Mercurial > vim
view src/proto/syntax.pro @ 33864:6e4c686b6b5b v9.0.2142
patch 9.0.2142: [security]: stack-buffer-overflow in option callback functions
Commit: https://github.com/vim/vim/commit/b39b240c386a5a29241415541f1c99e2e6b8ce47
Author: Christian Brabandt <cb@256bit.org>
Date: Wed Nov 29 11:34:05 2023 +0100
patch 9.0.2142: [security]: stack-buffer-overflow in option callback functions
Problem: [security]: stack-buffer-overflow in option callback functions
Solution: pass size of errbuf down the call stack, use snprintf()
instead of sprintf()
We pass the error buffer down to the option callback functions, but in
some parts of the code, we simply use sprintf(buf) to write into the error
buffer, which can overflow.
So let's pass down the length of the error buffer and use sprintf(buf, size)
instead.
Reported by @henices, thanks!
Signed-off-by: Christian Brabandt <cb@256bit.org>
author | Christian Brabandt <cb@256bit.org> |
---|---|
date | Sun, 10 Dec 2023 15:16:04 +0100 |
parents | fbeebe308514 |
children |
line wrap: on
line source
/* syntax.c */ void syntax_start(win_T *wp, linenr_T lnum); void syn_stack_free_all(synblock_T *block); void syn_stack_apply_changes(buf_T *buf); void syntax_end_parsing(win_T *wp, linenr_T lnum); int syntax_check_changed(linenr_T lnum); int get_syntax_attr(colnr_T col, int *can_spell, int keep_state); void syntax_clear(synblock_T *block); void reset_synblock(win_T *wp); void ex_syntax(exarg_T *eap); void ex_ownsyntax(exarg_T *eap); int syntax_present(win_T *win); void reset_expand_highlight(void); void set_context_in_echohl_cmd(expand_T *xp, char_u *arg); void set_context_in_syntax_cmd(expand_T *xp, char_u *arg); char_u *get_syntax_name(expand_T *xp, int idx); int syn_get_id(win_T *wp, long lnum, colnr_T col, int trans, int *spellp, int keep_state); int get_syntax_info(int *seqnrp); int syn_get_sub_char(void); int syn_get_stack_item(int i); int syn_get_foldlevel(win_T *wp, long lnum); void ex_syntime(exarg_T *eap); char_u *get_syntime_arg(expand_T *xp, int idx); /* vim: set ft=c : */