patch 9.1.1262: heap-buffer-overflow with narrow 'pummaxwidth' value

Problem: heap-buffer-overflow occurs with narrow 'pummaxwidth' value (after v9.1.1250) Solution: test that st_end points after st pointer (Hirohito Higashi) closes: #17005 Signed-off-by: Hirohito Higashi <h.east.727@gmail.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
2025-03-30 15:19:05 +02:00
parent c6336acfe3
commit f13c856154
11 changed files with 130 additions and 1 deletions
--- a/src/popupmenu.c
+++ b/src/popupmenu.c
@ -845,7 +845,7 @@ pum_redraw(void)
 				    last_char = st_end;
 				}

-				if (last_char != NULL)
+				if (last_char != NULL && st_end > st)
 				{
 				    if (used_cells < ellipsis_width)
 				    {
--- a/src/testdir/dumps/Test_pum_maxwidth_with_many_items_01.dump
+++ b/src/testdir/dumps/Test_pum_maxwidth_with_many_items_01.dump
@ -0,0 +1,8 @@
+|f+0&#ffffff0|o@1> @71
+|f+0#0000001#e0e0e08|o@1| |f|o@1|K|i|n|d| |f|o@1|M|e|n|u| | +0#4040ff13#ffffff0@54
+|b+0#0000001#ffd7ff255|a|r| |b|a|r|K|i|n|d| |b|a|r|M|e|n|u| | +0#4040ff13#ffffff0@54
+|b+0#0000001#ffd7ff255|a|z| |b|a|z|K|i|n|d| |b|a|z|M|e|n|u| | +0#4040ff13#ffffff0@54
+|~| @73
+|~| @73
+|~| @73
+|~| @73
--- a/src/testdir/dumps/Test_pum_maxwidth_with_many_items_02.dump
+++ b/src/testdir/dumps/Test_pum_maxwidth_with_many_items_02.dump
@ -0,0 +1,8 @@
+|f+0&#ffffff0|o@1> @71
+|f+0#0000001#e0e0e08|o@1| |f|o@1|K|i|n|d| |f|o@1|M|e|n|u| +0#4040ff13#ffffff0@55
+|b+0#0000001#ffd7ff255|a|r| |b|a|r|K|i|n|d| |b|a|r|M|e|n|u| +0#4040ff13#ffffff0@55
+|b+0#0000001#ffd7ff255|a|z| |b|a|z|K|i|n|d| |b|a|z|M|e|n|u| +0#4040ff13#ffffff0@55
+|~| @73
+|~| @73
+|~| @73
+|~| @73
--- a/src/testdir/dumps/Test_pum_maxwidth_with_many_items_03.dump
+++ b/src/testdir/dumps/Test_pum_maxwidth_with_many_items_03.dump
@ -0,0 +1,8 @@
+|f+0&#ffffff0|o@1> @71
+|f+0#0000001#e0e0e08|o@1| |f|o@1|K|i|n|d| |f|o@1|.@2| +0#4040ff13#ffffff0@56
+|b+0#0000001#ffd7ff255|a|r| |b|a|r|K|i|n|d| |b|a|r|.@2| +0#4040ff13#ffffff0@56
+|b+0#0000001#ffd7ff255|a|z| |b|a|z|K|i|n|d| |b|a|z|.@2| +0#4040ff13#ffffff0@56
+|~| @73
+|~| @73
+|~| @73
+|~| @73
--- a/src/testdir/dumps/Test_pum_maxwidth_with_many_items_04.dump
+++ b/src/testdir/dumps/Test_pum_maxwidth_with_many_items_04.dump
@ -0,0 +1,8 @@
+|f+0&#ffffff0|o@1> @71
+|f+0#0000001#e0e0e08|o@1| |f|o@1|K|i|n|d| |f|.@2| +0#4040ff13#ffffff0@58
+|b+0#0000001#ffd7ff255|a|r| |b|a|r|K|i|n|d| |b|.@2| +0#4040ff13#ffffff0@58
+|b+0#0000001#ffd7ff255|a|z| |b|a|z|K|i|n|d| |b|.@2| +0#4040ff13#ffffff0@58
+|~| @73
+|~| @73
+|~| @73
+|~| @73
--- a/src/testdir/dumps/Test_pum_maxwidth_with_many_items_05.dump
+++ b/src/testdir/dumps/Test_pum_maxwidth_with_many_items_05.dump
@ -0,0 +1,8 @@
+|f+0&#ffffff0|o@1> @71
+|f+0#0000001#e0e0e08|o@1| |f|o@1|K|i|n|d| |f|o@1| +0#4040ff13#ffffff0@59
+|b+0#0000001#ffd7ff255|a|r| |b|a|r|K|i|n|d| |b|a|r| +0#4040ff13#ffffff0@59
+|b+0#0000001#ffd7ff255|a|z| |b|a|z|K|i|n|d| |b|a|z| +0#4040ff13#ffffff0@59
+|~| @73
+|~| @73
+|~| @73
+|~| @73
--- a/src/testdir/dumps/Test_pum_maxwidth_with_many_items_06.dump
+++ b/src/testdir/dumps/Test_pum_maxwidth_with_many_items_06.dump
@ -0,0 +1,8 @@
+|f+0&#ffffff0|o@1> @71
+|f+0#0000001#e0e0e08|o@1| |f|o@1|K|i|n|d| | +0#4040ff13#ffffff0@62
+|b+0#0000001#ffd7ff255|a|r| |b|a|r|K|i|n|d| | +0#4040ff13#ffffff0@62
+|b+0#0000001#ffd7ff255|a|z| |b|a|z|K|i|n|d| | +0#4040ff13#ffffff0@62
+|~| @73
+|~| @73
+|~| @73
+|~| @73
--- a/src/testdir/dumps/Test_pum_maxwidth_with_many_items_07.dump
+++ b/src/testdir/dumps/Test_pum_maxwidth_with_many_items_07.dump
@ -0,0 +1,8 @@
+|f+0&#ffffff0|o@1> @71
+|f+0#0000001#e0e0e08|o@1| |f|o@1|.@2| +0#4040ff13#ffffff0@64
+|b+0#0000001#ffd7ff255|a|r| |b|a|r|.@2| +0#4040ff13#ffffff0@64
+|b+0#0000001#ffd7ff255|a|z| |b|a|z|.@2| +0#4040ff13#ffffff0@64
+|~| @73
+|~| @73
+|~| @73
+|~| @73
--- a/src/testdir/dumps/Test_pum_maxwidth_with_many_items_08.dump
+++ b/src/testdir/dumps/Test_pum_maxwidth_with_many_items_08.dump
@ -0,0 +1,8 @@
+|f+0&#ffffff0|o@1> @71
+|f+0#0000001#e0e0e08| +0#4040ff13#ffffff0@73
+|b+0#0000001#ffd7ff255| +0#4040ff13#ffffff0@73
+|b+0#0000001#ffd7ff255| +0#4040ff13#ffffff0@73
+|~| @73
+|~| @73
+|~| @73
+|~| @73
--- a/src/testdir/test_popup.vim
+++ b/src/testdir/test_popup.vim
@ -2070,4 +2070,67 @@ func Test_pum_maxwidth_multibyte()
  call StopVimInTerminal(buf)
 endfunc

+func Test_pum_maxwidth_with_many_items()
+  CheckScreendump
+
+  let lines =<< trim END
+    func Omni_test(findstart, base)
+    if a:findstart
+      return col(".")
+    endif
+    return [
+      \ #{word: "foo", menu: "fooMenu", kind: "fooKind"},
+      \ #{word: "bar", menu: "barMenu", kind: "barKind"},
+      \ #{word: "baz", menu: "bazMenu", kind: "bazKind"},
+      \ ]
+    endfunc
+    set omnifunc=Omni_test
+  END
+  call writefile(lines, 'Xtest', 'D')
+  let  buf = RunVimInTerminal('-S Xtest', {})
+  call TermWait(buf)
+
+  call term_sendkeys(buf, ":set pummaxwidth=20\<CR>")
+  call term_sendkeys(buf, "S\<C-X>\<C-O>")
+  call VerifyScreenDump(buf, 'Test_pum_maxwidth_with_many_items_01', {'rows': 8})
+  call term_sendkeys(buf, "\<ESC>")
+
+  call term_sendkeys(buf, ":set pummaxwidth=19\<CR>")
+  call term_sendkeys(buf, "S\<C-X>\<C-O>")
+  call VerifyScreenDump(buf, 'Test_pum_maxwidth_with_many_items_02', {'rows': 8})
+  call term_sendkeys(buf, "\<ESC>")
+
+  call term_sendkeys(buf, ":set pummaxwidth=18\<CR>")   " display Ellipsis
+  call term_sendkeys(buf, "S\<C-X>\<C-O>")
+  call VerifyScreenDump(buf, 'Test_pum_maxwidth_with_many_items_03', {'rows': 8})
+  call term_sendkeys(buf, "\<ESC>")
+
+  call term_sendkeys(buf, ":set pummaxwidth=16\<CR>")   " display Ellipsis
+  call term_sendkeys(buf, "S\<C-X>\<C-O>")
+  call VerifyScreenDump(buf, 'Test_pum_maxwidth_with_many_items_04', {'rows': 8})
+  call term_sendkeys(buf, "\<ESC>")
+
+  call term_sendkeys(buf, ":set pummaxwidth=15\<CR>")
+  call term_sendkeys(buf, "S\<C-X>\<C-O>")
+  call VerifyScreenDump(buf, 'Test_pum_maxwidth_with_many_items_05', {'rows': 8})
+  call term_sendkeys(buf, "\<ESC>")
+
+  call term_sendkeys(buf, ":set pummaxwidth=12\<CR>")
+  call term_sendkeys(buf, "S\<C-X>\<C-O>")
+  call VerifyScreenDump(buf, 'Test_pum_maxwidth_with_many_items_06', {'rows': 8})
+  call term_sendkeys(buf, "\<ESC>")
+
+  call term_sendkeys(buf, ":set pummaxwidth=10\<CR>")   " display Ellipsis
+  call term_sendkeys(buf, "S\<C-X>\<C-O>")
+  call VerifyScreenDump(buf, 'Test_pum_maxwidth_with_many_items_07', {'rows': 8})
+  call term_sendkeys(buf, "\<ESC>")
+
+  call term_sendkeys(buf, ":set pummaxwidth=1\<CR>")
+  call term_sendkeys(buf, "S\<C-X>\<C-O>")
+  call VerifyScreenDump(buf, 'Test_pum_maxwidth_with_many_items_08', {'rows': 8})
+  call term_sendkeys(buf, "\<ESC>")
+
+  call StopVimInTerminal(buf)
+endfunc
+
 " vim: shiftwidth=2 sts=2 expandtab
--- a/src/version.c
+++ b/src/version.c
@ -704,6 +704,8 @@ static char *(features[]) =

 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    1262,
 /**/
    1261,
 /**/