vim-patch:9.2.0458: Crash with invalid shellredir/shellpipe value (#39691)

Problem:  Crash with invalid shellredir/shellpipe value
          (bfredl)
Solution: Validate the option and allow only a single "%s".

fixes:  vim/vim#20157
closes: vim/vim#20159

84ae09dd79

Co-authored-by: Christian Brabandt <cb@256bit.org>
(cherry picked from commit ffe87d91f7)

runtime/doc/options.txt

@@ -5618,6 +5618,7 @@ A jump table for the options with a short description can be found at |Q_op|.
 	Note: When using a pipe like "| tee", you'll lose the exit code of the
 	shell command.  This might be configurable by your shell, look for
 	the pipefail option (for bash and zsh, use ":set -o pipefail").
+	Only a single "%s" value is allowed.
 
 						*'shellquote'* *'shq'*
 'shellquote' 'shq'	string	(default ""; Windows, when 'shell'
@@ -5657,6 +5658,8 @@ A jump table for the options with a short description can be found at |Q_op|.
 	explicitly set before.
 	In the future pipes may be used for filtering and this option will
 	become obsolete (at least for Unix).
+								*E1577*
+	Only a single "%s" item is allowed in the option value.
 
 			*'shellslash'* *'ssl'* *'noshellslash'* *'nossl'*
 'shellslash' 'ssl'	boolean	(default on, Windows: off)

runtime/lua/vim/_meta/options.gen.lua

@@ -5874,6 +5874,7 @@ vim.go.shcf = vim.go.shellcmdflag
 --- Note: When using a pipe like "| tee", you'll lose the exit code of the
 --- shell command.  This might be configurable by your shell, look for
 --- the pipefail option (for bash and zsh, use ":set -o pipefail").
+--- Only a single "%s" value is allowed.
 ---
 --- @type string
 vim.o.shellpipe = "| tee"
@@ -5916,6 +5917,8 @@ vim.go.shq = vim.go.shellquote
 --- explicitly set before.
 --- In the future pipes may be used for filtering and this option will
 --- become obsolete (at least for Unix).
+--- 							*E1577*
+--- Only a single "%s" item is allowed in the option value.
 ---
 --- @type string
 vim.o.shellredir = ">"

src/nvim/errors.h

@@ -223,6 +223,7 @@ EXTERN const char e_cannot_have_more_than_nr_diff_anchors[] INIT( = N_("E1549: C
 EXTERN const char e_failed_to_find_all_diff_anchors[] INIT( = N_("E1550: Failed to find all diff anchors"));
 EXTERN const char e_diff_anchors_with_hidden_windows[] INIT( = N_("E1562: Diff anchors cannot be used with hidden diff windows"));
 EXTERN const char e_leadtab_requires_tab[] INIT( = N_("E1572: 'listchars' field \"leadtab\" requires \"tab\" to be specified"));
+EXTERN const char e_invalid_format_string_single_percent_s[] INIT( = N_("E1577: Invalid format string, only one \"%s\" is allowed"));
 
 EXTERN const char e_trustfile[] INIT(= N_("E5570: Cannot update trust file: %s"));
 EXTERN const char e_cannot_read_from_str_2[] INIT(= N_("E282: Cannot read from \"%s\""));

src/nvim/options.lua

@@ -7680,6 +7680,7 @@ local options = {
     },
     {
       abbreviation = 'sp',
+      cb = 'did_set_shellpipe_redir',
       defaults = {
         condition = 'MSWIN',
         if_false = '| tee',
@@ -7716,6 +7717,7 @@ local options = {
         Note: When using a pipe like "| tee", you'll lose the exit code of the
         shell command.  This might be configurable by your shell, look for
         the pipefail option (for bash and zsh, use ":set -o pipefail").
+        Only a single "%s" value is allowed.
       ]=],
       full_name = 'shellpipe',
       scope = { 'global' },
@@ -7751,6 +7753,7 @@ local options = {
     },
     {
       abbreviation = 'srr',
+      cb = 'did_set_shellpipe_redir',
       defaults = {
         condition = 'MSWIN',
         if_false = '>',
@@ -7777,6 +7780,8 @@ local options = {
         explicitly set before.
         In the future pipes may be used for filtering and this option will
         become obsolete (at least for Unix).
+        							*E1577*
+        Only a single "%s" item is allowed in the option value.
       ]=],
       full_name = 'shellredir',
       scope = { 'global' },

src/nvim/optionstr.c

@@ -1714,6 +1714,36 @@ const char *did_set_shada(optset_T *args)
   return NULL;
 }
 
+/// Validate 'shellpipe'/'shellredir' option.
+const char *did_set_shellpipe_redir(optset_T *args)
+{
+  bool seen = false;
+
+  for (char *p = args->os_newval.string.data; *p != NUL; p++) {
+    if (*p != '%') {
+      continue;
+    }
+    if (p[1] == NUL) {
+      return e_invalid_format_string_single_percent_s;
+    }
+    if (p[1] == '%') {
+      p++;    // skip second %
+      continue;
+    }
+
+    if (p[1] == 's') {
+      if (seen) {
+        return e_invalid_format_string_single_percent_s;
+      }
+      seen = true;
+      p++;    // consume 's'
+      continue;
+    }
+    return e_invalid_format_string_single_percent_s;
+  }
+  return NULL;
+}
+
 /// The 'shortmess' option is changed.
 const char *did_set_shortmess(optset_T *args)
 {

test/old/testdir/gen_opt_test.vim

@@ -326,6 +326,10 @@ let test_values = {
       \ 'sessionoptions': [['', 'blank', 'curdir', 'sesdir',
       \		'help,options,slash'],
       \		['xxx', 'curdir,sesdir']],
+      \ 'shellpipe': [[ '', '>', '>%s2>&1', '\|tee', '\|&tee', '2>&1\|tee', '%%'],
+      \		['%s%s%s', '%s%p%d']],
+      \ 'shellredir': [[ '', '>', '>%s2>&1', '\|tee', '\|&tee', '2>&1\|tee', '%%'],
+      \		['%s%s%s', '%s%p%d']],
       \ 'showcmdloc': [['last', 'statusline', 'tabline'], ['xxx']],
       "\ 'signcolumn': [['', 'auto', 'no', 'yes', 'number'], ['xxx', 'no,yes']],
       \ 'spellfile': [['', 'file.en.add', 'xxx.en.add,yyy.gb.add,zzz.ja.add',

test/old/testdir/test_options.vim

@@ -2590,6 +2590,8 @@ func Test_string_option_revert_on_failure()
         \ ['selection', 'exclusive', 'a123'],
         \ ['selectmode', 'cmd', 'a123'],
         \ ['sessionoptions', 'options', 'a123'],
+        \ ['shellpipe', '>%s', "%s%s%s"],
+        \ ['shellredir', '>%s', "%s%s%s"],
         \ ['shortmess', 'w', '2'],
         \ ['showbreak', '>>', "\x01"],
         \ ['showcmdloc', 'statusline', 'a123'],