author | Yee Cheng Chin <ychin.git@gmail.com> | 2023-04-16 20:13:12 +0100 |
---|---|---|
committer | Bram Moolenaar <Bram@vim.org> | 2023-04-16 20:13:12 +0100 |
commit | a77670726e3706973adffc2b118f4576e1f58ea0 (patch) | |
tree | 4543c5cb6900658a4c9eb0561fee0f6a5ec2f6c4 | |
parent | ceff9cd1bb194f252c63da8e1c2dc7d6764d9d1f (diff) | |
patch 9.0.1458: buffer overflow when expanding long file namev9.0.1458
Problem: Buffer overflow when expanding long file name.
Solution: Use a larger buffer and avoid overflowing it. (Yee Cheng Chin,
closes #12201)
-rw-r--r-- | src/filepath.c | 11 | ||||
-rw-r--r-- | src/version.c | 2 |
2 files changed, 7 insertions, 6 deletions
diff --git a/src/filepath.c b/src/filepath.c index 57e9fb295..79d4afb2e 100644 --- a/src/filepath.c +++ b/src/filepath.c @@ -938,9 +938,9 @@ f_filewritable(typval_T *argvars, typval_T *rettv) static void findfilendir( - typval_T *argvars UNUSED, + typval_T *argvars, typval_T *rettv, - int find_what UNUSED) + int find_what) { char_u *fname; char_u *fresult = NULL; @@ -3685,7 +3685,6 @@ unix_expandpath( int didstar) // expanded "**" once already { char_u *buf; - size_t buflen; char_u *path_end; char_u *p, *s, *e; int start_len = gap->ga_len; @@ -3708,8 +3707,8 @@ unix_expandpath( return 0; } - // make room for file name - buflen = STRLEN(path) + BASENAMELEN + 5; + // make room for file name (a bit too much to stay on the safe side) + size_t buflen = STRLEN(path) + MAXPATHL; buf = alloc(buflen); if (buf == NULL) return 0; @@ -3828,7 +3827,7 @@ unix_expandpath( || ((flags & EW_NOTWILD) && fnamencmp(path + (s - buf), dp->d_name, e - s) == 0))) { - STRCPY(s, dp->d_name); + vim_strncpy(s, (char_u *)dp->d_name, buflen - (s - buf) - 1); len = STRLEN(buf); if (starstar && stardepth < 100) diff --git a/src/version.c b/src/version.c index ca4774dc3..018fcf5d6 100644 --- a/src/version.c +++ b/src/version.c @@ -696,6 +696,8 @@ static char *(features[]) = static int included_patches[] = { /* Add new patch number below this line */ /**/ + 1458, +/**/ 1457, /**/ 1456, |
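Review bot: In the unix_expandpath() hunk at -3708, the new comment on `size_t buflen = STRLEN(path) + MAXPATHL;` says only that the size is "a bit too much", so a reader cannot tell what the margin has to hold. I would state the invariant instead, e.g. `// room for path plus one directory entry name and whatever is appended after it; every write into buf must stay below buflen`. The page does not show how MAXPATHL relates to the longest d_name the platform can return, so the size is best treated as a margin and the bounded copy further down as the actual guard. The function body starts and ends outside this hunk.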
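Review bot: In the hunk at -3828, `vim_strncpy(s, (char_u *)dp->d_name, buflen - (s - buf) - 1);` truncates an over-long entry name silently, and the next line `len = STRLEN(buf);` carries on with a name that does not exist on disk. When truncation happens buf is already full, so any later append at `buf + len` would need its own bound; the code after `if (starstar && stardepth < 100)` is outside this hunk, so that part is inferred. Checking the length first and skipping the entry is safer, e.g. `if (STRLEN(dp->d_name) >= buflen - (size_t)(s - buf)) continue;`, assuming this block sits directly in the directory-reading loop, which the hunk does not show.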