# HG changeset patch
# User Bram Moolenaar
# Date 1681672503 -7200
# Node ID 1f29252237de1492108b2360d5f7945a495486c7
# Parent 3d135f6b76895a8b6db54605449a20bb2d831e89
patch 9.0.1458: buffer overflow when expanding long file name
Commit: https://github.com/vim/vim/commit/a77670726e3706973adffc2b118f4576e1f58ea0
Author: Yee Cheng Chin
Date: Sun Apr 16 20:13:12 2023 +0100
patch 9.0.1458: buffer overflow when expanding long file name
Problem: Buffer overflow when expanding long file name.
Solution: Use a larger buffer and avoid overflowing it. (Yee Cheng Chin, closes #12201)
diff --git a/src/filepath.c b/src/filepath.c
--- a/src/filepath.c
+++ b/src/filepath.c
@@ -938,9 +938,9 @@ f_filewritable(typval_T *argvars, typval

 static void
 findfilendir(
- typval_T *argvars UNUSED,
+ typval_T *argvars,
 typval_T *rettv,
- int find_what UNUSED)
+ int find_what)
 {
 char_u *fname;
 char_u *fresult = NULL;
@@ -3685,7 +3685,6 @@ unix_expandpath(
 int didstar) // expanded "**" once already
 {
 char_u *buf;
- size_t buflen;
 char_u *path_end;
 char_u *p, *s, *e;
 int start_len = gap->ga_len;
@@ -3708,8 +3707,8 @@ unix_expandpath(
 return 0;
 }

- // make room for file name
- buflen = STRLEN(path) + BASENAMELEN + 5;
+ // make room for file name (a bit too much to stay on the safe side)
+ size_t buflen = STRLEN(path) + MAXPATHL;
 buf = alloc(buflen);
 if (buf == NULL)
 return 0;
@@ -3828,7 +3827,7 @@ unix_expandpath(
 || ((flags & EW_NOTWILD)
 && fnamencmp(path + (s - buf), dp->d_name, e - s) == 0)))
 {
- STRCPY(s, dp->d_name);
+ vim_strncpy(s, (char_u *)dp->d_name, buflen - (s - buf) - 1);
 len = STRLEN(buf);

 if (starstar && stardepth < 100)
diff --git a/src/version.c b/src/version.c
--- a/src/version.c
+++ b/src/version.c
@@ -696,6 +696,8 @@ static char *(features[]) =
 static int included_patches[] =
 { /* Add new patch number below this line */
 /**/
+ 1458,
+/**/
 1457,
 /**/
 1456,
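Review bot: The new comment above `size_t buflen = STRLEN(path) + MAXPATHL;` in the third hunk says the buffer is "a bit too much" but not what has to fit in it, so a maintainer cannot tell which later writes rely on the margin. I would state the invariant instead, for example `// room for "path" plus one directory entry name and the NUL; every write into buf must stay below buflen`. Whether MAXPATHL is at least as large as the longest `d_name` the platform can return is not visible here, and the comment should say if that is assumed. The body of unix_expandpath starts and ends outside this hunk.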
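Review bot: The bounded copy `vim_strncpy(s, (char_u *)dp->d_name, buflen - (s - buf) - 1);` in the fourth hunk truncates silently, so an over-long directory entry leaves a shortened name in buf that is then handled as if it were the match. Skipping the entry when it does not fit would avoid acting on a name that is not on disk, e.g. `if (STRLEN(dp->d_name) >= buflen - (size_t)(s - buf)) continue;` before the copy, assuming this code sits in the directory-reading loop. When truncation does happen buf is full, so `len = STRLEN(buf)` leaves no room for anything appended at `buf + len` afterwards. Those later writes are outside this hunk and presumably need the same bound.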