// dummy buffer, unless duplicate_name is set, then the
@@ -6112,6 +6114,7 @@ vgr_match_buflines(
int_u sz = ARRAY_LENGTH(matches);
// Fuzzy string match
+ CLEAR_FIELD(matches);
while (fuzzy_match(str + col, spat, FALSE, &score, matches, sz) > 0)
{
// Pass the buffer number so that it gets used even for a
diff --git a/src/search.c b/src/search.c
index 74ca8fefb..5e3857078 100644
--- a/src/search.c
+++ b/src/search.c
@@ -4422,14 +4422,14 @@ fuzzy_match_recursive(
// Found match
if (vim_tolower(c1) == vim_tolower(c2))
{
- int_u recursiveMatches[MAX_FUZZY_MATCHES];
- int recursiveScore = 0;
- char_u *next_char;
-
// Supplied matches buffer was too short
if (nextMatch >= maxMatches)
return 0;
+ int recursiveScore = 0;
+ int_u recursiveMatches[MAX_FUZZY_MATCHES];
+ CLEAR_FIELD(recursiveMatches);
+
// "Copy-on-Write" srcMatches into matches
if (first_match && srcMatches)
{
@@ -4438,10 +4438,7 @@ fuzzy_match_recursive(
}
// Recursive call that "skips" this match
- if (has_mbyte)
- next_char = str + (*mb_ptr2len)(str);
- else
- next_char = str + 1;
+ char_u *next_char = str + (has_mbyte ? (*mb_ptr2len)(str) : 1);
if (fuzzy_match_recursive(fuzpat, next_char, strIdx + 1,
&recursiveScore, strBegin, strLen, matches,
recursiveMatches,
@@ -4506,8 +4503,8 @@ fuzzy_match_recursive(
* Uses char_u for match indices. Therefore patterns are limited to
* MAX_FUZZY_MATCHES characters.
*
- * Returns TRUE if 'pat_arg' matches 'str'. Also returns the match score in
- * 'outScore' and the matching character positions in 'matches'.
+ * Returns TRUE if "pat_arg" matches "str". Also returns the match score in
+ * "outScore" and the matching character positions in "matches".
*/
int
fuzzy_match(
diff --git a/src/testdir/test_matchfuzzy.vim b/src/testdir/test_matchfuzzy.vim
index 502d136cc..43eca8ff0 100644
--- a/src/testdir/test_matchfuzzy.vim
+++ b/src/testdir/test_matchfuzzy.vim
@@ -2,6 +2,7 @@
source shared.vim
source check.vim
+source term_util.vim
" Test for matchfuzzy()
func Test_matchfuzzy()
@@ -253,4 +254,30 @@ func Test_matchfuzzy_limit()
call assert_equal([{'id': 5, 'val': 'crayon'}], l->matchfuzzy('c', #{key: 'val', limit: 1}))
endfunc
+" This was using uninitialized memory
+func Test_matchfuzzy_initialized()
+ CheckRunVimInTerminal
+
+ " This can take a very long time (esp. when using valgrind). Run in a
+ " separate Vim instance and kill it after two seconds. We only check for
+ " memory errors.
+ let lines =<< trim END
+ lvimgrep [ss [fg*
+ END
+ call writefile(lines, 'XTest_matchfuzzy', 'D')
+
+ let buf = RunVimInTerminal('-u NONE -X -Z', {})
+ call term_sendkeys(buf, ":source XTest_matchfuzzy\n")
+ call TermWait(buf, 2000)
+
+ let job = term_getjob(buf)
+ if job_status(job) == "run"
+ call job_stop(job, "int")
+ call TermWait(buf, 50)
+ endif
+
+ " clean up
+ call StopVimInTerminal(buf)
+endfunc
+
" vim: shiftwidth=2 sts=2 expandtab
diff --git a/src/version.c b/src/version.c
index ce94bc80c..460b49b9e 100644
--- a/src/version.c
+++ b/src/version.c
@@ -696,6 +696,8 @@ static char *(features[]) =
static int included_patches[] =
{ /* Add new patch number below this line */
/**/
+ 1499,
+/**/
1498,
/**/
1497,