patch 8.0.1421: accessing invalid memory with overlong byte sequence
Problem: Accessing invalid memory with overlong byte sequence.
Solution: Check for NUL character. (test by Dominique Pelle, closes #2485)
diff --git a/src/misc2.c b/src/misc2.c
index 460ea74..66aeee0 100644
--- a/src/misc2.c
+++ b/src/misc2.c
@@ -1622,11 +1622,17 @@
char_u *s;
c = utf_ptr2char(p);
+ l = utf_ptr2len(p);
+ if (c == 0)
+ {
+ /* overlong sequence, use only the first byte */
+ c = *p;
+ l = 1;
+ }
uc = utf_toupper(c);
/* Reallocate string when byte count changes. This is rare,
* thus it's OK to do another malloc()/free(). */
- l = utf_ptr2len(p);
newl = utf_char2len(uc);
if (newl != l)
{
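Review bot: The added comment `/* overlong sequence, use only the first byte */` does not say why `c == 0` can only mean an overlong encoding, or why the zero must not be carried forward. The enclosing loop starts outside this hunk and presumably stops at a real NUL, so a zero from `utf_ptr2char(p)` here has to come from a multi-byte encoding of U+0000; a comment such as `/* p is not at NUL, so c == 0 is an overlong NUL: never store a 0 in the copy, take the lead byte as the character */` would record that invariant. After the fallback the lead byte is case-mapped like any other code point, so `newl` will likely be 2 against `l = 1` and the reallocation branch below runs for each such byte, which is worth stating next to the "This is rare" remark. The same applies to the identical block in the second hunk (the `utf_tolower()` path).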
@@ -1685,11 +1691,17 @@
char_u *s;
c = utf_ptr2char(p);
+ l = utf_ptr2len(p);
+ if (c == 0)
+ {
+ /* overlong sequence, use only the first byte */
+ c = *p;
+ l = 1;
+ }
lc = utf_tolower(c);
/* Reallocate string when byte count changes. This is rare,
* thus it's OK to do another malloc()/free(). */
- l = utf_ptr2len(p);
newl = utf_char2len(lc);
if (newl != l)
{
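Review bot: The seven lines added here are a verbatim copy of the block added in the first hunk, so any later correction to the overlong handling has to be made in both places and can drift. A small file-local helper that returns the character and stores its byte length, for example a suggested `static int utf_char_and_len(char_u *p, int *lenp)`, would let both paths read `c = utf_char_and_len(p, &l);` and keep the guard in one spot. The function bodies continue outside both hunks, so whether other pairs of `utf_ptr2char()`/`utf_ptr2len()` calls need the same guard cannot be judged from this diff.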