patch 7.4.2223
Problem: Buffer overflow when using latin1 character with feedkeys().
Solution: Check for an illegal character. Add a test.
diff --git a/src/getchar.c b/src/getchar.c
index 1c170cc..52b1853 100644
--- a/src/getchar.c
+++ b/src/getchar.c
@@ -4658,8 +4658,16 @@
char_u *res;
char_u *s, *d;
- /* Need a buffer to hold up to three times as much. */
- res = alloc((unsigned)(STRLEN(p) * 3) + 1);
+ /* Need a buffer to hold up to three times as much. Four in case of an
+ * illegal utf-8 byte:
+ * 0xc0 -> 0xc3 0x80 -> 0xc3 K_SPECIAL KS_SPECIAL KE_FILLER */
+ res = alloc((unsigned)(STRLEN(p) *
+#ifdef FEAT_MBYTE
+ 4
+#else
+ 3
+#endif
+ ) + 1);
if (res != NULL)
{
d = res;
@@ -4674,22 +4682,10 @@
}
else
{
-#ifdef FEAT_MBYTE
- int len = mb_char2len(PTR2CHAR(s));
- int len2 = mb_ptr2len(s);
-#endif
/* Add character, possibly multi-byte to destination, escaping
- * CSI and K_SPECIAL. */
+ * CSI and K_SPECIAL. Be careful, it can be an illegal byte! */
d = add_char2buf(PTR2CHAR(s), d);
-#ifdef FEAT_MBYTE
- while (len < len2)
- {
- /* add following combining char */
- d = add_char2buf(PTR2CHAR(s + len), d);
- len += mb_char2len(PTR2CHAR(s + len));
- }
-#endif
- mb_ptr_adv(s);
+ s += MB_CPTR2LEN(s);
}
}
*d = NUL;