vim: src/structs.h comparison

comparison src/structs.h @ 33864:6e4c686b6b5b v9.0.2142

patch 9.0.2142: [security]: stack-buffer-overflow in option callback functions Commit: https://github.com/vim/vim/commit/b39b240c386a5a29241415541f1c99e2e6b8ce47 Author: Christian Brabandt <cb@256bit.org> Date: Wed Nov 29 11:34:05 2023 +0100 patch 9.0.2142: [security]: stack-buffer-overflow in option callback functions Problem: [security]: stack-buffer-overflow in option callback functions Solution: pass size of errbuf down the call stack, use snprintf() instead of sprintf() We pass the error buffer down to the option callback functions, but in some parts of the code, we simply use sprintf(buf) to write into the error buffer, which can overflow. So let's pass down the length of the error buffer and use sprintf(buf, size) instead. Reported by @henices, thanks! Signed-off-by: Christian Brabandt <cb@256bit.org>

author	Christian Brabandt <cb@256bit.org>
date	Sun, 10 Dec 2023 15:16:04 +0100
parents	26a3250fa5b2
children	2f9090601258

comparison

equal deleted inserted replaced

-:3b8089d550eb
+:6e4c686b6b5b
 // If the value specified for an option is not valid and the error message
 // is parameterized, then the "os_errbuf" buffer is used to store the error
 // message (when it is not NULL).
 char	*os_errbuf;
+// length of the error buffer
+int		os_errbuflen;
 } optset_T;
 /*
 * Argument for the callback function (opt_expand_cb_T) invoked after a string
 * option value is expanded for cmdline completion.

Mercurial > vim

comparison src/structs.h @ 33864:6e4c686b6b5b v9.0.2142