Mercurial > vim
annotate src/proto/vim9execute.pro @ 33864:6e4c686b6b5b v9.0.2142
patch 9.0.2142: [security]: stack-buffer-overflow in option callback functions
Commit: https://github.com/vim/vim/commit/b39b240c386a5a29241415541f1c99e2e6b8ce47
Author: Christian Brabandt <cb@256bit.org>
Date: Wed Nov 29 11:34:05 2023 +0100
patch 9.0.2142: [security]: stack-buffer-overflow in option callback functions
Problem: [security]: stack-buffer-overflow in option callback functions
Solution: pass size of errbuf down the call stack, use snprintf()
instead of sprintf()
We pass the error buffer down to the option callback functions, but in
some parts of the code, we simply use sprintf(buf) to write into the error
buffer, which can overflow.
So let's pass down the length of the error buffer and use sprintf(buf, size)
instead.
Reported by @henices, thanks!
Signed-off-by: Christian Brabandt <cb@256bit.org>
| author | Christian Brabandt <cb@256bit.org> |
|---|---|
| date | Sun, 10 Dec 2023 15:16:04 +0100 |
| parents | f99f5a56ff27 |
| children | 19cdfe768104 |
| rev | line source |
|---|---|
|
19181
94eda51ba9ba
patch 8.2.0149: maintaining a Vim9 branch separately is more work
Bram Moolenaar <Bram@vim.org>
parents:
diff
changeset
|
1 /* vim9execute.c */ |
|
21771
fcf978444298
patch 8.2.1435: Vim9: always converting to string for ".." leads to mistakes
Bram Moolenaar <Bram@vim.org>
parents:
20433
diff
changeset
|
2 void to_string_error(vartype_T vartype); |
|
28097
632a84e2ce92
patch 8.2.4573: a nested function is compiled for debugging without context
Bram Moolenaar <Bram@vim.org>
parents:
26560
diff
changeset
|
3 void update_has_breakpoint(ufunc_T *ufunc); |
|
30302
6a1ed021a0c0
patch 9.0.0487: using freed memory with combination of closures
Bram Moolenaar <Bram@vim.org>
parents:
30299
diff
changeset
|
4 int funcstack_check_refcount(funcstack_T *funcstack); |
|
26560
454a1c9ef797
patch 8.2.3809: Vim9: crash when garbage collecting a nested partial
Bram Moolenaar <Bram@vim.org>
parents:
25719
diff
changeset
|
5 int set_ref_in_funcstacks(int copyID); |
|
30083
a542dfb1c1a2
patch 9.0.0379: cleaning up after writefile() is a hassle
Bram Moolenaar <Bram@vim.org>
parents:
28447
diff
changeset
|
6 int in_def_function(void); |
|
33532
f99f5a56ff27
patch 9.0.2015: Vim9: does not handle islocked() from a method correctly
Christian Brabandt <cb@256bit.org>
parents:
31416
diff
changeset
|
7 int fill_exec_lval_root(lval_root_T *lr); |
|
30986
360f286b5869
patch 9.0.0828: various typos
Bram Moolenaar <Bram@vim.org>
parents:
30333
diff
changeset
|
8 ectx_T *clear_current_ectx(void); |
|
30126
01408b56f093
patch 9.0.0399: using :defer in expression funcref not tested
Bram Moolenaar <Bram@vim.org>
parents:
30122
diff
changeset
|
9 void restore_current_ectx(ectx_T *ectx); |
|
30083
a542dfb1c1a2
patch 9.0.0379: cleaning up after writefile() is a hassle
Bram Moolenaar <Bram@vim.org>
parents:
28447
diff
changeset
|
10 int add_defer_function(char_u *name, int argcount, typval_T *argvars); |
|
23551
1bb7fa4f9b35
patch 8.2.2318: Vim9: string and list index work differently
Bram Moolenaar <Bram@vim.org>
parents:
23285
diff
changeset
|
11 char_u *char_from_string(char_u *str, varnumber_T index); |
|
23604
1816ea68c022
patch 8.2.2344: using inclusive index for slice is not always desired
Bram Moolenaar <Bram@vim.org>
parents:
23551
diff
changeset
|
12 char_u *string_slice(char_u *str, varnumber_T first, varnumber_T last, int exclusive); |
|
31416
f088f1d97eee
patch 9.0.1041: cannot define a method in a class
Bram Moolenaar <Bram@vim.org>
parents:
30986
diff
changeset
|
13 int fill_partial_and_closure(partial_T *pt, ufunc_T *ufunc, loopvarinfo_T *lvi, ectx_T *ectx); |
|
28447
6f753a8125f0
patch 8.2.4748: cannot use an imported function in a mapping
Bram Moolenaar <Bram@vim.org>
parents:
28097
diff
changeset
|
14 int may_load_script(int sid, int *loaded); |
|
24918
f11779c1d123
patch 8.2.2996: Vim9: when debugging cannot inspect local variables
Bram Moolenaar <Bram@vim.org>
parents:
24909
diff
changeset
|
15 typval_T *lookup_debug_var(char_u *name); |
|
25719
154663508d9b
patch 8.2.3395: Vim9: expression breakpoint not checked in :def function
Bram Moolenaar <Bram@vim.org>
parents:
24918
diff
changeset
|
16 int may_break_in_function(ufunc_T *ufunc); |
|
30333
fc0830246f49
patch 9.0.0502: a closure in a nested loop in a :def function does not work
Bram Moolenaar <Bram@vim.org>
parents:
30302
diff
changeset
|
17 int loopvars_check_refcount(loopvars_T *loopvars); |
|
30299
5c181bb6c855
patch 9.0.0485: in :def function all closures in loop get the same variables
Bram Moolenaar <Bram@vim.org>
parents:
30291
diff
changeset
|
18 int set_ref_in_loopvars(int copyID); |
|
24606
a4fda40e0bb9
patch 8.2.2842: Vim9: skip argument to searchpair() is not compiled
Bram Moolenaar <Bram@vim.org>
parents:
24488
diff
changeset
|
19 int exe_typval_instr(typval_T *tv, typval_T *rettv); |
|
24488
f293bb501b30
patch 8.2.2784: Vim9: cannot use =expr in :substitute
Bram Moolenaar <Bram@vim.org>
parents:
23604
diff
changeset
|
20 char_u *exe_substitute_instr(void); |
|
31416
f088f1d97eee
patch 9.0.1041: cannot define a method in a class
Bram Moolenaar <Bram@vim.org>
parents:
30986
diff
changeset
|
21 int call_def_function(ufunc_T *ufunc, int argc_arg, typval_T *argv, int flags, partial_T *partial, object_T *object, funccall_T *funccal, typval_T *rettv); |
|
30122
458162398682
patch 9.0.0397: :defer not tested with exceptions and ":qa!"
Bram Moolenaar <Bram@vim.org>
parents:
30083
diff
changeset
|
22 void unwind_def_callstack(ectx_T *ectx); |
|
458162398682
patch 9.0.0397: :defer not tested with exceptions and ":qa!"
Bram Moolenaar <Bram@vim.org>
parents:
30083
diff
changeset
|
23 void may_invoke_defer_funcs(ectx_T *ectx); |
|
24909
09d222e89a84
patch 8.2.2992: Vim9: completion for :disassemble is incomplete
Bram Moolenaar <Bram@vim.org>
parents:
24606
diff
changeset
|
24 void set_context_in_disassemble_cmd(expand_T *xp, char_u *arg); |
|
09d222e89a84
patch 8.2.2992: Vim9: completion for :disassemble is incomplete
Bram Moolenaar <Bram@vim.org>
parents:
24606
diff
changeset
|
25 char_u *get_disassemble_argument(expand_T *xp, int idx); |
|
19181
94eda51ba9ba
patch 8.2.0149: maintaining a Vim9 branch separately is more work
Bram Moolenaar <Bram@vim.org>
parents:
diff
changeset
|
26 void ex_disassemble(exarg_T *eap); |
|
94eda51ba9ba
patch 8.2.0149: maintaining a Vim9 branch separately is more work
Bram Moolenaar <Bram@vim.org>
parents:
diff
changeset
|
27 int tv2bool(typval_T *tv); |
|
22860
53acb89ec9f2
patch 8.2.1977: Vim9: error for using a string in a condition is confusing
Bram Moolenaar <Bram@vim.org>
parents:
22541
diff
changeset
|
28 void emsg_using_string_as(typval_T *tv, int as_number); |
|
19181
94eda51ba9ba
patch 8.2.0149: maintaining a Vim9 branch separately is more work
Bram Moolenaar <Bram@vim.org>
parents:
diff
changeset
|
29 int check_not_string(typval_T *tv); |
|
94eda51ba9ba
patch 8.2.0149: maintaining a Vim9 branch separately is more work
Bram Moolenaar <Bram@vim.org>
parents:
diff
changeset
|
30 /* vim: set ft=c : */ |