patch 9.1.0722: crash with large id in text_prop interface
Problem:  crash with large id in text_prop interface
          prop_add()/prop_add_list() (cposture)
Solution: Error out if the id is > INT_MAX or <= INT_MIN
fixes: #15637
closes: #15638
Signed-off-by: Christian Brabandt <cb@256bit.org>
			
			
This commit is contained in:
		| @ -1,4 +1,4 @@ | |||||||
| *textprop.txt*  For Vim version 9.1.  Last change: 2024 Jun 08 | *textprop.txt*  For Vim version 9.1.  Last change: 2024 Sep 08 | ||||||
|  |  | ||||||
|  |  | ||||||
| 		  VIM REFERENCE MANUAL    by Bram Moolenaar | 		  VIM REFERENCE MANUAL    by Bram Moolenaar | ||||||
| @ -140,10 +140,10 @@ prop_add({lnum}, {col}, {props}) | |||||||
| 		   bufnr	buffer to add the property to; when omitted | 		   bufnr	buffer to add the property to; when omitted | ||||||
| 				the current buffer is used | 				the current buffer is used | ||||||
| 		   id		user defined ID for the property; must be a | 		   id		user defined ID for the property; must be a | ||||||
| 				number, should be positive; when using "text" | 				number, should be positive |E1510|; | ||||||
| 				then "id" must not be present and will be set | 				when using "text" then "id" must not be | ||||||
| 				automatically to a negative number; otherwise | 				present and will be set automatically to a | ||||||
| 				zero is used | 				negative number; otherwise zero is used | ||||||
| 							*E1305* | 							*E1305* | ||||||
| 		   text		text to be displayed before {col}, or | 		   text		text to be displayed before {col}, or | ||||||
| 				above/below the line if {col} is zero; prepend | 				above/below the line if {col} is zero; prepend | ||||||
| @ -271,7 +271,7 @@ prop_add_list({props}, [{item}, ...])			*prop_add_list()* | |||||||
| 			call prop_add_list(#{type: 'MyProp', id: 2}, | 			call prop_add_list(#{type: 'MyProp', id: 2}, | ||||||
| 					\ [[1, 4, 1, 7], | 					\ [[1, 4, 1, 7], | ||||||
| 					\  [1, 15, 1, 20], | 					\  [1, 15, 1, 20], | ||||||
| 					\  [2, 30, 3, 30]] | 					\  [2, 30, 3, 30]]) | ||||||
| < | < | ||||||
| 		Can also be used as a |method|: > | 		Can also be used as a |method|: > | ||||||
| 			GetProp()->prop_add_list([[1, 1, 1, 2], [1, 4, 1, 8]]) | 			GetProp()->prop_add_list([[1, 1, 1, 2], [1, 4, 1, 8]]) | ||||||
|  | |||||||
| @ -393,6 +393,8 @@ func Test_prop_add_list() | |||||||
|   call assert_fails('call prop_add_list(test_null_dict(), [[2, 2, 2]])', 'E965:') |   call assert_fails('call prop_add_list(test_null_dict(), [[2, 2, 2]])', 'E965:') | ||||||
|   call assert_fails('call prop_add_list(#{type: "one"}, test_null_list())', 'E1298:') |   call assert_fails('call prop_add_list(#{type: "one"}, test_null_list())', 'E1298:') | ||||||
|   call assert_fails('call prop_add_list(#{type: "one"}, [test_null_list()])', 'E714:') |   call assert_fails('call prop_add_list(#{type: "one"}, [test_null_list()])', 'E714:') | ||||||
|  |   call assert_fails('call prop_add_list(#{type: "one", id: 2147483648}, [[2, 2, 2, 2], [3, 20, 3, 22]])', 'E1510:') | ||||||
|  |   call assert_fails('call prop_add_list(#{type: "one", id: -2147483648}, [[2, 2, 2, 2], [3, 20, 3, 22]])', 'E1510:') | ||||||
|  |  | ||||||
|   " only one error for multiple wrong values |   " only one error for multiple wrong values | ||||||
|   call assert_fails('call prop_add_list(#{type: "one"}, [[{}, [], 0z00, 0.3]])', ['E728:', 'E728:']) |   call assert_fails('call prop_add_list(#{type: "one"}, [[{}, [], 0z00, 0.3]])', ['E728:', 'E728:']) | ||||||
| @ -1780,6 +1782,8 @@ func Test_prop_func_invalid_args() | |||||||
|   call assert_fails("call prop_add(2, 3, {'type': 'xxx', 'length':-1})", 'E475:') |   call assert_fails("call prop_add(2, 3, {'type': 'xxx', 'length':-1})", 'E475:') | ||||||
|   call assert_fails("call prop_add(2, 3, {'type': 'xxx', 'end_col':0})", 'E475:') |   call assert_fails("call prop_add(2, 3, {'type': 'xxx', 'end_col':0})", 'E475:') | ||||||
|   call assert_fails("call prop_add(2, 3, {'length':1})", 'E965:') |   call assert_fails("call prop_add(2, 3, {'length':1})", 'E965:') | ||||||
|  |   call assert_fails("call prop_add(2, 3, {'type': 'xxx', 'id': 2147483648})", 'E1510:') | ||||||
|  |   call assert_fails("call prop_add(2, 3, {'type': 'xxx', 'id': -2147483648})", 'E1510:') | ||||||
|  |  | ||||||
|   call prop_type_delete('xxx') |   call prop_type_delete('xxx') | ||||||
|   bwipe! |   bwipe! | ||||||
|  | |||||||
| @ -372,7 +372,16 @@ f_prop_add_list(typval_T *argvars, typval_T *rettv UNUSED) | |||||||
|     type_name = dict_get_string(dict, "type", FALSE); |     type_name = dict_get_string(dict, "type", FALSE); | ||||||
|  |  | ||||||
|     if (dict_has_key(dict, "id")) |     if (dict_has_key(dict, "id")) | ||||||
| 	id = dict_get_number(dict, "id"); |     { | ||||||
|  | 	vimlong_T x; | ||||||
|  | 	x = dict_get_number(dict, "id"); | ||||||
|  | 	if (x > INT_MAX || x  <= INT_MIN) | ||||||
|  | 	{ | ||||||
|  | 	    semsg(_(e_val_too_large), dict_get_string(dict, "id", FALSE)); | ||||||
|  | 	    return; | ||||||
|  | 	} | ||||||
|  | 	id = (int)x; | ||||||
|  |     } | ||||||
|  |  | ||||||
|     if (get_bufnr_from_arg(&argvars[0], &buf) == FAIL) |     if (get_bufnr_from_arg(&argvars[0], &buf) == FAIL) | ||||||
| 	return; | 	return; | ||||||
| @ -497,7 +506,16 @@ prop_add_common( | |||||||
| 	end_col = 1; | 	end_col = 1; | ||||||
|  |  | ||||||
|     if (dict_has_key(dict, "id")) |     if (dict_has_key(dict, "id")) | ||||||
| 	id = dict_get_number(dict, "id"); |     { | ||||||
|  | 	vimlong_T x; | ||||||
|  | 	x = dict_get_number(dict, "id"); | ||||||
|  | 	if (x > INT_MAX || x  <= INT_MIN) | ||||||
|  | 	{ | ||||||
|  | 	    semsg(_(e_val_too_large), dict_get_string(dict, "id", FALSE)); | ||||||
|  | 	    goto theend; | ||||||
|  | 	} | ||||||
|  | 	id = (int)x; | ||||||
|  |     } | ||||||
|  |  | ||||||
|     if (dict_has_key(dict, "text")) |     if (dict_has_key(dict, "text")) | ||||||
|     { |     { | ||||||
|  | |||||||
| @ -704,6 +704,8 @@ static char *(features[]) = | |||||||
|  |  | ||||||
| static int included_patches[] = | static int included_patches[] = | ||||||
| {   /* Add new patch number below this line */ | {   /* Add new patch number below this line */ | ||||||
|  | /**/ | ||||||
|  |     722, | ||||||
| /**/ | /**/ | ||||||
|     721, |     721, | ||||||
| /**/ | /**/ | ||||||
|  | |||||||
		Reference in New Issue
	
	Block a user