changeset 32254:1f29252237de v9.0.1458
patch 9.0.1458: buffer overflow when expanding long file name
Commit: https://github.com/vim/vim/commit/a77670726e3706973adffc2b118f4576e1f58ea0
Author: Yee Cheng Chin <ychin.git@gmail.com>
Date: Sun Apr 16 20:13:12 2023 +0100
patch 9.0.1458: buffer overflow when expanding long file name
Problem: Buffer overflow when expanding long file name.
Solution: Use a larger buffer and avoid overflowing it. (Yee Cheng Chin,
closes #12201)
author | Bram Moolenaar <Bram@vim.org> |
---|---|
date | Sun, 16 Apr 2023 21:15:03 +0200 |
parents | 3d135f6b7689 |
children | 70a10f7133a8 |
files | src/filepath.c src/version.c |
diffstat | 2 files changed, 7 insertions(+), 6 deletions(-) [+] |
--- a/src/filepath.c
+++ b/src/filepath.c
@@ -938,9 +938,9 @@ f_filewritable(typval_T *argvars, typval
 static void
 findfilendir(
- typval_T *argvars UNUSED,
+ typval_T *argvars,
 typval_T *rettv,
- int find_what UNUSED)
+ int find_what)
 {
 char_u *fname;
 char_u *fresult = NULL;
@@ -3685,7 +3685,6 @@ unix_expandpath(
 int didstar) // expanded "**" once already
 {
 char_u *buf;
- size_t buflen;
 char_u *path_end;
 char_u *p, *s, *e;
 int start_len = gap->ga_len;
@@ -3708,8 +3707,8 @@ unix_expandpath(
 return 0;
 }
- // make room for file name
- buflen = STRLEN(path) + BASENAMELEN + 5;
+ // make room for file name (a bit too much to stay on the safe side)
+ size_t buflen = STRLEN(path) + MAXPATHL;
 buf = alloc(buflen);
 if (buf == NULL)
 return 0;
@@ -3828,7 +3827,7 @@ unix_expandpath(
 || ((flags & EW_NOTWILD)
 && fnamencmp(path + (s - buf), dp->d_name, e - s) == 0)))
 {
- STRCPY(s, dp->d_name);
+ vim_strncpy(s, (char_u *)dp->d_name, buflen - (s - buf) - 1);
 len = STRLEN(buf);
 if (starstar && stardepth < 100)
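Review bot: The new comment on the `buflen` assignment in unix_expandpath ("a bit too much to stay on the safe side") does not say which bound the allocation relies on, so a later reader cannot tell whether `STRLEN(path) + MAXPATHL` is a guarantee or only headroom. The replaced formula apparently assumed that a directory entry name fits in `BASENAMELEN`, which the commit message suggests does not always hold. I would word the comment as `// room for path plus one directory entry name; MAXPATHL is headroom only, every copy into buf must still be bounded by buflen`. The function body starts and ends outside this hunk.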
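Review bot: The bounded copy `vim_strncpy(s, (char_u *)dp->d_name, buflen - (s - buf) - 1)` in the last hunk truncates an over-long name silently and allows the name to fill `buf` up to its final byte. A truncated name no longer refers to the directory entry that was read, and if code after `len = STRLEN(buf)` appends at `buf + len` (that part of unix_expandpath is outside this hunk), no space is left for it. Rejecting the entry is safer than truncating it, for example `if (STRLEN(dp->d_name) >= buflen - (s - buf)) continue;` ahead of the copy, assuming this runs inside the directory-reading loop, with the length of any later append subtracted from the limit as well. A short comment next to the copy stating that `s` always points inside `buf` would also document why `buflen - (s - buf) - 1` cannot wrap.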