changeset 28881:3ddaf476a874 v8.2.4963

patch 8.2.4963: expanding path with "/**" may overrun end of buffer Commit: https://github.com/vim/vim/commit/386c24cd262edac66a31add2fd989c96c4c2c952 Author: Bram Moolenaar <Bram@vim.org> Date: Mon May 16 12:37:36 2022 +0100 patch 8.2.4963: expanding path with "/**" may overrun end of buffer Problem: Expanding path with "/**" may overrun end of buffer. Solution: Use vim_snprintf().
author Bram Moolenaar <Bram@vim.org>
date Mon, 16 May 2022 13:45:02 +0200
parents 58035f47b8c7
children ae2f1551a6dc
files src/filepath.c src/version.c
diffstat 2 files changed, 8 insertions(+), 4 deletions(-) [+]
line wrap: on
line diff
--- a/src/filepath.c
+++ b/src/filepath.c
@@ -3589,6 +3589,7 @@ unix_expandpath(
     int		didstar)	// expanded "**" once already
 {
     char_u	*buf;
+    size_t	buflen;
     char_u	*path_end;
     char_u	*p, *s, *e;
     int		start_len = gap->ga_len;
@@ -3612,7 +3613,8 @@ unix_expandpath(
     }
 
     // make room for file name
-    buf = alloc(STRLEN(path) + BASENAMELEN + 5);
+    buflen = STRLEN(path) + BASENAMELEN + 5;
+    buf = alloc(buflen);
     if (buf == NULL)
 	return 0;
 
@@ -3737,14 +3739,14 @@ unix_expandpath(
 		{
 		    // For "**" in the pattern first go deeper in the tree to
 		    // find matches.
-		    STRCPY(buf + len, "/**");
-		    STRCPY(buf + len + 3, path_end);
+		    vim_snprintf((char *)buf + len, buflen - len,
+							    "/**%s", path_end);
 		    ++stardepth;
 		    (void)unix_expandpath(gap, buf, len + 1, flags, TRUE);
 		    --stardepth;
 		}
 
-		STRCPY(buf + len, path_end);
+		vim_snprintf((char *)buf + len, buflen - len, "%s", path_end);
 		if (mch_has_exp_wildcard(path_end)) // handle more wildcards
 		{
 		    // need to expand another component of the path
--- a/src/version.c
+++ b/src/version.c
@@ -747,6 +747,8 @@ static char *(features[]) =
 static int included_patches[] =
 {   /* Add new patch number below this line */
 /**/
+    4963,
+/**/
     4962,
 /**/
     4961,