patch 9.0.1492: using uninitialized memory when argument is missing

Problem:    Using uninitialized memory when argument is missing.
Solution:   Check there are sufficient arguments before the base.
            (closes #12302)

diff --git a/src/evalfunc.c b/src/evalfunc.c
index 10d00d5a17fcd65ff100cbabf44826f8d86e11a8..05734d25acedd9bda258588a26eb5184e4bc4294 100644 (file)
--- a/src/evalfunc.c
+++ b/src/evalfunc.c
@@ -3134,6 +3134,9 @@ call_internal_method(
 
     if (global_functions[fi].f_argtype == FEARG_2)
     {
+       if (argcount < 1)
+           return FCERR_TOOFEW;
+
        // base value goes second
        argv[0] = argvars[0];
        argv[1] = *basetv;
@@ -3142,6 +3145,9 @@ call_internal_method(
     }
     else if (global_functions[fi].f_argtype == FEARG_3)
     {
+       if (argcount < 2)
+           return FCERR_TOOFEW;
+
        // base value goes third
        argv[0] = argvars[0];
        argv[1] = argvars[1];
@@ -3151,6 +3157,9 @@ call_internal_method(
     }
     else if (global_functions[fi].f_argtype == FEARG_4)
     {
+       if (argcount < 3)
+           return FCERR_TOOFEW;
+
        // base value goes fourth
        argv[0] = argvars[0];
        argv[1] = argvars[1];

diff --git a/src/testdir/test_expr.vim b/src/testdir/test_expr.vim
index 6d6efe72f53a018538111f899a465685110fbfa2..c3543676b0594e79b10a22e6870737bc77ea064a 100644 (file)
--- a/src/testdir/test_expr.vim
+++ b/src/testdir/test_expr.vim
@@ -458,6 +458,9 @@ func Test_printf_misc()
   call v9.CheckLegacyAndVim9Success(lines)
 
   call v9.CheckLegacyAndVim9Failure(["call printf('123', 3)"], "E767:")
+
+  " this was using uninitialized memory
+  call v9.CheckLegacyAndVim9Failure(["eval ''->printf()"], "E119:")
 endfunc
 
 func Test_printf_float()

diff --git a/src/testdir/test_listener.vim b/src/testdir/test_listener.vim
index 413275d464c6d1e77c22638bd7dbe748b706c6c5..d30add0cb26c25e59126aba3f578e379d191785b 100644 (file)
--- a/src/testdir/test_listener.vim
+++ b/src/testdir/test_listener.vim
@@ -212,6 +212,8 @@ func Test_listener_args()
   call assert_fails('call listener_add([])', 'E921:')
   call assert_fails('call listener_add("s:StoreListArgs", [])', 'E730:')
   call assert_fails('call listener_flush([])', 'E730:')
+
+  call assert_fails('eval ""->listener_add()', 'E119:')
 endfunc
 
 func s:StoreBufList(buf, start, end, added, list)

diff --git a/src/version.c b/src/version.c
index 1ae97f646e4209a85fd5db2596e43a4741c0486d..475c3677879bcffd65de3340992aa93a62ee216c 100644 (file)
--- a/src/version.c
+++ b/src/version.c
@@ -695,6 +695,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    1492,
 /**/
     1491,
 /**/

diff --git a/src/vim9instr.c b/src/vim9instr.c
index 52402c14ec8567c12f7890cf8f65bc93f790c6af..ed99cb3f1b5c188296804b2527b3d1e7a80fb5b0 100644 (file)
--- a/src/vim9instr.c
+++ b/src/vim9instr.c
@@ -1626,8 +1626,14 @@ check_internal_func_args(
 
     if (method_call && argoff > 1)
     {
-       isn_T   *isn = generate_instr(cctx, ISN_SHUFFLE);
+       if (argcount < argoff)
+       {
+           semsg(_(e_not_enough_arguments_for_function_str),
+                                                internal_func_name(func_idx));
+           return FAIL;
+       }
 
+       isn_T   *isn = generate_instr(cctx, ISN_SHUFFLE);
        if (isn  == NULL)
            return FAIL;
        isn->isn_arg.shuffle.shfl_item = argcount;