updated for version 7.3.664

Problem:    Buffer overflow in unescaping text. (Raymond Ko)
Solution:   Limit check for multi-byte character to 4 bytes.

diff --git a/src/mbyte.c b/src/mbyte.c
index ca3204f2145d995f06cf300e0e51e363246df0d0..33e894e88c7df4eb96833c5922b7fe475a57f54a 100644 (file)
--- a/src/mbyte.c
+++ b/src/mbyte.c
@@ -3793,13 +3793,15 @@ mb_charlen_len(str, len)
 mb_unescape(pp)
     char_u **pp;
 {
-    static char_u      buf[MB_MAXBYTES + 1];
-    int                        n, m = 0;
+    static char_u      buf[6];
+    int                        n;
+    int                        m = 0;
     char_u             *str = *pp;
 
     /* Must translate K_SPECIAL KS_SPECIAL KE_FILLER to K_SPECIAL and CSI
-     * KS_EXTRA KE_CSI to CSI. */
-    for (n = 0; str[n] != NUL && m <= MB_MAXBYTES; ++n)
+     * KS_EXTRA KE_CSI to CSI.
+     * Maximum length of a utf-8 character is 4 bytes. */
+    for (n = 0; str[n] != NUL && m < 4; ++n)
     {
        if (str[n] == K_SPECIAL
                && str[n + 1] == KS_SPECIAL
@@ -3836,6 +3838,10 @@ mb_unescape(pp)
            *pp = str + n + 1;
            return buf;
        }
+
+       /* Bail out quickly for ASCII. */
+       if (buf[0] < 128)
+           break;
     }
     return NULL;
 }

diff --git a/src/version.c b/src/version.c
index 43d11611bda609c282b40bd3c7b7e28f7da3c85f..d8ada6990e307f26ac95c8d2fd96175f6bb8e5b7 100644 (file)
--- a/src/version.c
+++ b/src/version.c
@@ -719,6 +719,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    664,
 /**/
     663,
 /**/