patch 8.2.3855: illegal memory access when displaying a blob

Problem:    Illegal memory access when displaying a blob.
Solution:   Append a NUL at the end. (Yegappan Lakshmanan, closes #9372)

diff --git a/src/blob.c b/src/blob.c
index 0458571181b92ccf8d0747f5259b84aeb6bac995..5658370527f551fa20ff47410715b98c36b10d9c 100644 (file)
--- a/src/blob.c
+++ b/src/blob.c
@@ -240,6 +240,7 @@ blob2string(blob_T *blob, char_u **tofree, char_u *numbuf)
        vim_snprintf((char *)numbuf, NUMBUFLEN, "%02X", (int)blob_get(blob, i));
        ga_concat(&ga, numbuf);
     }
+    ga_append(&ga, NUL);               // append a NUL at the end
     *tofree = ga.ga_data;
     return *tofree;
 }

diff --git a/src/regexp_nfa.c b/src/regexp_nfa.c
index 9dc246d287dd2f4340c4e2d649083b9d451c6c95..4d7d553bdccb1829d5b3367f16a9037a6b229e84 100644 (file)
--- a/src/regexp_nfa.c
+++ b/src/regexp_nfa.c
@@ -2917,20 +2917,20 @@ nfa_print_state2(FILE *debugf, nfa_state_T *state, garray_T *indent)
        ga_concat(indent, (char_u *)"| ");
     else
        ga_concat(indent, (char_u *)"  ");
-    ga_append(indent, '\0');
+    ga_append(indent, NUL);
 
     nfa_print_state2(debugf, state->out, indent);
 
     // replace last part of indent for state->out1
     indent->ga_len -= 3;
     ga_concat(indent, (char_u *)"  ");
-    ga_append(indent, '\0');
+    ga_append(indent, NUL);
 
     nfa_print_state2(debugf, state->out1, indent);
 
     // shrink indent
     indent->ga_len -= 3;
-    ga_append(indent, '\0');
+    ga_append(indent, NUL);
 }
 
 /*

diff --git a/src/testdir/test_blob.vim b/src/testdir/test_blob.vim
index bd816af4a509a4cfcea978b986d62b91099d3892..3ce95756f18b6c5c133119ef5163611c5edee513 100644 (file)
--- a/src/testdir/test_blob.vim
+++ b/src/testdir/test_blob.vim
@@ -680,5 +680,12 @@ func Test_list2blob()
   call assert_equal(0z00010203, list2blob(range(4)))
 endfunc
 
+" The following used to cause an out-of-bounds memory access
+func Test_blob2string()
+  let v = '0z' .. repeat('01010101.', 444)
+  let v ..= '01'
+  exe 'let b = ' .. v
+  call assert_equal(v, string(b))
+endfunc
 
 " vim: shiftwidth=2 sts=2 expandtab

diff --git a/src/testdir/test_messages.vim b/src/testdir/test_messages.vim
index 5724eb6a3a4a792856e3e7f233512e73fbe89c33..62b5b2910e637071866c315d78d4f91a3d859cc2 100644 (file)
--- a/src/testdir/test_messages.vim
+++ b/src/testdir/test_messages.vim
@@ -341,7 +341,7 @@ endfunc
 func Test_echo_string_partial()
   function CountSpaces()
   endfunction
-  echomsg function('CountSpaces', [#{aaaaaaaaaaa: v:false, bbbbbbbbbbbb: '', ccccccccccc: ['ab', 'cd']}])
+  call assert_equal("function('CountSpaces', [{'ccccccccccc': ['ab', 'cd'], 'aaaaaaaaaaa': v:false, 'bbbbbbbbbbbb': ''}])", string(function('CountSpaces', [#{aaaaaaaaaaa: v:false, bbbbbbbbbbbb: '', ccccccccccc: ['ab', 'cd']}])))
 endfunc
 
 " vim: shiftwidth=2 sts=2 expandtab

diff --git a/src/version.c b/src/version.c
index 52cc584e03d68d0fc5ff015ba1a66236d6ff6d05..873b972145446e6925733542ff26fcb8790ecce9 100644 (file)
--- a/src/version.c
+++ b/src/version.c
@@ -749,6 +749,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    3855,
 /**/
     3854,
 /**/