mirrors/neovim
1
0
Fork 0
mirror of https://github.com/neovim/neovim.git synced 2025-09-17 08:48:16 +00:00
Code Issues Packages Projects Releases Wiki Activity

vim-patch:8.2.4206: condition with many "(" causes a crash

Browse Source 
Problem:    Condition with many "(" causes a crash.
Solution:   Limit recursion to 1000.

fe6fb267e6

Co-authored-by: Bram Moolenaar <Bram@vim.org>
This commit is contained in:
zeertzjq
2022-10-27 11:40:38 +08:00
parent b793395019
commit 807c6bb909
2 changed files with 17 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
src/nvim/eval.c
View File

@@ -65,6 +65,7 @@ static char *e_nowhitespace
= N_("E274: No white space allowed before parenthesis");
static char *e_write2 = N_("E80: Error while writing: %s");
static char *e_string_list_or_blob_required = N_("E1098: String, List or Blob required");
static char e_expression_too_recursive_str[] = N_("E1169: Expression too recursive: %s");
static char * const namespace_char = "abglstvw";
@@ -2911,6 +2912,7 @@ static int eval7(char **arg, typval_T *rettv, int evaluate, int want_string)
const char *start_leader, *end_leader;
int ret = OK;
char *alias;
static int recurse = 0;
// Initialise variable so that tv_clear() can't mistake this for a
// string and free a string that isn't there.
@@ -2923,6 +2925,14 @@ static int eval7(char **arg, typval_T *rettv, int evaluate, int want_string)
}
end_leader = *arg;
// Limit recursion to 1000 levels. At least at 10000 we run out of stack
// and crash.
if (recurse == 1000) {
semsg(_(e_expression_too_recursive_str), *arg);
return FAIL;
}
recurse++;
switch (**arg) {
// Number constant.
case '0':
@@ -3127,6 +3137,8 @@ static int eval7(char **arg, typval_T *rettv, int evaluate, int want_string)
if (ret == OK && evaluate && end_leader > start_leader) {
ret = eval7_leader(rettv, (char *)start_leader, &end_leader);
}
recurse--;
return ret;
}