From 701c863e68fa24847100beef3c9008024615a081 Mon Sep 17 00:00:00 2001 From: Christian Brabandt Date: Sun, 8 Sep 2024 20:05:23 +0200 Subject: [PATCH] patch 9.1.0722: crash with large id in text_prop interface Problem: crash with large id in text_prop interface prop_add()/prop_add_list() (cposture) Solution: Error out if the id is > INT_MAX or <= INT_MIN fixes: #15637 closes: #15638 Signed-off-by: Christian Brabandt --- runtime/doc/textprop.txt | 12 ++++++------ src/testdir/test_textprop.vim | 4 ++++ src/textprop.c | 22 ++++++++++++++++++++-- src/version.c | 2 ++ 4 files changed, 32 insertions(+), 8 deletions(-) diff --git a/runtime/doc/textprop.txt b/runtime/doc/textprop.txt index 6b46e06df9..0a04abbdb6 100644 --- a/runtime/doc/textprop.txt +++ b/runtime/doc/textprop.txt @@ -1,4 +1,4 @@ -*textprop.txt* For Vim version 9.1. Last change: 2024 Jun 08 +*textprop.txt* For Vim version 9.1. Last change: 2024 Sep 08 VIM REFERENCE MANUAL by Bram Moolenaar @@ -140,10 +140,10 @@ prop_add({lnum}, {col}, {props}) bufnr buffer to add the property to; when omitted the current buffer is used id user defined ID for the property; must be a - number, should be positive; when using "text" - then "id" must not be present and will be set - automatically to a negative number; otherwise - zero is used + number, should be positive |E1510|; + when using "text" then "id" must not be + present and will be set automatically to a + negative number; otherwise zero is used *E1305* text text to be displayed before {col}, or above/below the line if {col} is zero; prepend @@ -271,7 +271,7 @@ prop_add_list({props}, [{item}, ...]) *prop_add_list()* call prop_add_list(#{type: 'MyProp', id: 2}, \ [[1, 4, 1, 7], \ [1, 15, 1, 20], - \ [2, 30, 3, 30]] + \ [2, 30, 3, 30]]) < Can also be used as a |method|: > GetProp()->prop_add_list([[1, 1, 1, 2], [1, 4, 1, 8]]) diff --git a/src/testdir/test_textprop.vim b/src/testdir/test_textprop.vim index 57277f79e2..bbb911f959 100644 --- a/src/testdir/test_textprop.vim +++ b/src/testdir/test_textprop.vim @@ -393,6 +393,8 @@ func Test_prop_add_list() call assert_fails('call prop_add_list(test_null_dict(), [[2, 2, 2]])', 'E965:') call assert_fails('call prop_add_list(#{type: "one"}, test_null_list())', 'E1298:') call assert_fails('call prop_add_list(#{type: "one"}, [test_null_list()])', 'E714:') + call assert_fails('call prop_add_list(#{type: "one", id: 2147483648}, [[2, 2, 2, 2], [3, 20, 3, 22]])', 'E1510:') + call assert_fails('call prop_add_list(#{type: "one", id: -2147483648}, [[2, 2, 2, 2], [3, 20, 3, 22]])', 'E1510:') " only one error for multiple wrong values call assert_fails('call prop_add_list(#{type: "one"}, [[{}, [], 0z00, 0.3]])', ['E728:', 'E728:']) @@ -1780,6 +1782,8 @@ func Test_prop_func_invalid_args() call assert_fails("call prop_add(2, 3, {'type': 'xxx', 'length':-1})", 'E475:') call assert_fails("call prop_add(2, 3, {'type': 'xxx', 'end_col':0})", 'E475:') call assert_fails("call prop_add(2, 3, {'length':1})", 'E965:') + call assert_fails("call prop_add(2, 3, {'type': 'xxx', 'id': 2147483648})", 'E1510:') + call assert_fails("call prop_add(2, 3, {'type': 'xxx', 'id': -2147483648})", 'E1510:') call prop_type_delete('xxx') bwipe! diff --git a/src/textprop.c b/src/textprop.c index fe0c8d20cb..d16f8ecef3 100644 --- a/src/textprop.c +++ b/src/textprop.c @@ -372,7 +372,16 @@ f_prop_add_list(typval_T *argvars, typval_T *rettv UNUSED) type_name = dict_get_string(dict, "type", FALSE); if (dict_has_key(dict, "id")) - id = dict_get_number(dict, "id"); + { + vimlong_T x; + x = dict_get_number(dict, "id"); + if (x > INT_MAX || x <= INT_MIN) + { + semsg(_(e_val_too_large), dict_get_string(dict, "id", FALSE)); + return; + } + id = (int)x; + } if (get_bufnr_from_arg(&argvars[0], &buf) == FAIL) return; @@ -497,7 +506,16 @@ prop_add_common( end_col = 1; if (dict_has_key(dict, "id")) - id = dict_get_number(dict, "id"); + { + vimlong_T x; + x = dict_get_number(dict, "id"); + if (x > INT_MAX || x <= INT_MIN) + { + semsg(_(e_val_too_large), dict_get_string(dict, "id", FALSE)); + goto theend; + } + id = (int)x; + } if (dict_has_key(dict, "text")) { diff --git a/src/version.c b/src/version.c index eb88b0d914..4460bb16ec 100644 --- a/src/version.c +++ b/src/version.c @@ -704,6 +704,8 @@ static char *(features[]) = static int included_patches[] = { /* Add new patch number below this line */ +/**/ + 722, /**/ 721, /**/