Problem: Invalid memory access when using :retab with large value.
Solution: Check the number is positive.
/*
* Set the integer values corresponding to the string setting of 'vartabstop'.
* "array" will be set, caller must free it if needed.
+ * Return FAIL for an error.
*/
int
tabstop_set(char_u *var, int **array)
{
- int valcount = 1;
- int t;
- char_u *cp;
+ int valcount = 1;
+ int t;
+ char_u *cp;
if (var[0] == NUL || (var[0] == '0' && var[1] == NUL))
{
*array = NULL;
- return TRUE;
+ return OK;
}
for (cp = var; *cp != NUL; ++cp)
if (cp != end)
emsg(_(e_positive));
else
- emsg(_(e_invarg));
- return FALSE;
+ semsg(_(e_invarg2), cp);
+ return FAIL;
}
}
++valcount;
continue;
}
- emsg(_(e_invarg));
- return FALSE;
+ semsg(_(e_invarg2), var);
+ return FAIL;
}
*array = ALLOC_MULT(int, valcount + 1);
if (*array == NULL)
- return FALSE;
+ return FAIL;
(*array)[0] = valcount;
t = 1;
for (cp = var; *cp != NUL;)
{
- (*array)[t++] = atoi((char *)cp);
- while (*cp != NUL && *cp != ',')
+ int n = atoi((char *)cp);
+
+ if (n < 0 || n > 9999)
+ {
+ semsg(_(e_invarg2), cp);
+ return FAIL;
+ }
+ (*array)[t++] = n;
+ while (*cp != NUL && *cp != ',')
++cp;
if (*cp != NUL)
++cp;
}
- return TRUE;
+ return OK;
}
/*
#ifdef FEAT_VARTABS
new_ts_str = eap->arg;
- if (!tabstop_set(eap->arg, &new_vts_array))
+ if (tabstop_set(eap->arg, &new_vts_array) == FAIL)
return;
while (vim_isdigit(*(eap->arg)) || *(eap->arg) == ',')
++(eap->arg);
#endif
#ifdef FEAT_VARTABS
vim_free(curbuf->b_p_vsts_array);
- tabstop_set(curbuf->b_p_vsts, &curbuf->b_p_vsts_array);
+ (void)tabstop_set(curbuf->b_p_vsts, &curbuf->b_p_vsts_array);
vim_free(curbuf->b_p_vts_array);
- tabstop_set(curbuf->b_p_vts, &curbuf->b_p_vts_array);
+ (void)tabstop_set(curbuf->b_p_vts, &curbuf->b_p_vts_array);
#endif
}
buf->b_p_vsts = vim_strsave(p_vsts);
COPY_OPT_SCTX(buf, BV_VSTS);
if (p_vsts && p_vsts != empty_option)
- tabstop_set(p_vsts, &buf->b_p_vsts_array);
+ (void)tabstop_set(p_vsts, &buf->b_p_vsts_array);
else
buf->b_p_vsts_array = 0;
buf->b_p_vsts_nopaste = p_vsts_nopaste
buf->b_p_isk = save_p_isk;
#ifdef FEAT_VARTABS
if (p_vts && p_vts != empty_option && !buf->b_p_vts_array)
- tabstop_set(p_vts, &buf->b_p_vts_array);
+ (void)tabstop_set(p_vts, &buf->b_p_vts_array);
else
buf->b_p_vts_array = NULL;
#endif
buf->b_p_vts = vim_strsave(p_vts);
COPY_OPT_SCTX(buf, BV_VTS);
if (p_vts && p_vts != empty_option && !buf->b_p_vts_array)
- tabstop_set(p_vts, &buf->b_p_vts_array);
+ (void)tabstop_set(p_vts, &buf->b_p_vts_array);
else
buf->b_p_vts_array = NULL;
#endif
if (buf->b_p_vsts_array)
vim_free(buf->b_p_vsts_array);
if (buf->b_p_vsts && buf->b_p_vsts != empty_option)
- tabstop_set(buf->b_p_vsts, &buf->b_p_vsts_array);
+ (void)tabstop_set(buf->b_p_vsts, &buf->b_p_vsts_array);
else
buf->b_p_vsts_array = 0;
#endif
if (errmsg == NULL)
{
int *oldarray = curbuf->b_p_vsts_array;
- if (tabstop_set(*varp, &(curbuf->b_p_vsts_array)))
+ if (tabstop_set(*varp, &(curbuf->b_p_vsts_array)) == OK)
{
if (oldarray)
vim_free(oldarray);
{
int *oldarray = curbuf->b_p_vts_array;
- if (tabstop_set(*varp, &(curbuf->b_p_vts_array)))
+ if (tabstop_set(*varp, &(curbuf->b_p_vts_array)) == OK)
{
vim_free(oldarray);
#ifdef FEAT_FOLDING
func Test_retab_error()
call assert_fails('retab -1', 'E487:')
call assert_fails('retab! -1', 'E487:')
+ call assert_fails('ret -1000', 'E487:')
+ call assert_fails('ret 10000', 'E475:')
+ call assert_fails('ret 80000000000000000000', 'E475:')
endfunc
" vim: shiftwidth=2 sts=2 expandtab
static int included_patches[] =
{ /* Add new patch number below this line */
+/**/
+ 3402,
/**/
3401,
/**/
projects / vim / commitdiff