To: vim-dev@vim.org
Subject: Patch 7.2.307
Fcc: outbox
From: Bram Moolenaar <Bram@moolenaar.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
------------

Patch 7.2.307
Problem:    Crash with a very long syntax match statement. (Guy Gur Ari)
Solution:   When the offset does not fit in the two bytes available give an
            error instead of continuing with invalid pointers.
Files:      src/regexp.c


*** ../vim-7.2.306/src/regexp.c	2009-05-15 21:31:11.000000000 +0200
--- src/regexp.c	2009-11-25 18:13:03.000000000 +0100
***************
*** 583,588 ****
--- 583,589 ----
  #endif
  static char_u	*regcode;	/* Code-emit pointer, or JUST_CALC_SIZE */
  static long	regsize;	/* Code size. */
+ static int	reg_toolong;	/* TRUE when offset out of range */
  static char_u	had_endbrace[NSUBEXP];	/* flags, TRUE if end of () found */
  static unsigned	regflags;	/* RF_ flags for prog */
  static long	brace_min[10];	/* Minimums for complex brace repeats */
***************
*** 1028,1036 ****
      regcomp_start(expr, re_flags);
      regcode = r->program;
      regc(REGMAGIC);
!     if (reg(REG_NOPAREN, &flags) == NULL)
      {
  	vim_free(r);
  	return NULL;
      }
  
--- 1029,1039 ----
      regcomp_start(expr, re_flags);
      regcode = r->program;
      regc(REGMAGIC);
!     if (reg(REG_NOPAREN, &flags) == NULL || reg_toolong)
      {
  	vim_free(r);
+ 	if (reg_toolong)
+ 	    EMSG_RET_NULL(_("E339: Pattern too long"));
  	return NULL;
      }
  
***************
*** 1141,1146 ****
--- 1144,1150 ----
      re_has_z = 0;
  #endif
      regsize = 0L;
+     reg_toolong = FALSE;
      regflags = 0;
  #if defined(FEAT_SYN_HL) || defined(PROTO)
      had_eol = FALSE;
***************
*** 1228,1234 ****
      {
  	skipchr();
  	br = regbranch(&flags);
! 	if (br == NULL)
  	    return NULL;
  	regtail(ret, br);	/* BRANCH -> BRANCH. */
  	if (!(flags & HASWIDTH))
--- 1232,1238 ----
      {
  	skipchr();
  	br = regbranch(&flags);
! 	if (br == NULL || reg_toolong)
  	    return NULL;
  	regtail(ret, br);	/* BRANCH -> BRANCH. */
  	if (!(flags & HASWIDTH))
***************
*** 1313,1318 ****
--- 1317,1324 ----
  	    break;
  	skipchr();
  	regtail(latest, regnode(END)); /* operand ends */
+ 	if (reg_toolong)
+ 	    break;
  	reginsert(MATCH, latest);
  	chain = latest;
      }
***************
*** 1382,1388 ****
  			    break;
  	    default:
  			    latest = regpiece(&flags);
! 			    if (latest == NULL)
  				return NULL;
  			    *flagp |= flags & (HASWIDTH | HASNL | HASLOOKBH);
  			    if (chain == NULL)	/* First piece. */
--- 1388,1394 ----
  			    break;
  	    default:
  			    latest = regpiece(&flags);
! 			    if (latest == NULL || reg_toolong)
  				return NULL;
  			    *flagp |= flags & (HASWIDTH | HASNL | HASLOOKBH);
  			    if (chain == NULL)	/* First piece. */
***************
*** 2540,2547 ****
  	offset = (int)(scan - val);
      else
  	offset = (int)(val - scan);
!     *(scan + 1) = (char_u) (((unsigned)offset >> 8) & 0377);
!     *(scan + 2) = (char_u) (offset & 0377);
  }
  
  /*
--- 2546,2561 ----
  	offset = (int)(scan - val);
      else
  	offset = (int)(val - scan);
!     /* When the offset uses more than 16 bits it can no longer fit in the two
!      * bytes avaliable.  Use a global flag to avoid having to check return
!      * values in too many places. */
!     if (offset > 0xffff)
! 	reg_toolong = TRUE;
!     else
!     {
! 	*(scan + 1) = (char_u) (((unsigned)offset >> 8) & 0377);
! 	*(scan + 2) = (char_u) (offset & 0377);
!     }
  }
  
  /*
***************
*** 5764,5769 ****
--- 5778,5785 ----
  
  /*
   * regnext - dig the "next" pointer out of a node
+  * Returns NULL when calculating size, when there is no next item and when
+  * there is an error.
   */
      static char_u *
  regnext(p)
***************
*** 5771,5777 ****
  {
      int	    offset;
  
!     if (p == JUST_CALC_SIZE)
  	return NULL;
  
      offset = NEXT(p);
--- 5787,5793 ----
  {
      int	    offset;
  
!     if (p == JUST_CALC_SIZE || reg_toolong)
  	return NULL;
  
      offset = NEXT(p);
*** ../vim-7.2.306/src/version.c	2009-11-25 17:15:16.000000000 +0100
--- src/version.c	2009-11-25 18:14:32.000000000 +0100
***************
*** 683,684 ****
--- 683,686 ----
  {   /* Add new patch number below this line */
+ /**/
+     307,
  /**/

-- 
The fastest way to get an engineer to solve a problem is to declare that the
problem is unsolvable.  No engineer can walk away from an unsolvable problem
until it's solved.
				(Scott Adams - The Dilbert principle)

 /// Bram Moolenaar -- Bram@Moolenaar.net -- http://www.Moolenaar.net   \\\
///        sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\
\\\        download, build and distribute -- http://www.A-A-P.org        ///
 \\\            help me help AIDS victims -- http://ICCF-Holland.org    ///