authorYee Cheng Chin <ychin.git@gmail.com>2023-04-16 20:13:12 +0100
committerBram Moolenaar <Bram@vim.org>2023-04-16 20:13:12 +0100
commita77670726e3706973adffc2b118f4576e1f58ea0 (patch)
tree4543c5cb6900658a4c9eb0561fee0f6a5ec2f6c4
parentceff9cd1bb194f252c63da8e1c2dc7d6764d9d1f (diff)
downloadvim-git-9.0.1458.tar.gz
patch 9.0.1458: buffer overflow when expanding long file namev9.0.1458
Problem: Buffer overflow when expanding long file name. Solution: Use a larger buffer and avoid overflowing it. (Yee Cheng Chin, closes #12201)
-rw-r--r--src/filepath.c11
-rw-r--r--src/version.c2
2 files changed, 7 insertions, 6 deletions
diff --git a/src/filepath.c b/src/filepath.c
index 57e9fb295..79d4afb2e 100644
--- a/src/filepath.c
+++ b/src/filepath.c
@@ -938,9 +938,9 @@ f_filewritable(typval_T *argvars, typval_T *rettv)
static void
findfilendir(
- typval_T *argvars UNUSED,
+ typval_T *argvars,
typval_T *rettv,
- int find_what UNUSED)
+ int find_what)
{
char_u *fname;
char_u *fresult = NULL;
@@ -3685,7 +3685,6 @@ unix_expandpath(
int didstar) // expanded "**" once already
{
char_u *buf;
- size_t buflen;
char_u *path_end;
char_u *p, *s, *e;
int start_len = gap->ga_len;
@@ -3708,8 +3707,8 @@ unix_expandpath(
return 0;
}
- // make room for file name
- buflen = STRLEN(path) + BASENAMELEN + 5;
+ // make room for file name (a bit too much to stay on the safe side)
+ size_t buflen = STRLEN(path) + MAXPATHL;
buf = alloc(buflen);
if (buf == NULL)
return 0;
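Review bot: The new comment on the `buflen` line says the size is "a bit too much" but not what it has to cover, so a later change to this function cannot tell whether the headroom still holds. As far as the visible hunks show, `buf` receives the path prefix and then one directory entry name written at `s`, so the comment could state that: `// buf holds path plus one directory entry name; MAXPATHL is the headroom for that name and its NUL`. If unix_expandpath appends anything else to `buf` after the name (that code is outside this hunk), the comment should list it as well, since the allocation is the only thing bounding those writes.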
@@ -3828,7 +3827,7 @@ unix_expandpath(
|| ((flags & EW_NOTWILD)
&& fnamencmp(path + (s - buf), dp->d_name, e - s) == 0)))
{
- STRCPY(s, dp->d_name);
+ vim_strncpy(s, (char_u *)dp->d_name, buflen - (s - buf) - 1);
len = STRLEN(buf);
if (starstar && stardepth < 100)
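Review bot: The bounded `vim_strncpy` into `s` truncates silently, so an entry name longer than the remaining space would be carried forward as a shortened path that names a different or non-existent file. Skipping such an entry before the copy is safer, e.g. `if (STRLEN(dp->d_name) >= buflen - (size_t)(s - buf)) continue;`, assuming this sits inside the directory-reading loop, which starts outside the hunk. The bound also allows the name to fill `buf` up to its last byte, so anything appended after `len = STRLEN(buf)` further down (not visible here) is protected only by the `MAXPATHL` headroom, not by this check.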
diff --git a/src/version.c b/src/version.c
index ca4774dc3..018fcf5d6 100644
--- a/src/version.c
+++ b/src/version.c
@@ -696,6 +696,8 @@ static char *(features[]) =
static int included_patches[] =
{ /* Add new patch number below this line */
/**/
+ 1458,
+/**/
1457,
/**/
1456,