Problem: potential buffer-underflow with invalid hl_id (mugitya03)
Solution: assert that the return-code of syn_get_final_id() if > 0
As a safety check, syn_get_final_id() may return zero when either the
provided hl_id is zero or larger than expected.
However, many callers of syn_get_final_id() do not check that the return
value is larger than zero but re-use the returned highlight id directly
like this:
hl_id = syn_get_final_id(hl_id);
sgp = &HL_TABLE()[hl_id - 1]; // index is ID minus one
in which case, this would cause a buffer underrun and an access violation.
Let's use assert(hl_id > 0); to make sure that hl_id is larger than
zero.
Note to myself: I'll need to compile releases builds using -DNDEBUG once
a new release will be made
fixes: #17475
closes: #17512
Signed-off-by: Christian Brabandt <cb@256bit.org>
# - With these features: "make depend" (works best with gcc).
# - If you have a lint program: "make lint" and check the output (ignore GTK
# warnings).
+# - compile release versions using -DNDEBUG to disable assert()s
# - If you have valgrind, enable it in src/testdir/Makefile and run "make
# test". Enable EXITFREE, disable GUI, scheme and tcl to avoid false alarms.
# Check the valgrind output.
hl_group_T *sgp;
hl_id = syn_get_final_id(hl_id);
+ // shouldn't happen
+ assert(hl_id > 0);
sgp = &HL_TABLE()[hl_id - 1]; // index is ID minus one
#ifdef FEAT_GUI
hl_group_T *sgp;
hl_id = syn_get_final_id(hl_id);
+ // shouldn't happen
+ assert(hl_id > 0);
sgp = &HL_TABLE()[hl_id - 1]; // index is ID minus one
*fgp = sgp->sg_gui_fg;
hl_group_T *sgp;
hl_id = syn_get_final_id(hl_id);
+ // shouldn't happen
+ assert(hl_id > 0);
sgp = &HL_TABLE()[hl_id - 1]; // index is ID minus one
*fgp = sgp->sg_cterm_fg - 1;
*bgp = sgp->sg_cterm_bg - 1;
static int included_patches[] =
{ /* Add new patch number below this line */
+/**/
+ 1469,
/**/
1468,
/**/
projects / thirdparty / vim.git / commitdiff
