patch 7.4.2235
Problem: submatch() does not check for a valid argument.
Solution: Give an error if the argument is out of range. (Dominique Pelle)
diff --git a/src/evalfunc.c b/src/evalfunc.c
index 53d3d75..599a3d6 100644
--- a/src/evalfunc.c
+++ b/src/evalfunc.c
@@ -11491,7 +11491,11 @@
no = (int)get_tv_number_chk(&argvars[0], &error);
if (error)
return;
- error = FALSE;
+ if (no < 0 || no >= NSUBEXP)
+ {
+ EMSGN(_("E935: invalid submatch number: %d"), no);
+ return;
+ }
if (argvars[1].v_type != VAR_UNKNOWN)
retList = (int)get_tv_number_chk(&argvars[1], &error);
if (error)
diff --git a/src/testdir/test_expr.vim b/src/testdir/test_expr.vim
index 7681125..b23b449 100644
--- a/src/testdir/test_expr.vim
+++ b/src/testdir/test_expr.vim
@@ -198,6 +198,11 @@
call assert_equal('--', substitute('xxx', 'x*', {-> '-' . Recurse() . '-'}, ''))
endfunc
+func Test_invalid_submatch()
+ " This was causing invalid memory access in Vim-7.4.2232 and older
+ call assert_fails("call substitute('x', '.', {-> submatch(10)}, '')", 'E935:')
+endfunc
+
func Test_substitute_expr_arg()
call assert_equal('123456789-123456789=', substitute('123456789',
\ '\(.\)\(.\)\(.\)\(.\)\(.\)\(.\)\(.\)\(.\)\(.\)',
diff --git a/src/version.c b/src/version.c
index e9ce597..65eb6d7 100644
--- a/src/version.c
+++ b/src/version.c
@@ -764,6 +764,8 @@
static int included_patches[] =
{ /* Add new patch number below this line */
/**/
+ 2235,
+/**/
2234,
/**/
2233,