git.ipfire.org Git - thirdparty/vim.git/commit

author	Christian Brabandt <cb@256bit.org>
	Wed, 18 Jun 2025 16:28:19 +0000 (18:28 +0200)
committer	Christian Brabandt <cb@256bit.org>
	Wed, 18 Jun 2025 16:31:19 +0000 (18:31 +0200)
commit	9d065a48621bd564fab9d2a8a181f45622d54920
tree	468cc71e52ceaeabebde532c761eace7123fb8da	tree
parent	03e5ee25fdd4f8ee16b00688e24c4ad3b8f8f935	commit \| diff

patch 9.1.1469: potential buffer-underflow with invalid hl_id

Problem:  potential buffer-underflow with invalid hl_id (mugitya03)
Solution: assert that the return-code of syn_get_final_id() if > 0

As a safety check, syn_get_final_id() may return zero when either the
provided hl_id is zero or larger than expected.

However, many callers of syn_get_final_id() do not check that the return
value is larger than zero but re-use the returned highlight id directly
like this:

  hl_id = syn_get_final_id(hl_id);
  sgp = &HL_TABLE()[hl_id - 1];     // index is ID minus one

in which case, this would cause a buffer underrun and an access violation.

Let's use assert(hl_id > 0); to make sure that hl_id is larger than
zero.

Note to myself: I'll need to compile releases builds using -DNDEBUG once
a new release will be made

fixes: #17475
closes: #17512

Signed-off-by: Christian Brabandt <cb@256bit.org>

Makefile		diff \| blob \| blame \| history
src/highlight.c		diff \| blob \| blame \| history
src/version.c		diff \| blob \| blame \| history