Gitiles
Code Review Sign In
gerrit.omnirom.org / android_external_vim / b7081e135a16091c93f6f5f7525a5c58fb7ca9f9^! / . / src / indent.c
commitb7081e135a16091c93f6f5f7525a5c58fb7ca9f9[log] [tgz]
authorBram Moolenaar <Bram@vim.org>Sat Sep 04 18:47:28 2021 +0200
committerBram Moolenaar <Bram@vim.org>Sat Sep 04 18:47:28 2021 +0200
treefe04f73c100f22e17137f2dfe0af5c68ac21bcd9
parent10c83dde554b57ab4db71b96a0a02a5b6d1798e9 [diff] [blame]
patch 8.2.3402: invalid memory access when using :retab with large value

Problem:    Invalid memory access when using :retab with large value.
Solution:   Check the number is positive.

diff --git a/src/indent.c b/src/indent.c
index f4c3982..cd03f25 100644
--- a/src/indent.c
+++ b/src/indent.c

@@ -18,18 +18,19 @@
 /*
  * Set the integer values corresponding to the string setting of 'vartabstop'.
  * "array" will be set, caller must free it if needed.
+ * Return FAIL for an error.
  */
     int
 tabstop_set(char_u *var, int **array)
 {
-    int valcount = 1;
-    int t;
-    char_u *cp;
+    int	    valcount = 1;
+    int	    t;
+    char_u  *cp;
 
     if (var[0] == NUL || (var[0] == '0' && var[1] == NUL))
     {
 	*array = NULL;
-	return TRUE;
+	return OK;
     }
 
     for (cp = var; *cp != NUL; ++cp)
@@ -43,8 +44,8 @@
 		if (cp != end)
 		    emsg(_(e_positive));
 		else
-		    emsg(_(e_invarg));
-		return FALSE;
+		    semsg(_(e_invarg2), cp);
+		return FAIL;
 	    }
 	}
 
@@ -55,26 +56,33 @@
 	    ++valcount;
 	    continue;
 	}
-	emsg(_(e_invarg));
-	return FALSE;
+	semsg(_(e_invarg2), var);
+	return FAIL;
     }
 
     *array = ALLOC_MULT(int, valcount + 1);
     if (*array == NULL)
-	return FALSE;
+	return FAIL;
     (*array)[0] = valcount;
 
     t = 1;
     for (cp = var; *cp != NUL;)
     {
-	(*array)[t++] = atoi((char *)cp);
-	while (*cp  != NUL && *cp != ',')
+	int n = atoi((char *)cp);
+
+	if (n < 0 || n > 9999)
+	{
+	    semsg(_(e_invarg2), cp);
+	    return FAIL;
+	}
+	(*array)[t++] = n;
+	while (*cp != NUL && *cp != ',')
 	    ++cp;
 	if (*cp != NUL)
 	    ++cp;
     }
 
-    return TRUE;
+    return OK;
 }
 
 /*
@@ -1591,7 +1599,7 @@
 
 #ifdef FEAT_VARTABS
     new_ts_str = eap->arg;
-    if (!tabstop_set(eap->arg, &new_vts_array))
+    if (tabstop_set(eap->arg, &new_vts_array) == FAIL)
 	return;
     while (vim_isdigit(*(eap->arg)) || *(eap->arg) == ',')
 	++(eap->arg);