patch 9.1.1469: potential buffer-underflow with invalid hl_id

Problem:  potential buffer-underflow with invalid hl_id (mugitya03)
Solution: assert that the return-code of syn_get_final_id() is > 0

As a safety check, syn_get_final_id() may return zero when either the
provided hl_id is zero or larger than expected.

However, many callers of syn_get_final_id() do not check that the return
value is larger than zero but re-use the returned highlight id directly
like this:

  hl_id = syn_get_final_id(hl_id);
  sgp = &HL_TABLE()[hl_id - 1];	    // index is ID minus one

in which case, this would cause a buffer underrun and an access violation.

Let's use assert(hl_id > 0); to make sure that hl_id is larger than
zero.

Note to myself: I'll need to compile releases builds using -DNDEBUG once
a new release will be made

fixes: #17475
closes: #17512

Signed-off-by: Christian Brabandt <cb@256bit.org>
Christian Brabandt
2025-06-18 18:28:19 +02:00
parent 03e5ee25fd
commit 9d065a4862
3 changed files with 9 additions and 0 deletions


@ -115,6 +115,7 @@ MINOR = 1
# - With these features: "make depend" (works best with gcc). # - With these features: "make depend" (works best with gcc).
# - If you have a lint program: "make lint" and check the output (ignore GTK # - If you have a lint program: "make lint" and check the output (ignore GTK
# warnings). # warnings).
# - compile release versions using -DNDEBUG to disable assert()s
# - If you have valgrind, enable it in src/testdir/Makefile and run "make # - If you have valgrind, enable it in src/testdir/Makefile and run "make
# test". Enable EXITFREE, disable GUI, scheme and tcl to avoid false alarms. # test". Enable EXITFREE, disable GUI, scheme and tcl to avoid false alarms.
# Check the valgrind output. # Check the valgrind output.


@ -3689,6 +3689,8 @@ syn_id2attr(int hl_id)
hl_group_T *sgp; hl_group_T *sgp;
hl_id = syn_get_final_id(hl_id); hl_id = syn_get_final_id(hl_id);
// shouldn't happen
assert(hl_id > 0);
sgp = &HL_TABLE()[hl_id - 1]; // index is ID minus one sgp = &HL_TABLE()[hl_id - 1]; // index is ID minus one
#ifdef FEAT_GUI #ifdef FEAT_GUI
@ -3716,6 +3718,8 @@ syn_id2colors(int hl_id, guicolor_T *fgp, guicolor_T *bgp)
hl_group_T *sgp; hl_group_T *sgp;
hl_id = syn_get_final_id(hl_id); hl_id = syn_get_final_id(hl_id);
// shouldn't happen
assert(hl_id > 0);
sgp = &HL_TABLE()[hl_id - 1]; // index is ID minus one sgp = &HL_TABLE()[hl_id - 1]; // index is ID minus one
*fgp = sgp->sg_gui_fg; *fgp = sgp->sg_gui_fg;
@ -3734,6 +3738,8 @@ syn_id2cterm_bg(int hl_id, int *fgp, int *bgp)
hl_group_T *sgp; hl_group_T *sgp;
hl_id = syn_get_final_id(hl_id); hl_id = syn_get_final_id(hl_id);
// shouldn't happen
assert(hl_id > 0);
sgp = &HL_TABLE()[hl_id - 1]; // index is ID minus one sgp = &HL_TABLE()[hl_id - 1]; // index is ID minus one
*fgp = sgp->sg_cterm_fg - 1; *fgp = sgp->sg_cterm_fg - 1;
*bgp = sgp->sg_cterm_bg - 1; *bgp = sgp->sg_cterm_bg - 1;
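Review bot: The `assert(hl_id > 0);` added in syn_id2attr(), syn_id2colors() and syn_id2cterm_bg() is compiled out under -DNDEBUG, which the commit message and the Makefile note say release builds will use, so in those builds a zero from syn_get_final_id() still reaches `&HL_TABLE()[hl_id - 1]` and reads before the start of the table. In builds that keep asserts, the same condition aborts the editor instead, which turns an invalid highlight id into a crash with possible loss of unsaved work. A runtime guard placed before the index would cover both build types, for example `if (hl_id <= 0) return 0;` in syn_id2attr(), with the other two functions assigning a "no colour" value to `*fgp` and `*bgp` before returning. All three function bodies start and end outside the hunks, so the appropriate fallback values need to be confirmed against the full definitions. The comment `// shouldn't happen` could also state when it does happen: per the commit message, syn_get_final_id() returns zero for a zero or out-of-range id.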


@ -709,6 +709,8 @@ static char *(features[]) =
static int included_patches[] = static int included_patches[] =
{ /* Add new patch number below this line */ { /* Add new patch number below this line */
/**/
1469,
/**/ /**/
1468, 1468,
/**/ /**/