From cdd09aa51a8d34bb384460af4f91026dbff5bf48 Mon Sep 17 00:00:00 2001 From: Bram Moolenaar Date: Sun, 11 Feb 2018 15:38:40 +0100 Subject: [PATCH] patch 8.0.1503: access memory beyond end of string Problem: Access memory beyond end of string. (Coverity) Solution: Keep allocated memory in separate pointer. Avoid outputting the NUL character. --- src/hardcopy.c | 13 ++++--------- src/version.c | 2 ++ 2 files changed, 6 insertions(+), 9 deletions(-) diff --git a/src/hardcopy.c b/src/hardcopy.c index 96fab2048..91f62c39f 100644 --- a/src/hardcopy.c +++ b/src/hardcopy.c @@ -3382,6 +3382,7 @@ mch_print_text_out(char_u *p, int len UNUSED) #ifdef FEAT_MBYTE int in_ascii; int half_width; + char_u *tofree = NULL; #endif char_width = prt_char_width; @@ -3507,19 +3508,15 @@ mch_print_text_out(char_u *p, int len UNUSED) #ifdef FEAT_MBYTE if (prt_do_conv) - { /* Convert from multi-byte to 8-bit encoding */ - p = string_convert(&prt_conv, p, &len); - if (p == NULL) - p = (char_u *)""; - } + tofree = p = string_convert(&prt_conv, p, &len); if (prt_out_mbyte) { /* Multi-byte character strings are represented more efficiently as hex * strings when outputting clean 8 bit PS. */ - do + while (len-- > 0) { ch = prt_hexchar[(unsigned)(*p) >> 4]; ga_append(&prt_ps_buffer, ch); @@ -3527,7 +3524,6 @@ mch_print_text_out(char_u *p, int len UNUSED) ga_append(&prt_ps_buffer, ch); p++; } - while (--len); } else #endif @@ -3574,8 +3570,7 @@ mch_print_text_out(char_u *p, int len UNUSED) #ifdef FEAT_MBYTE /* Need to free any translated characters */ - if (prt_do_conv && (*p != NUL)) - vim_free(p); + vim_free(tofree); #endif prt_text_run += char_width; diff --git a/src/version.c b/src/version.c index 62fd9edce..5c72d8d73 100644 --- a/src/version.c +++ b/src/version.c @@ -771,6 +771,8 @@ static char *(features[]) = static int included_patches[] = { /* Add new patch number below this line */ +/**/ + 1503, /**/ 1502, /**/ -- 2.50.1