patch 8.0.0537: illegal memory access with :z and large count

Problem:    Illegal memory access with :z and large count.
Solution:   Check for number overflow, using long instead of int. (Dominique
            Pelle, closes #1612)

diff --git a/src/Makefile b/src/Makefile
index 82da653e741cbc10a203df9aac039c4412fb15f4..5ceae2fff9e223b12ae16d1eea6025232b352351 100644 (file)
--- a/src/Makefile
+++ b/src/Makefile
@@ -2122,10 +2122,10 @@ test_arglist \
        test_delete \
        test_diffmode \
        test_digraph \
-       test_functions \
        test_display \
        test_edit \
        test_ex_undo \
+       test_ex_z \
        test_execute_func \
        test_expand \
        test_expand_dllpath \
@@ -2142,6 +2142,7 @@ test_arglist \
        test_fnameescape \
        test_fnamemodify \
        test_fold \
+       test_functions \
        test_ga \
        test_gf \
        test_glob2regpat \

diff --git a/src/ex_cmds.c b/src/ex_cmds.c
index 6940e55277ad69849faab537b92163f83e998aeb..4b0bdef59cac8337477ad45919bcbd2b6b262b11 100644 (file)
--- a/src/ex_cmds.c
+++ b/src/ex_cmds.c
@@ -4564,7 +4564,7 @@ ex_change(exarg_T *eap)
 ex_z(exarg_T *eap)
 {
     char_u     *x;
-    int                bigness;
+    long       bigness;
     char_u     *kind;
     int                minus = 0;
     linenr_T   start, end, curs, i;
@@ -4601,7 +4601,12 @@ ex_z(exarg_T *eap)
        }
        else
        {
-           bigness = atoi((char *)x);
+           bigness = atol((char *)x);
+
+           /* bigness could be < 0 if atol(x) overflows. */
+           if (bigness > 2 * curbuf->b_ml.ml_line_count || bigness < 0)
+               bigness = 2 * curbuf->b_ml.ml_line_count;
+
            p_window = bigness;
            if (*kind == '=')
                bigness += 2;

diff --git a/src/testdir/test_alot.vim b/src/testdir/test_alot.vim
index 56a3f8edf52c5c70d0465a2e27bd3438bcdedcf9..e961e9945111cf14bcea9689c96564b12b8460c5 100644 (file)
--- a/src/testdir/test_alot.vim
+++ b/src/testdir/test_alot.vim
@@ -8,10 +8,11 @@ source test_changedtick.vim
 source test_cursor_func.vim
 source test_delete.vim
 source test_ex_undo.vim
+source test_ex_z.vim
 source test_execute_func.vim
 source test_expand.vim
-source test_expr.vim
 source test_expand_dllpath.vim
+source test_expr.vim
 source test_feedkeys.vim
 source test_file_perm.vim
 source test_fileformat.vim
@@ -30,9 +31,9 @@ source test_join.vim
 source test_jumps.vim
 source test_lambda.vim
 source test_lispwords.vim
+source test_mapping.vim
 source test_match.vim
 source test_menu.vim
-source test_mapping.vim
 source test_messages.vim
 source test_partial.vim
 source test_popup.vim

diff --git a/src/testdir/test_ex_z.vim b/src/testdir/test_ex_z.vim
new file mode 100644 (file)
index 0000000..608a36c
--- /dev/null
+++ b/src/testdir/test_ex_z.vim
@@ -0,0 +1,78 @@
+" Test :z
+
+func Test_z()
+  call setline(1, range(1, 100))
+
+  let a = execute('20z3')
+  call assert_equal("\n20\n21\n22", a)
+  call assert_equal(22, line('.'))
+  " 'window' should be set to the {count} value.
+  call assert_equal(3, &window)
+
+  " If there is only one window, then twice the amount of 'scroll' is used.
+  set scroll=2
+  let a = execute('20z')
+  call assert_equal("\n20\n21\n22\n23", a)
+  call assert_equal(23, line('.'))
+
+  let a = execute('20z+3')
+  " FIXME: I would expect the same result as '20z3' but it
+  " gives "\n21\n22\n23" instead. Bug in Vim or in ":help :z"?
+  "call assert_equal("\n20\n21\n22", a)
+  "call assert_equal(22, line('.'))
+
+  let a = execute('20z-3')
+  call assert_equal("\n18\n19\n20", a)
+  call assert_equal(20, line('.'))
+
+  let a = execute('20z=3')
+  call assert_match("^\n18\n19\n-\\+\n20\n-\\+\n21\n22$", a)
+  call assert_equal(20, line('.'))
+
+  let a = execute('20z^3')
+  call assert_equal("\n14\n15\n16\n17", a)
+  call assert_equal(17, line('.'))
+
+  let a = execute('20z.3')
+  call assert_equal("\n19\n20\n21", a)
+  call assert_equal(21, line('.'))
+
+  let a = execute('20z#3')
+  call assert_equal("\n 20 20\n 21 21\n 22 22", a)
+  call assert_equal(22, line('.'))
+
+  let a = execute('20z#-3')
+  call assert_equal("\n 18 18\n 19 19\n 20 20", a)
+  call assert_equal(20, line('.'))
+
+  let a = execute('20z#=3')
+  call assert_match("^\n 18 18\n 19 19\n-\\+\n 20 20\n-\\+\n 21 21\n 22 22$", a)
+  call assert_equal(20, line('.'))
+
+  " Test with {count} bigger than the number of lines in buffer.
+  let a = execute('20z1000')
+  call assert_match("^\n20\n21\n.*\n99\n100$", a)
+  call assert_equal(100, line('.'))
+
+  let a = execute('20z-1000')
+  call assert_match("^\n1\n2\n.*\n19\n20$", a)
+  call assert_equal(20, line('.'))
+
+  let a = execute('20z=1000')
+  call assert_match("^\n1\n.*\n-\\+\n20\n-\\\+\n.*\n100$", a)
+  call assert_equal(20, line('.'))
+
+  call assert_fails('20z=a', 'E144:')
+
+  set window& scroll&
+  bw!
+endfunc
+
+func Test_z_bug()
+  " This used to access invalid memory as a result of an integer overflow
+  " and freeze vim.
+  normal ox
+  normal Heat
+  z777777776666666
+  ')
+endfunc

diff --git a/src/version.c b/src/version.c
index fd6272869955c8c716dfb11102160d4aa7e8e9b1..dc7cfb53cf58affd7329ca9cb3f7e1e774ea5ae9 100644 (file)
--- a/src/version.c
+++ b/src/version.c
@@ -764,6 +764,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    537,
 /**/
     536,
 /**/