patch 9.0.1740: segfault when reading invalid viminfo file

Problem: segfault when reading invalid viminfo file
Solution: Check the expected type in the viminfo file

Thanks to @yegappan for the included test.

closes: #12652
closes: #12845

Signed-off-by: Christian Brabandt <cb@256bit.org>
Co-authored-by: Pierre Colin <48397990+Pierre-Colin@users.noreply.github.com>
Co-authored-by: Yegappan Lakshmanan <yegappan@yahoo.com>
Co-authored-by: Christian Brabandt <cb@256bit.org>

diff --git a/src/testdir/test_viminfo.vim b/src/testdir/test_viminfo.vim
index 0551ea1b494bdb1353d4f95598afd5466faebfcd..1f4a72db16432499c686757b5926589babdda9f4 100644 (file)
--- a/src/testdir/test_viminfo.vim
+++ b/src/testdir/test_viminfo.vim
@@ -614,6 +614,26 @@ func Test_viminfo_bad_syntax2()
   rviminfo Xviminfo
 endfunc
 
+" This used to crash Vim (GitHub issue #12652)
+func Test_viminfo_bad_syntax3()
+  let lines =<< trim END
+    call writefile([], 'Xvbs3.result')
+    qall!
+  END
+  call writefile(lines, 'Xvbs3script', 'D')
+
+  let lines = []
+  call add(lines, '|1,4')
+  " bad viminfo syntax for register barline
+  call add(lines, '|3,1,1,1,1,0,71489,,125') " empty line1
+  call writefile(lines, 'Xviminfo', 'D')
+
+  call RunVim([], [], '--clean -i Xviminfo -S Xvbs3script')
+  call assert_true(filereadable('Xvbs3.result'))
+
+  call delete('Xvbs3.result')
+endfunc
+
 func Test_viminfo_file_marks()
   silent! bwipe test_viminfo.vim
   silent! bwipe Xviminfo

diff --git a/src/version.c b/src/version.c
index 52d128a9c64c69c36a73c67ee169dda02a5f978b..fbf4c68691aaa60569874ea6dfd86a7bd26ab4f7 100644 (file)
--- a/src/version.c
+++ b/src/version.c
@@ -695,6 +695,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    1740,
 /**/
     1739,
 /**/

diff --git a/src/viminfo.c b/src/viminfo.c
index b772fc8f32d3846ece9abf4684bebfae4a89ccfb..fbab05eb769984052d6b566e925b7db52539e8c8 100644 (file)
--- a/src/viminfo.c
+++ b/src/viminfo.c
@@ -1804,6 +1804,11 @@ handle_viminfo_register(garray_T *values, int force)
            y_ptr->y_array[i] = vp[i + 6].bv_string;
            vp[i + 6].bv_string = NULL;
        }
+        else if (vp[i + 6].bv_type != BVAL_STRING)
+        {
+            free(y_ptr->y_array);
+            y_ptr->y_array = NULL;
+        }
        else
            y_ptr->y_array[i] = vim_strsave(vp[i + 6].bv_string);
     }