diff options
| author | Bram Moolenaar <Bram@vim.org> | 2021-11-25 10:50:12 +0000 |
|---|---|---|
| committer | Bram Moolenaar <Bram@vim.org> | 2021-11-25 10:50:12 +0000 |
| commit | bd228fd097b41a798f90944b5d1245eddd484142 (patch) | |
| tree | ed9a086f58a1ce7dc970be1fc3495fd278dd4936 | |
| parent | bb277fd89fd7c665d51be2a08993732d46c208ef (diff) | |
| download | vim-git-bd228fd097b41a798f90944b5d1245eddd484142.tar.gz | |
patch 8.2.3669: buffer overflow with long help argumentv8.2.3669
Problem: Buffer overflow with long help argument.
Solution: Use snprintf().
| -rw-r--r-- | src/help.c | 3 | ||||
| -rw-r--r-- | src/testdir/test_help.vim | 9 | ||||
| -rw-r--r-- | src/version.c | 2 |
3 files changed, 12 insertions, 2 deletions
diff --git a/src/help.c b/src/help.c index 28d914c82..d67f78b08 100644 --- a/src/help.c +++ b/src/help.c @@ -422,8 +422,7 @@ find_help_tags( || (vim_strchr((char_u *)"%_z@", arg[1]) != NULL && arg[2] != NUL))) { - STRCPY(d, "/\\\\"); - STRCPY(d + 3, arg + 1); + vim_snprintf((char *)d, IOSIZE, "/\\\\%s", arg + 1); // Check for "/\\_$", should be "/\\_\$" if (d[3] == '_' && d[4] == '$') STRCPY(d + 4, "\\$"); diff --git a/src/testdir/test_help.vim b/src/testdir/test_help.vim index 15cc642d1..6e32edd36 100644 --- a/src/testdir/test_help.vim +++ b/src/testdir/test_help.vim @@ -134,4 +134,13 @@ func Test_help_window_height() close endfunc +func Test_help_long_argument() + try + exe 'help \%' .. repeat('0', 1021) + catch + call assert_match("E149:", v:exception) + endtry +endfunc + + " vim: shiftwidth=2 sts=2 expandtab diff --git a/src/version.c b/src/version.c index a225e182f..da5871e32 100644 --- a/src/version.c +++ b/src/version.c @@ -758,6 +758,8 @@ static char *(features[]) = static int included_patches[] = { /* Add new patch number below this line */ /**/ + 3669, +/**/ 3668, /**/ 3667, |