patch 8.0.1468: illegal memory access in del_bytes()

Problem:    Illegal memory access in del_bytes().
Solution:   Check for negative byte count. (Christian Brabandt, closes #2466)

diff --git a/src/message.c b/src/message.c
index 211403384a63178e5da4d42bf010b3902b411cb5..17a6633523611eb803f8f82f8b9d04999c17b4d7 100644 (file)
--- a/src/message.c
+++ b/src/message.c
@@ -761,7 +761,7 @@ emsgn(char_u *s, long n)
     void
 iemsg(char_u *s)
 {
-    msg(s);
+    emsg(s);
 #ifdef ABORT_ON_INTERNAL_ERROR
     abort();
 #endif
@@ -4993,7 +4993,7 @@ vim_vsnprintf_typval(
                            zero_padding = 0;
                        }
                        else
-                        {
+                       {
                            /* Regular float number */
                            format[0] = '%';
                            l = 1;
@@ -5016,7 +5016,7 @@ vim_vsnprintf_typval(
                            format[l + 1] = NUL;
 
                            str_arg_l = sprintf(tmp, format, f);
-                        }
+                       }
 
                        if (remove_trailing_zeroes)
                        {

diff --git a/src/misc1.c b/src/misc1.c
index 726500a4c8ff9dfcd1d6ef9bfad86b43a979b7ef..593dce1c3d14a553197907fd55107dc7352f3ada 100644 (file)
--- a/src/misc1.c
+++ b/src/misc1.c
@@ -2457,7 +2457,7 @@ del_chars(long count, int fixpos)
  * If "fixpos" is TRUE, don't leave the cursor on the NUL after the line.
  * Caller must have prepared for undo.
  *
- * return FAIL for failure, OK otherwise
+ * Return FAIL for failure, OK otherwise.
  */
     int
 del_bytes(
@@ -2476,12 +2476,21 @@ del_bytes(
     oldp = ml_get(lnum);
     oldlen = (int)STRLEN(oldp);
 
-    /*
-     * Can't do anything when the cursor is on the NUL after the line.
-     */
+    /* Can't do anything when the cursor is on the NUL after the line. */
     if (col >= oldlen)
        return FAIL;
 
+    /* If "count" is zero there is nothing to do. */
+    if (count == 0)
+       return OK;
+
+    /* If "count" is negative the caller must be doing something wrong. */
+    if (count < 1)
+    {
+       IEMSGN("E950: Invalid count for del_bytes(): %ld", count);
+       return FAIL;
+    }
+
 #ifdef FEAT_MBYTE
     /* If 'delcombine' is set and deleting (less than) one character, only
      * delete the last combining character. */

diff --git a/src/version.c b/src/version.c
index 767a348235cdd5a2abe8b13eea7b80710e5ec8b1..e4a4b51f8d7d5d195ba27d6b21ea9d41dc24cdb9 100644 (file)
--- a/src/version.c
+++ b/src/version.c
@@ -771,6 +771,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    1468,
 /**/
     1467,
 /**/