Mercurial > vim

changeset 33262:6eac4f616293 v9.0.1899

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
patch 9.0.1899: potential buffer overflow in PBYTE macro Commit: https://github.com/vim/vim/commit/ffb13674d1af1c90beb229867ec989e4fb232df3 Author: Christian Brabandt <cb@256bit.org> Date: Fri Sep 15 20:22:02 2023 +0200 patch 9.0.1899: potential buffer overflow in PBYTE macro Problem: potential buffer overflow in PBYTE macro Solution: Check returned memline length closes: #13083 the PBYTE macro is used to put byte c at a position lp of the returned memline. However, in case of unexpected errors ml_get_buf() may return either "???" or an empty line in which case it is quite likely that we are causing a buffer overrun. Therefore, switch the macro PBYTE (which is only used in ops.c anyhow) to a function, that verifies that we will only try to access within the given length of the buffer. Also, since the macro is only used in ops.c, move the definition from macros.h to ops.c Signed-off-by: Christian Brabandt <cb@256bit.org>
author Christian Brabandt <cb@256bit.org>
date Fri, 15 Sep 2023 20:30:07 +0200
parents cc83932e459d
children f20388fbebd8
files src/macros.h src/ops.c src/version.c
diffstat 3 files changed, 20 insertions(+), 5 deletions(-) [+]
line wrap: on
line diff
--- a/src/macros.h
+++ b/src/macros.h
@@ -14,11 +14,6 @@
  */
 
 /*
- * PBYTE(lp, c) - put byte 'c' at position 'lp'
- */
-#define PBYTE(lp, c) (*(ml_get_buf(curbuf, (lp).lnum, TRUE) + (lp).col) = (c))
-
-/*
  * Position comparisons
  */
 #define LT_POS(a, b) (((a).lnum != (b).lnum) \
--- a/src/ops.c
+++ b/src/ops.c
@@ -17,6 +17,9 @@
 static void shift_block(oparg_T *oap, int amount);
 static void	mb_adjust_opend(oparg_T *oap);
 static int	do_addsub(int op_type, pos_T *pos, int length, linenr_T Prenum1);
+static void	pbyte(pos_T lp, int c);
+#define PBYTE(lp, c) pbyte(lp, c)
+
 
 // Flags for third item in "opchars".
 #define OPF_LINES  1	// operator always works on lines
@@ -4349,3 +4352,18 @@ do_pending_operator(cmdarg_T *cap, int o
     restore_lbr(lbr_saved);
 #endif
 }
+
+// put byte 'c' at position 'lp', but
+// verify, that the position to place
+// is actually safe
+    static void
+pbyte(pos_T lp, int c)
+{
+    char_u *p = ml_get_buf(curbuf, lp.lnum, TRUE);
+    int	len = curbuf->b_ml.ml_line_len;
+
+    // safety check
+    if (lp.col >= len)
+	lp.col = (len > 1 ? len - 2 : 0);
+    *(p + lp.col) = c;
+}
--- a/src/version.c
+++ b/src/version.c
@@ -700,6 +700,8 @@ static char *(features[]) =
 static int included_patches[] =
 {   /* Add new patch number below this line */
 /**/
+    1899,
+/**/
     1898,
 /**/
     1897,