Mercurial > vim
view src/proto/alloc.pro @ 33864:6e4c686b6b5b v9.0.2142
patch 9.0.2142: [security]: stack-buffer-overflow in option callback functions
Commit: https://github.com/vim/vim/commit/b39b240c386a5a29241415541f1c99e2e6b8ce47
Author: Christian Brabandt <cb@256bit.org>
Date: Wed Nov 29 11:34:05 2023 +0100
patch 9.0.2142: [security]: stack-buffer-overflow in option callback functions
Problem: [security]: stack-buffer-overflow in option callback functions
Solution: pass size of errbuf down the call stack, use snprintf()
instead of sprintf()
We pass the error buffer down to the option callback functions, but in
some parts of the code, we simply use sprintf(buf) to write into the error
buffer, which can overflow.
So let's pass down the length of the error buffer and use sprintf(buf, size)
instead.
Reported by @henices, thanks!
Signed-off-by: Christian Brabandt <cb@256bit.org>
author | Christian Brabandt <cb@256bit.org> |
---|---|
date | Sun, 10 Dec 2023 15:16:04 +0100 |
parents | 3626ca6a20ea |
children |
line wrap: on
line source
/* alloc.c */ void vim_mem_profile_dump(void); int alloc_does_fail(size_t size); void *alloc(size_t size); void *alloc_id(size_t size, alloc_id_T id); void *alloc_clear(size_t size); void *alloc_clear_id(size_t size, alloc_id_T id); void *lalloc_clear(size_t size, int message); void *lalloc(size_t size, int message); void *lalloc_id(size_t size, int message, alloc_id_T id); void *mem_realloc(void *ptr, size_t size); void do_outofmem_msg(size_t size); void free_all_mem(void); char_u *vim_memsave(char_u *p, size_t len); void vim_free(void *x); void ga_clear(garray_T *gap); void ga_clear_strings(garray_T *gap); int ga_copy_strings(garray_T *from, garray_T *to); void ga_init(garray_T *gap); void ga_init2(garray_T *gap, size_t itemsize, int growsize); int ga_grow(garray_T *gap, int n); int ga_grow_id(garray_T *gap, int n, alloc_id_T id); int ga_grow_inner(garray_T *gap, int n); char_u *ga_concat_strings(garray_T *gap, char *sep); int ga_copy_string(garray_T *gap, char_u *p); int ga_add_string(garray_T *gap, char_u *p); void ga_concat(garray_T *gap, char_u *s); void ga_concat_len(garray_T *gap, char_u *s, size_t len); int ga_append(garray_T *gap, int c); void append_ga_line(garray_T *gap); /* vim: set ft=c : */