Mercurial > vim
view src/proto/cmdhist.pro @ 33864:6e4c686b6b5b v9.0.2142
patch 9.0.2142: [security]: stack-buffer-overflow in option callback functions
Commit: https://github.com/vim/vim/commit/b39b240c386a5a29241415541f1c99e2e6b8ce47
Author: Christian Brabandt <cb@256bit.org>
Date: Wed Nov 29 11:34:05 2023 +0100
patch 9.0.2142: [security]: stack-buffer-overflow in option callback functions
Problem: [security]: stack-buffer-overflow in option callback functions
Solution: pass size of errbuf down the call stack, use snprintf()
instead of sprintf()
We pass the error buffer down to the option callback functions, but in
some parts of the code, we simply use sprintf(buf) to write into the error
buffer, which can overflow.
So let's pass down the length of the error buffer and use sprintf(buf, size)
instead.
Reported by @henices, thanks!
Signed-off-by: Christian Brabandt <cb@256bit.org>
| author | Christian Brabandt <cb@256bit.org> |
|---|---|
| date | Sun, 10 Dec 2023 15:16:04 +0100 |
| parents | 05b240971884 |
| children | ffeda71f42d7 |
line wrap: on
line source
/* cmdhist.c */ int get_hislen(void); histentry_T *get_histentry(int hist_type); void set_histentry(int hist_type, histentry_T *entry); int *get_hisidx(int hist_type); int *get_hisnum(int hist_type); int hist_char2type(int c); char_u *get_history_arg(expand_T *xp, int idx); void init_history(void); void clear_hist_entry(histentry_T *hisptr); int in_history(int type, char_u *str, int move_to_front, int sep, int writing); void add_to_history(int histype, char_u *new_entry, int in_map, int sep); void f_histadd(typval_T *argvars, typval_T *rettv); void f_histdel(typval_T *argvars, typval_T *rettv); void f_histget(typval_T *argvars, typval_T *rettv); void f_histnr(typval_T *argvars, typval_T *rettv); void remove_key_from_history(void); void ex_history(exarg_T *eap); /* vim: set ft=c : */