patch 8.0.0337: invalid memory access in :recover command

author Bram Moolenaar <Bram@vim.org>

Sat, 18 Feb 2017 15:59:02 +0000 (16:59 +0100)

committer Bram Moolenaar <Bram@vim.org>

Sat, 18 Feb 2017 15:59:02 +0000 (16:59 +0100)
author Bram Moolenaar <Bram@vim.org>
Sat, 18 Feb 2017 15:59:02 +0000 (16:59 +0100)
committer Bram Moolenaar <Bram@vim.org>
Sat, 18 Feb 2017 15:59:02 +0000 (16:59 +0100)
diff --git a/src/Makefile b/src/Makefile

index 52c74f20e9cf5c09bc45e428e37575e93a2a5784..b5d39ec2c19d60d214ef755fcfea414749e2db63 100644 (file)
--- a/src/Makefile
+++ b/src/Makefile
@@ -2177,6 +2177,7 @@ test_arglist \
         test_pyx2 \
         test_pyx3 \
         test_quickfix \
+       test_recover \
         test_regexp_latin \
         test_regexp_utf8 \
         test_reltime \
diff --git a/src/memline.c b/src/memline.c

index 5874b5d69de7da263e68f113a51b2ff462a1c00c..df799b1b25cb34442e83d2b1ac0896a1700f021a 100644 (file)
--- a/src/memline.c
+++ b/src/memline.c
@@ -1863,8 +1863,10 @@ recover_names(
             else
             {
  #if defined(UNIX) || defined(WIN3264)
-               p = dir_name + STRLEN(dir_name);
-               if (after_pathsep(dir_name, p) && p[-1] == p[-2])
+               int     len = STRLEN(dir_name);
+
+               p = dir_name + len;
+               if (after_pathsep(dir_name, p) && len > 1 && p[-1] == p[-2])
                 {
                     /* Ends with '//', Use Full path for swap name */
                     tail = make_percent_swname(dir_name, fname_res);
@@ -3922,8 +3924,10 @@ makeswapname(
  #endif
  
  #if defined(UNIX) || defined(WIN3264)  /* Need _very_ long file names */
-    s = dir_name + STRLEN(dir_name);
-    if (after_pathsep(dir_name, s) && s[-1] == s[-2])
+    int                len = STRLEN(dir_name);
+
+    s = dir_name + len;
+    if (after_pathsep(dir_name, s) && len > 1 && s[-1] == s[-2])
      {                         /* Ends with '//', Use Full path */
         r = NULL;
         if ((s = make_percent_swname(dir_name, fname)) != NULL)
diff --git a/src/testdir/test_alot.vim b/src/testdir/test_alot.vim

index d43ae4f1b7af7230fbda8ef08dd54ba43f197f2e..ef0edc742e9cff9ca540df9f6f28b175d6b57844 100644 (file)
--- a/src/testdir/test_alot.vim
+++ b/src/testdir/test_alot.vim
@@ -34,6 +34,7 @@ source test_messages.vim
  source test_partial.vim
  source test_popup.vim
  source test_put.vim
+source test_recover.vim
  source test_reltime.vim
  source test_searchpos.vim
  source test_set.vim
diff --git a/src/testdir/test_recover.vim b/src/testdir/test_recover.vim

new file mode 100644 (file)

index 0000000..aa291b1
--- /dev/null
+++ b/src/testdir/test_recover.vim
@@ -0,0 +1,14 @@
+" Test :recover
+
+func Test_recover_root_dir()
+  " This used to access invalid memory.
+  split Xtest
+  set dir=/
+  call assert_fails('recover', 'E305:')
+  close!
+
+  call assert_fails('split Xtest', 'E303:')
+  set dir&
+endfunc
+
+" TODO: move recover tests from test78.in to here.
diff --git a/src/version.c b/src/version.c

index df77e82c7a79452181fbaf722585c543d75106a5..73f99290b4456769218feaf8a0308c17a8d1c584 100644 (file)
--- a/src/version.c
+++ b/src/version.c
@@ -764,6 +764,8 @@ static char *(features[]) =
  
  static int included_patches[] =
  {   /* Add new patch number below this line */
+/**/
+    337,
  /**/
      336,
  /**/
author	Bram Moolenaar <Bram@vim.org>
	Sat, 18 Feb 2017 15:59:02 +0000 (16:59 +0100)
committer	Bram Moolenaar <Bram@vim.org>
	Sat, 18 Feb 2017 15:59:02 +0000 (16:59 +0100)
src/Makefile		patch \| blob \| history
src/memline.c		patch \| blob \| history
src/testdir/test_alot.vim		patch \| blob \| history
src/testdir/test_recover.vim	[new file with mode: 0644]	patch \| blob
src/version.c		patch \| blob \| history