patch 9.2.0211: possible crash when setting 'winhighlight'

Problem:  possible crash when setting 'winhighlight'
Solution: Validate the option value more carefully (Foxe Chen)

closes: #19774

Signed-off-by: Foxe Chen <chen.foxe@gmail.com>
Signed-off-by: Christian Brabandt <cb@256bit.org>

diff --git a/src/highlight.c b/src/highlight.c
index 9e9830bd7dc3661f25e30d2ecbf33d316678b31f..0accfe9be4347b99bde499f7aeb6e4bf87334682 100644 (file)
--- a/src/highlight.c
+++ b/src/highlight.c
@@ -5630,6 +5630,7 @@ parse_winhighlight(char_u *opt, int *len, char **errmsg)
     hl_override_T   *arr;
     int                    i = 0;
     int                    num = 1;
+    int                    n_colons = 0;
 
     if (*p == NUL)
        return NULL;
@@ -5640,6 +5641,19 @@ parse_winhighlight(char_u *opt, int *len, char **errmsg)
        p++;
        num++;
     }
+    p = opt;
+    // Check if number of ':' matches number of ','
+    while ((p = vim_strchr(p, ':')) != NULL)
+    {
+       p++;
+       n_colons++;
+    }
+
+    if (num != n_colons)
+    {
+       *errmsg = e_invalid_argument;
+       return NULL;
+    }
 
     arr = ALLOC_MULT(hl_override_T, num);
     if (arr == NULL)
@@ -5667,6 +5681,8 @@ parse_winhighlight(char_u *opt, int *len, char **errmsg)
            goto fail;
 
        fromlen = p - fromname; // Get hl for "from"
+       if (fromlen == 0)
+           goto fail;
        p++; // Skip colon ':'
        if (*p == NUL)
            goto fail;
@@ -5683,6 +5699,8 @@ parse_winhighlight(char_u *opt, int *len, char **errmsg)
            tolen = tmp - toname;
            p = ++tmp;
        }
+       if (tolen == 0)
+           goto fail;
 
        for (int k = 0; k < 2; k++)
        {

diff --git a/src/testdir/util/gen_opt_test.vim b/src/testdir/util/gen_opt_test.vim
index c2c5191daa3dfc0e21fdf048ae02d29d9bf72964..72ff49b62ee842f882d9c70099272a251b2c4dd3 100644 (file)
--- a/src/testdir/util/gen_opt_test.vim
+++ b/src/testdir/util/gen_opt_test.vim
@@ -362,7 +362,8 @@ let test_values = {
       \ 'winaltkeys': [['no', 'yes', 'menu'], ['', 'xxx']],
       \ 'winhighlight': [['Search:Errormsg,Comment:String', 'Search:Comment', ''],
       \                ['xxx', ',', 'Search:Comment,', 'Search:Errormsg,Comment:String,',
-      \                ':', 'Search:,', 'Search:']],
+      \                ':', 'Search:,', 'Search:', ',Search', ',Search:Test', 'S:,A:B',
+      \                ',', ',S:']],
       \
       "\ skipped options
       \ 'luadll': [[], []],

diff --git a/src/version.c b/src/version.c
index d95613190587dc9baefcc5cb7f1d728d1ac7142e..c9232294905c7e7ec594b404070dd34ed85933c5 100644 (file)
--- a/src/version.c
+++ b/src/version.c
@@ -734,6 +734,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    211,
 /**/
     210,
 /**/