Mercurial > vim
changeset 25907:637588377056 v8.2.3487
patch 8.2.3487: illegal memory access if buffer name is very long
Commit: https://github.com/vim/vim/commit/826bfe4bbd7594188e3d74d2539d9707b1c6a14b
Author: Bram Moolenaar <Bram@vim.org>
Date: Fri Oct 8 18:39:28 2021 +0100
patch 8.2.3487: illegal memory access if buffer name is very long
Problem: Illegal memory access if buffer name is very long.
Solution: Make sure not to go over the end of the buffer.
| author | Bram Moolenaar <Bram@vim.org> |
|---|---|
| date | Fri, 08 Oct 2021 19:45:04 +0200 |
| parents | bdcc6192f333 |
| children | 013f7b601a66 |
| files | src/drawscreen.c src/testdir/test_statusline.vim src/version.c |
| diffstat | 3 files changed, 17 insertions(+), 5 deletions(-) [+] |
line wrap: on
line diff
--- a/src/drawscreen.c +++ b/src/drawscreen.c @@ -464,13 +464,13 @@ win_redr_status(win_T *wp, int ignore_pu *(p + len++) = ' '; if (bt_help(wp->w_buffer)) { - STRCPY(p + len, _("[Help]")); + vim_snprintf((char *)p + len, MAXPATHL - len, "%s", _("[Help]")); len += (int)STRLEN(p + len); } #ifdef FEAT_QUICKFIX if (wp->w_p_pvw) { - STRCPY(p + len, _("[Preview]")); + vim_snprintf((char *)p + len, MAXPATHL - len, "%s", _("[Preview]")); len += (int)STRLEN(p + len); } #endif @@ -480,12 +480,12 @@ win_redr_status(win_T *wp, int ignore_pu #endif ) { - STRCPY(p + len, "[+]"); - len += 3; + vim_snprintf((char *)p + len, MAXPATHL - len, "%s", "[+]"); + len += (int)STRLEN(p + len); } if (wp->w_buffer->b_p_ro) { - STRCPY(p + len, _("[RO]")); + vim_snprintf((char *)p + len, MAXPATHL - len, "%s", _("[RO]")); len += (int)STRLEN(p + len); }
--- a/src/testdir/test_statusline.vim +++ b/src/testdir/test_statusline.vim @@ -522,4 +522,14 @@ func Test_statusline_mbyte_fillchar() %bw! endfunc +" Used to write beyond allocated memory. This assumes MAXPATHL is 4096 bytes. +func Test_statusline_verylong_filename() + let fname = repeat('x', 4090) + exe "new " .. fname + set buftype=help + set previewwindow + redraw + bwipe! +endfunc + " vim: shiftwidth=2 sts=2 expandtab