patch 8.2.4245: ":retab 0" may cause illegal memory access

Problem:    ":retab 0" may cause illegal memory access.
Solution:   Limit the value of 'tabstop' to 10000.

diff --git a/src/indent.c b/src/indent.c
index 8dd4ef99cd91d825299d6381e9d0176b848c312f..8e9b0d148cfbf88476311094e5f6072853a295de 100644 (file)
--- a/src/indent.c
+++ b/src/indent.c
@@ -71,7 +71,7 @@ tabstop_set(char_u *var, int **array)
        int n = atoi((char *)cp);
 
        // Catch negative values, overflow and ridiculous big values.
-       if (n < 0 || n > 9999)
+       if (n < 0 || n > TABSTOP_MAX)
        {
            semsg(_(e_invalid_argument_str), cp);
            vim_free(*array);
@@ -1649,7 +1649,7 @@ ex_retab(exarg_T *eap)
        emsg(_(e_argument_must_be_positive));
        return;
     }
-    if (new_ts < 0 || new_ts > 9999)
+    if (new_ts < 0 || new_ts > TABSTOP_MAX)
     {
        semsg(_(e_invalid_argument_str), eap->arg);
        return;

diff --git a/src/option.c b/src/option.c
index bb952fee5c78e9b9a2de52d9f516b50832909407..482e960b254748a293f00a698951035cfff3428c 100644 (file)
--- a/src/option.c
+++ b/src/option.c
@@ -3752,6 +3752,11 @@ set_num_option(
        errmsg = e_argument_must_be_positive;
        curbuf->b_p_ts = 8;
     }
+    else if (curbuf->b_p_ts > TABSTOP_MAX)
+    {
+       errmsg = e_invalid_argument;
+       curbuf->b_p_ts = 8;
+    }
     if (p_tm < 0)
     {
        errmsg = e_argument_must_be_positive;
@@ -5983,7 +5988,7 @@ buf_copy_options(buf_T *buf, int flags)
            if (p_vsts && p_vsts != empty_option)
                (void)tabstop_set(p_vsts, &buf->b_p_vsts_array);
            else
-               buf->b_p_vsts_array = 0;
+               buf->b_p_vsts_array = NULL;
            buf->b_p_vsts_nopaste = p_vsts_nopaste
                                 ? vim_strsave(p_vsts_nopaste) : NULL;
 #endif
@@ -6803,9 +6808,7 @@ paste_option_changed(void)
            if (buf->b_p_vsts)
                free_string_option(buf->b_p_vsts);
            buf->b_p_vsts = empty_option;
-           if (buf->b_p_vsts_array)
-               vim_free(buf->b_p_vsts_array);
-           buf->b_p_vsts_array = 0;
+           VIM_CLEAR(buf->b_p_vsts_array);
 #endif
        }
 
@@ -6851,12 +6854,11 @@ paste_option_changed(void)
                free_string_option(buf->b_p_vsts);
            buf->b_p_vsts = buf->b_p_vsts_nopaste
                         ? vim_strsave(buf->b_p_vsts_nopaste) : empty_option;
-           if (buf->b_p_vsts_array)
-               vim_free(buf->b_p_vsts_array);
+           vim_free(buf->b_p_vsts_array);
            if (buf->b_p_vsts && buf->b_p_vsts != empty_option)
                (void)tabstop_set(buf->b_p_vsts, &buf->b_p_vsts_array);
            else
-               buf->b_p_vsts_array = 0;
+               buf->b_p_vsts_array = NULL;
 #endif
        }
 

diff --git a/src/testdir/test_options.vim b/src/testdir/test_options.vim
index 2265894399d0f4ec737d2487628c22dfb5918f30..2af13d94f44e549f6204823b9e3927b8d726f865 100644 (file)
--- a/src/testdir/test_options.vim
+++ b/src/testdir/test_options.vim
@@ -368,6 +368,8 @@ func Test_set_errors()
   call assert_fails('set shiftwidth=-1', 'E487:')
   call assert_fails('set sidescroll=-1', 'E487:')
   call assert_fails('set tabstop=-1', 'E487:')
+  call assert_fails('set tabstop=10000', 'E474:')
+  call assert_fails('set tabstop=5500000000', 'E474:')
   call assert_fails('set textwidth=-1', 'E487:')
   call assert_fails('set timeoutlen=-1', 'E487:')
   call assert_fails('set updatecount=-1', 'E487:')

diff --git a/src/version.c b/src/version.c
index 0caa33a310e59f8c75470b0d36a3a48c4410829a..8275e8f2ae6da16d869d88bffc214c0da2a4e7ee 100644 (file)
--- a/src/version.c
+++ b/src/version.c
@@ -750,6 +750,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    4245,
 /**/
     4244,
 /**/

diff --git a/src/vim.h b/src/vim.h
index 15ed6262d9c3856995fc932013fcecca23310730..86acb6dcda41a72184cc3e804c83a4db4acfd3e1 100644 (file)
--- a/src/vim.h
+++ b/src/vim.h
@@ -2085,6 +2085,8 @@ typedef int sock_T;
 
 #define DICT_MAXNEST 100       // maximum nesting of lists and dicts
 
+#define TABSTOP_MAX 9999
+
 #ifdef FEAT_CLIPBOARD
 
 // VIM_ATOM_NAME is the older Vim-specific selection type for X11.  Still