patch 8.0.1421: accessing invalid memory with overlong byte sequence

Problem:    Accessing invalid memory with overlong byte sequence.
Solution:   Check for NUL character. (test by Dominique Pelle, closes #2485)

diff --git a/src/misc2.c b/src/misc2.c
index 460ea74895b6f90edb3f10c7711bf91ffee4a038..66aeee01b7d06588564050d292d4be8044fa6eb3 100644 (file)
--- a/src/misc2.c
+++ b/src/misc2.c
@@ -1622,11 +1622,17 @@ strup_save(char_u *orig)
                char_u  *s;
 
                c = utf_ptr2char(p);
+               l = utf_ptr2len(p);
+               if (c == 0)
+               {
+                   /* overlong sequence, use only the first byte */
+                   c = *p;
+                   l = 1;
+               }
                uc = utf_toupper(c);
 
                /* Reallocate string when byte count changes.  This is rare,
                 * thus it's OK to do another malloc()/free(). */
-               l = utf_ptr2len(p);
                newl = utf_char2len(uc);
                if (newl != l)
                {
@@ -1685,11 +1691,17 @@ strlow_save(char_u *orig)
                char_u  *s;
 
                c = utf_ptr2char(p);
+               l = utf_ptr2len(p);
+               if (c == 0)
+               {
+                   /* overlong sequence, use only the first byte */
+                   c = *p;
+                   l = 1;
+               }
                lc = utf_tolower(c);
 
                /* Reallocate string when byte count changes.  This is rare,
                 * thus it's OK to do another malloc()/free(). */
-               l = utf_ptr2len(p);
                newl = utf_char2len(lc);
                if (newl != l)
                {

diff --git a/src/testdir/test_functions.vim b/src/testdir/test_functions.vim
index 20e4280c155618e8ea407708cbae4b38545a83d2..ffc3bc3785751bb2b24d835dcbf31e51c9aca0fc 100644 (file)
--- a/src/testdir/test_functions.vim
+++ b/src/testdir/test_functions.vim
@@ -268,6 +268,11 @@ func Test_tolower()
   " Ⱥ (U+023A) and Ⱦ (U+023E) are the *only* code points to increase
   " in length (2 to 3 bytes) when lowercased. So let's test them.
   call assert_equal("ⱥ ⱦ", tolower("Ⱥ Ⱦ"))
+
+  " This call to tolower with invalid utf8 sequence used to cause access to
+  " invalid memory.
+  call tolower("\xC0\x80\xC0")
+  call tolower("123\xC0\x80\xC0")
 endfunc
 
 func Test_toupper()
@@ -338,6 +343,11 @@ func Test_toupper()
   call assert_equal("ZŹŻŽƵẐẔ", toupper("ZŹŻŽƵẐẔ"))
 
   call assert_equal("Ⱥ Ⱦ", toupper("ⱥ ⱦ"))
+
+  " This call to toupper with invalid utf8 sequence used to cause access to
+  " invalid memory.
+  call toupper("\xC0\x80\xC0")
+  call toupper("123\xC0\x80\xC0")
 endfunc
 
 " Tests for the mode() function

diff --git a/src/version.c b/src/version.c
index 1a217e7b675e21964395aad45604dcb5725eaca6..943469fb9b62f1c6e2d81ea93b71728c46ac436e 100644 (file)
--- a/src/version.c
+++ b/src/version.c
@@ -771,6 +771,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    1421,
 /**/
     1420,
 /**/