Mercurial > vim
annotate pixmaps/tb_new.xpm @ 33422:25d250a74bb6 v9.0.1969
patch 9.0.1969: [security] buffer-overflow in trunc_string()
Commit: https://github.com/vim/vim/commit/3bd7fa12e146c6051490d048a4acbfba974eeb04
Author: Christian Brabandt <cb@256bit.org>
Date: Mon Oct 2 20:59:08 2023 +0200
patch 9.0.1969: [security] buffer-overflow in trunc_string()
Problem: buffer-overflow in trunc_string()
Solution: Add NULL at end of buffer
Currently trunc_string() assumes that when the string is too long,
buf[e-1] will always be writeable. But that assumption may not always be
true. The condition currently looks like this
else if (e + 3 < buflen)
[...]
else
{
// can't fit in the "...", just truncate it
buf[e - 1] = NUL;
}
but this means, we may run into the last else clause with e still being
larger than buflen. So a buffer overflow occurs.
So instead of using `buf[e - 1]`, let's just always
truncate at `buf[buflen - 1]` which should always be writable.
Signed-off-by: Christian Brabandt <cb@256bit.org>
author | Christian Brabandt <cb@256bit.org> |
---|---|
date | Mon, 02 Oct 2023 21:30:04 +0200 |
parents | 3fc0f57ecb91 |
children |
rev | line source |
---|---|
7 | 1 /* XPM */ |
2 static char * tb_new_xpm[] = { | |
3 /* width height ncolors cpp [x_hot y_hot] */ | |
4 "18 18 5 1 0 0", | |
5 /* colors */ | |
6 " s none m none c none", | |
7 ". s bottomShadowColor m black c #5D6069", | |
8 "X s iconColor2 m none c #FFFFFF", | |
9 "o s iconColor1 m black c #000000", | |
10 "O s topShadowColor m none c #DCDEE5", | |
11 /* pixels */ | |
12 " . .X. ", | |
13 " X. .X. X.", | |
14 " ooooooo.X.oXoX.X", | |
15 " oOOOOOOOoXXXXo..", | |
16 " oOOOOOOOXXXXXXXX", | |
17 " oOOXOOOOoXoXXo..", | |
18 " oOXXOOO.OXoXoX ", | |
19 " oOOOOO.OOXoX..X ", | |
20 " oOOOOOOOOXoX. .X", | |
21 " oOOOOOOOOXo. .", | |
22 " oOOOOOOOOXo. ", | |
23 " oOOOOOOOOXo. ", | |
24 " oOOOOOOOOXo. ", | |
25 " oOOOOOOOOXo. ", | |
26 " oOOOOOOOOXo. ", | |
27 " oXXXXXXXXXo. ", | |
28 " ooooooooooo. ", | |
29 " .......... "}; |