patch 8.0.0355: using uninitialized memory when 'isfname' is empty

Problem:    Using uninitialized memory when 'isfname' is empty.
Solution:   Don't call getpwnam() without an argument. (Dominique Pelle,
            closes #1464)

diff --git a/src/misc1.c b/src/misc1.c
index 17779ba0b602989a08ee1381799120dc2648c216..9f867266f39e13e3390ffa473249295154194f61 100644 (file)
--- a/src/misc1.c
+++ b/src/misc1.c
@@ -4028,15 +4028,12 @@ expand_env_esc(
                 */
 #  if defined(HAVE_GETPWNAM) && defined(HAVE_PWD_H)
                {
-                   struct passwd *pw;
-
                    /* Note: memory allocated by getpwnam() is never freed.
                     * Calling endpwent() apparently doesn't help. */
-                   pw = getpwnam((char *)dst + 1);
-                   if (pw != NULL)
-                       var = (char_u *)pw->pw_dir;
-                   else
-                       var = NULL;
+                   struct passwd *pw = (*dst == NUL)
+                                       ? NULL : getpwnam((char *)dst + 1);
+
+                   var = (pw == NULL) ? NULL : (char_u *)pw->pw_dir;
                }
                if (var == NULL)
 #  endif
@@ -9652,7 +9649,7 @@ expand_wildcards(
 # endif
            if (match_file_list(p_wig, (*files)[i], ffname))
            {
-               /* remove this matching files from the list */
+               /* remove this matching file from the list */
                vim_free((*files)[i]);
                for (j = i; j + 1 < *num_files; ++j)
                    (*files)[j] = (*files)[j + 1];
@@ -10736,14 +10733,15 @@ has_env_var(char_u *p)
 static int has_special_wildchar(char_u *p);
 
 /*
- * Return TRUE if "p" contains a special wildcard character.
- * Allowing for escaping.
+ * Return TRUE if "p" contains a special wildcard character, one that Vim
+ * cannot expand, requires using a shell.
  */
     static int
 has_special_wildchar(char_u *p)
 {
     for ( ; *p; mb_ptr_adv(p))
     {
+       /* Allow for escaping. */
        if (*p == '\\' && p[1] != NUL)
            ++p;
        else if (vim_strchr((char_u *)SPECIAL_WILDCHAR, *p) != NULL)

diff --git a/src/testdir/test_options.vim b/src/testdir/test_options.vim
index 9ac46f243f21a878412d49e944fdff6e2fb05b8c..11466dc16ac9667a55779b024448b36cd5d690cd 100644 (file)
--- a/src/testdir/test_options.vim
+++ b/src/testdir/test_options.vim
@@ -22,6 +22,13 @@ function! Test_whichwrap()
   set whichwrap&
 endfunction
 
+function! Test_isfname()
+  " This used to cause Vim to access uninitialized memory.
+  set isfname=
+  call assert_equal("~X", expand("~X"))
+  set isfname&
+endfunction
+
 function Test_options()
   let caught = 'ok'
   try

diff --git a/src/version.c b/src/version.c
index 9494e0327e5855e30a544c6c755c9310cd6565e3..64e11118b5ea1e63b1a048f96928e8fdaf2f95fd 100644 (file)
--- a/src/version.c
+++ b/src/version.c
@@ -764,6 +764,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    355,
 /**/
     354,
 /**/