patch 9.1.0722: crash with large id in text_prop interface
Problem: crash with large id in text_prop interface
prop_add()/prop_add_list() (cposture)
Solution: Error out if the id is > INT_MAX or <= INT_MIN
fixes: #15637
closes: #15638
Signed-off-by: Christian Brabandt <cb@256bit.org>
diff --git a/runtime/doc/textprop.txt b/runtime/doc/textprop.txt
index 6b46e06..0a04abb 100644
--- a/runtime/doc/textprop.txt
+++ b/runtime/doc/textprop.txt
@@ -1,4 +1,4 @@
-*textprop.txt* For Vim version 9.1. Last change: 2024 Jun 08
+*textprop.txt* For Vim version 9.1. Last change: 2024 Sep 08
VIM REFERENCE MANUAL by Bram Moolenaar
@@ -140,10 +140,10 @@
bufnr buffer to add the property to; when omitted
the current buffer is used
id user defined ID for the property; must be a
- number, should be positive; when using "text"
- then "id" must not be present and will be set
- automatically to a negative number; otherwise
- zero is used
+ number, should be positive |E1510|;
+ when using "text" then "id" must not be
+ present and will be set automatically to a
+ negative number; otherwise zero is used
*E1305*
text text to be displayed before {col}, or
above/below the line if {col} is zero; prepend
@@ -271,7 +271,7 @@
call prop_add_list(#{type: 'MyProp', id: 2},
\ [[1, 4, 1, 7],
\ [1, 15, 1, 20],
- \ [2, 30, 3, 30]]
+ \ [2, 30, 3, 30]])
<
Can also be used as a |method|: >
GetProp()->prop_add_list([[1, 1, 1, 2], [1, 4, 1, 8]])
diff --git a/src/testdir/test_textprop.vim b/src/testdir/test_textprop.vim
index 57277f7..bbb911f 100644
--- a/src/testdir/test_textprop.vim
+++ b/src/testdir/test_textprop.vim
@@ -393,6 +393,8 @@
call assert_fails('call prop_add_list(test_null_dict(), [[2, 2, 2]])', 'E965:')
call assert_fails('call prop_add_list(#{type: "one"}, test_null_list())', 'E1298:')
call assert_fails('call prop_add_list(#{type: "one"}, [test_null_list()])', 'E714:')
+ call assert_fails('call prop_add_list(#{type: "one", id: 2147483648}, [[2, 2, 2, 2], [3, 20, 3, 22]])', 'E1510:')
+ call assert_fails('call prop_add_list(#{type: "one", id: -2147483648}, [[2, 2, 2, 2], [3, 20, 3, 22]])', 'E1510:')
" only one error for multiple wrong values
call assert_fails('call prop_add_list(#{type: "one"}, [[{}, [], 0z00, 0.3]])', ['E728:', 'E728:'])
@@ -1780,6 +1782,8 @@
call assert_fails("call prop_add(2, 3, {'type': 'xxx', 'length':-1})", 'E475:')
call assert_fails("call prop_add(2, 3, {'type': 'xxx', 'end_col':0})", 'E475:')
call assert_fails("call prop_add(2, 3, {'length':1})", 'E965:')
+ call assert_fails("call prop_add(2, 3, {'type': 'xxx', 'id': 2147483648})", 'E1510:')
+ call assert_fails("call prop_add(2, 3, {'type': 'xxx', 'id': -2147483648})", 'E1510:')
call prop_type_delete('xxx')
bwipe!
diff --git a/src/textprop.c b/src/textprop.c
index fe0c8d2..d16f8ec 100644
--- a/src/textprop.c
+++ b/src/textprop.c
@@ -372,7 +372,16 @@
type_name = dict_get_string(dict, "type", FALSE);
if (dict_has_key(dict, "id"))
- id = dict_get_number(dict, "id");
+ {
+ vimlong_T x;
+ x = dict_get_number(dict, "id");
+ if (x > INT_MAX || x <= INT_MIN)
+ {
+ semsg(_(e_val_too_large), dict_get_string(dict, "id", FALSE));
+ return;
+ }
+ id = (int)x;
+ }
if (get_bufnr_from_arg(&argvars[0], &buf) == FAIL)
return;
@@ -497,7 +506,16 @@
end_col = 1;
if (dict_has_key(dict, "id"))
- id = dict_get_number(dict, "id");
+ {
+ vimlong_T x;
+ x = dict_get_number(dict, "id");
+ if (x > INT_MAX || x <= INT_MIN)
+ {
+ semsg(_(e_val_too_large), dict_get_string(dict, "id", FALSE));
+ goto theend;
+ }
+ id = (int)x;
+ }
if (dict_has_key(dict, "text"))
{
diff --git a/src/version.c b/src/version.c
index eb88b0d..4460bb1 100644
--- a/src/version.c
+++ b/src/version.c
@@ -705,6 +705,8 @@
static int included_patches[] =
{ /* Add new patch number below this line */
/**/
+ 722,
+/**/
721,
/**/
720,