Mercurial > vim
comparison src/ex_docmd.c @ 28741:b44f15083faf v8.2.4895
patch 8.2.4895: buffer overflow with invalid command with composing chars
Commit: https://github.com/vim/vim/commit/d88934406c5375d88f8f1b65331c9f0cab68cc6c
Author: Bram Moolenaar <Bram@vim.org>
Date: Fri May 6 20:38:47 2022 +0100
patch 8.2.4895: buffer overflow with invalid command with composing chars
Problem: Buffer overflow with invalid command with composing chars.
Solution: Check that the whole character fits in the buffer.
author | Bram Moolenaar <Bram@vim.org> |
---|---|
date | Fri, 06 May 2022 21:45:02 +0200 |
parents | 930f1bb1649d |
children | d770568e6c98 |
comparison
equal
deleted
inserted
replaced
28740:da9f84bdc1c8 | 28741:b44f15083faf |
---|---|
3433 char_u *s = cmd; | 3433 char_u *s = cmd; |
3434 char_u *d; | 3434 char_u *d; |
3435 | 3435 |
3436 STRCAT(IObuff, ": "); | 3436 STRCAT(IObuff, ": "); |
3437 d = IObuff + STRLEN(IObuff); | 3437 d = IObuff + STRLEN(IObuff); |
3438 while (*s != NUL && d - IObuff < IOSIZE - 7) | 3438 while (*s != NUL && d - IObuff + 5 < IOSIZE) |
3439 { | 3439 { |
3440 if (enc_utf8 ? (s[0] == 0xc2 && s[1] == 0xa0) : *s == 0xa0) | 3440 if (enc_utf8 ? (s[0] == 0xc2 && s[1] == 0xa0) : *s == 0xa0) |
3441 { | 3441 { |
3442 s += enc_utf8 ? 2 : 1; | 3442 s += enc_utf8 ? 2 : 1; |
3443 STRCPY(d, "<a0>"); | 3443 STRCPY(d, "<a0>"); |
3444 d += 4; | 3444 d += 4; |
3445 } | 3445 } |
3446 else if (d - IObuff + (*mb_ptr2len)(s) + 1 >= IOSIZE) | |
3447 break; | |
3446 else | 3448 else |
3447 MB_COPY_CHAR(s, d); | 3449 MB_COPY_CHAR(s, d); |
3448 } | 3450 } |
3449 *d = NUL; | 3451 *d = NUL; |
3450 } | 3452 } |