1 To: vim_dev@googlegroups.com
4 From: Bram Moolenaar <Bram@moolenaar.net>
6 Content-Type: text/plain; charset=UTF-8
7 Content-Transfer-Encoding: 8bit
11 Problem: Unsafe string copying.
12 Solution: Use vim_strncpy() instead of strcpy(). Use vim_strcat() instead of strcat().
14 Files: src/buffer.c, src/ex_docmd.c, src/hardcopy.c, src/menu.c,
15 src/misc1.c, src/misc2.c, src/proto/misc2.pro, src/netbeans.c,
16 src/os_unix.c, src/spell.c, src/syntax.c, src/tag.c
18 *** ../vim-7.3.159/src/buffer.c 2011-02-15 14:24:42.000000000 +0100
19 --- src/buffer.c 2011-04-11 16:08:38.000000000 +0200
22 /* format: "fname + (path) (1 of 2) - VIM" */
24 if (curbuf->b_fname == NULL)
25 ! STRCPY(buf, _("[No Name]"));
28 p = transstr(gettail(curbuf->b_fname));
30 /* format: "fname + (path) (1 of 2) - VIM" */
32 if (curbuf->b_fname == NULL)
33 ! vim_strncpy(buf, (char_u *)_("[No Name]"), IOSIZE - 100);
36 p = transstr(gettail(curbuf->b_fname));
39 if (serverName != NULL)
42 ! STRCAT(buf, serverName);
47 if (serverName != NULL)
50 ! vim_strcat(buf, serverName, IOSIZE);
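Review bot: The `IOSIZE - 100` bound on the `[No Name]` copy leaves a 100-byte margin that nothing in the visible lines explains, while `vim_strcat(buf, serverName, IOSIZE)` further down uses the full size. Both calls assume buf is IOSIZE bytes, and its declaration is outside this section. A comment at the first copy would record the intent, for example `/* leave room for the parts of the title appended after the file name */`, and a note at the declaration of buf would tie the two bounds to it.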
54 *** ../vim-7.3.159/src/ex_docmd.c 2011-03-03 15:54:45.000000000 +0100
55 --- src/ex_docmd.c 2011-04-11 15:43:48.000000000 +0200
61 ! STRCPY(buff, _("1 more file to edit. Quit anyway?"));
63 vim_snprintf((char *)buff, IOSIZE,
64 _("%d more files to edit. Quit anyway?"), n);
70 ! (char_u *)_("1 more file to edit. Quit anyway?"),
73 vim_snprintf((char *)buff, IOSIZE,
74 _("%d more files to edit. Quit anyway?"), n);
75 *** ../vim-7.3.159/src/hardcopy.c 2010-08-15 21:57:25.000000000 +0200
76 --- src/hardcopy.c 2011-04-11 15:30:09.000000000 +0200
80 char_u buffer[MAXPATHL + 1];
82 ! STRCPY(resource->name, name);
83 /* Look for named resource file in runtimepath */
84 STRCPY(buffer, "print");
86 ! STRCAT(buffer, name);
87 ! STRCAT(buffer, ".ps");
88 resource->filename[0] = NUL;
89 return (do_in_runtimepath(buffer, FALSE, prt_resource_name,
93 char_u buffer[MAXPATHL + 1];
95 ! vim_strncpy(resource->name, (char_u *)name, 63);
96 /* Look for named resource file in runtimepath */
97 STRCPY(buffer, "print");
99 ! vim_strcat(buffer, (char_u *)name, MAXPATHL);
100 ! vim_strcat(buffer, (char_u *)".ps", MAXPATHL);
101 resource->filename[0] = NUL;
102 return (do_in_runtimepath(buffer, FALSE, prt_resource_name,
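Review bot: The bound `63` in `vim_strncpy(resource->name, (char_u *)name, 63)` is a bare literal that presumably mirrors the size of the name field, whose declaration is outside this section; if that field is resized, the copy limit silently goes out of step with it. Deriving the limit from the destination, `vim_strncpy(resource->name, (char_u *)name, sizeof(resource->name) - 1);` (valid only if name is an array member), or from a named constant shared with the struct definition, keeps the two tied together. The same applies to the literal `100` passed to vim_strcat() in src/syntax.c and to the `STRLEN(mouse_code) > 45` check in src/os_unix.c, where the buffer being protected is not visible either.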
104 *** ../vim-7.3.159/src/menu.c 2011-01-04 17:49:25.000000000 +0100
105 --- src/menu.c 2011-04-11 15:17:21.000000000 +0200
110 static vimmenu_T *menu = NULL;
111 ! static char_u tbuffer[256]; /*hack*/
113 #ifdef FEAT_MULTI_LANG
114 static int should_advance = FALSE;
118 static vimmenu_T *menu = NULL;
119 ! #define TBUFFER_LEN 256
120 ! static char_u tbuffer[TBUFFER_LEN]; /*hack*/
122 #ifdef FEAT_MULTI_LANG
123 static int should_advance = FALSE;
127 #ifdef FEAT_MULTI_LANG
129 ! STRCPY(tbuffer, menu->en_dname);
133 ! STRCPY(tbuffer, menu->dname);
134 #ifdef FEAT_MULTI_LANG
135 if (menu->en_dname == NULL)
136 should_advance = TRUE;
139 #ifdef FEAT_MULTI_LANG
141 ! vim_strncpy(tbuffer, menu->en_dname, TBUFFER_LEN - 2);
145 ! vim_strncpy(tbuffer, menu->dname, TBUFFER_LEN - 2);
146 #ifdef FEAT_MULTI_LANG
147 if (menu->en_dname == NULL)
148 should_advance = TRUE;
149 *** ../vim-7.3.159/src/misc1.c 2011-04-11 14:27:34.000000000 +0200
150 --- src/misc1.c 2011-04-11 16:03:22.000000000 +0200
156 ! STRCPY(msg_buf, _("1 more line"));
158 ! STRCPY(msg_buf, _("1 line less"));
163 ! sprintf((char *)msg_buf, _("%ld more lines"), pn);
165 ! sprintf((char *)msg_buf, _("%ld fewer lines"), pn);
168 ! STRCAT(msg_buf, _(" (Interrupted)"));
171 set_keep_msg(msg_buf, 0);
176 ! vim_strncpy(msg_buf, (char_u *)_("1 more line"),
179 ! vim_strncpy(msg_buf, (char_u *)_("1 line less"),
185 ! vim_snprintf((char *)msg_buf, MSG_BUF_LEN,
186 ! _("%ld more lines"), pn);
188 ! vim_snprintf((char *)msg_buf, MSG_BUF_LEN,
189 ! _("%ld fewer lines"), pn);
192 ! vim_strcat(msg_buf, (char_u *)_(" (Interrupted)"), MSG_BUF_LEN);
195 set_keep_msg(msg_buf, 0);
196 *** ../vim-7.3.159/src/misc2.c 2010-12-08 13:11:15.000000000 +0100
197 --- src/misc2.c 2011-04-11 15:30:20.000000000 +0200
204 + * Like strcat(), but make sure the result fits in "tosize" bytes and is
205 + * always NUL terminated.
208 + vim_strcat(to, from, tosize)
213 + size_t tolen = STRLEN(to);
214 + size_t fromlen = STRLEN(from);
216 + if (tolen + fromlen + 1 > tosize)
218 + mch_memmove(to + tolen, from, tosize - tolen - 1);
219 + to[tosize - 1] = NUL;
222 + STRCPY(to + tolen, from);
226 * Isolate one part of a string option where parts are separated with
228 * The part is copied into "buf[maxlen]".
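Review bot: In vim_strcat() the truncation branch computes `tosize - tolen - 1` in size_t, so if "to" already holds tosize or more bytes, or tosize is 0, the subtraction wraps and mch_memmove() is asked to copy an enormous length. That state is reachable whenever a caller passes a tosize that does not match the real buffer, which the literal sizes used at some call sites make plausible. A guard ahead of the length test, `if (tolen + 1 >= tosize) return;`, leaves the destination untouched in that case. The function returns nothing, so callers cannot detect truncation; the header comment should state that the result may be silently cut short. Parts of the function body fall outside the lines shown here.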
229 *** ../vim-7.3.159/src/proto/misc2.pro 2010-08-15 21:57:28.000000000 +0200
230 --- src/proto/misc2.pro 2011-04-11 15:29:55.000000000 +0200
234 void copy_chars __ARGS((char_u *ptr, size_t count, int c));
235 void del_trailing_spaces __ARGS((char_u *ptr));
236 void vim_strncpy __ARGS((char_u *to, char_u *from, size_t len));
237 + void vim_strcat __ARGS((char_u *to, char_u *from, size_t tosize));
238 int copy_option_part __ARGS((char_u **option, char_u *buf, int maxlen, char *sep_chars));
239 void vim_free __ARGS((void *x));
240 int vim_stricmp __ARGS((char *s1, char *s2));
241 *** ../vim-7.3.159/src/netbeans.c 2011-04-01 15:33:54.000000000 +0200
242 --- src/netbeans.c 2011-04-11 16:02:51.000000000 +0200
248 ! char_u ebuf[BUFSIZ];
250 ! STRCPY(ebuf, (char_u *)_("E505: "));
251 ! STRCAT(ebuf, IObuff);
252 ! STRCAT(ebuf, (char_u *)_("is read-only (add ! to override)"));
253 ! STRCPY(IObuff, ebuf);
254 ! nbdebug((" %s\n", ebuf ));
263 ! char_u msgbuf[IOSIZE];
265 ! vim_snprintf((char *)msgbuf, IOSIZE,
266 ! _("E505: %s is read-only (add ! to override)"), IObuff);
267 ! nbdebug((" %s\n", msgbuf));
272 *** ../vim-7.3.159/src/os_unix.c 2011-02-15 17:39:14.000000000 +0100
273 --- src/os_unix.c 2011-04-11 16:39:11.000000000 +0200
277 if (shell_style == STYLE_PRINT && !did_find_nul)
279 /* If there is a NUL, set did_find_nul, else set check_spaces */
281 if (len && (int)STRLEN(buffer) < (int)len - 1)
289 ! if (mouse_code == NULL)
297 ! if (mouse_code == NULL || STRLEN(mouse_code) > 45)
301 *** ../vim-7.3.159/src/spell.c 2011-02-01 13:59:44.000000000 +0100
302 --- src/spell.c 2011-04-11 15:50:40.000000000 +0200
305 if (ae->ae_add == NULL)
308 ! STRCPY(newword, ae->ae_add);
310 if (ae->ae_chop != NULL)
313 if (ae->ae_add == NULL)
316 ! vim_strncpy(newword, ae->ae_add, MAXWLEN - 1);
318 if (ae->ae_chop != NULL)
324 /* suffix: chop/add at the end of the word */
325 ! STRCPY(newword, word);
326 if (ae->ae_chop != NULL)
328 /* Remove chop string. */
332 /* suffix: chop/add at the end of the word */
333 ! vim_strncpy(newword, word, MAXWLEN - 1);
334 if (ae->ae_chop != NULL)
336 /* Remove chop string. */
339 * Write the .sug file.
340 * Make the file name by changing ".spl" to ".sug".
342 ! STRCPY(fname, wfname);
343 len = (int)STRLEN(fname);
344 fname[len - 2] = 'u';
345 fname[len - 1] = 'g';
347 * Write the .sug file.
348 * Make the file name by changing ".spl" to ".sug".
350 ! vim_strncpy(fname, wfname, MAXPATHL - 1);
351 len = (int)STRLEN(fname);
352 fname[len - 2] = 'u';
353 fname[len - 1] = 'g';
357 /* The suggested word may replace only part of the bad word, add
358 * the not replaced part. */
359 ! STRCPY(wcopy, stp->st_word);
360 if (sug.su_badlen > stp->st_orglen)
361 vim_strncpy(wcopy + stp->st_wordlen,
362 sug.su_badptr + stp->st_orglen,
365 /* The suggested word may replace only part of the bad word, add
366 * the not replaced part. */
367 ! vim_strncpy(wcopy, stp->st_word, MAXWLEN);
368 if (sug.su_badlen > stp->st_orglen)
369 vim_strncpy(wcopy + stp->st_wordlen,
370 sug.su_badptr + stp->st_orglen,
378 /* Add part of the bad word to the good word, so that we soundfold
379 * what replaces the bad word. */
384 ! if (lendiff > 0 && stp->st_wordlen + lendiff < MAXWLEN)
386 /* Add part of the bad word to the good word, so that we soundfold
387 * what replaces the bad word. */
390 for (i = gap->ga_len - 1; i >= 0; --i)
392 /* Need to append what follows to check for "the the". */
393 ! STRCPY(longword, stp[i].st_word);
394 len = stp[i].st_wordlen;
395 vim_strncpy(longword + len, su->su_badptr + stp[i].st_orglen,
398 for (i = gap->ga_len - 1; i >= 0; --i)
400 /* Need to append what follows to check for "the the". */
401 ! vim_strncpy(longword, stp[i].st_word, MAXWLEN);
402 len = stp[i].st_wordlen;
403 vim_strncpy(longword + len, su->su_badptr + stp[i].st_orglen,
412 smp = (salitem_T *)slang->sl_sal.ga_data;
418 ! vim_strncpy(word, s, MAXWLEN - 1);
420 smp = (salitem_T *)slang->sl_sal.ga_data;
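Review bot: The length passed to vim_strncpy() is `MAXWLEN - 1` for newword and word but `MAXWLEN` for wcopy and longword, and nothing in this section shows that those destinations differ in size. vim_strncpy() stores the terminating NUL at to[len], so the destination must be at least len + 1 bytes; a buffer declared with exactly MAXWLEN bytes would be written one byte past its end by the `MAXWLEN` calls. The declarations are outside the visible lines, so each one should be confirmed, or the calls changed to `sizeof(wcopy) - 1` and `sizeof(longword) - 1` where the destination is a local array. `vim_strncpy(fname, p, MAXPATHL)` in src/tag.c needs the same check against the size of fname.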
422 *** ../vim-7.3.159/src/syntax.c 2011-04-02 15:12:45.000000000 +0200
423 --- src/syntax.c 2011-04-11 15:44:30.000000000 +0200
426 if (iarg & hl_attr_table[i])
430 ! STRCAT(buf, hl_name_table[i]);
431 iarg &= ~hl_attr_table[i]; /* don't want "inverse" */
435 if (iarg & hl_attr_table[i])
438 ! vim_strcat(buf, (char_u *)",", 100);
439 ! vim_strcat(buf, (char_u *)hl_name_table[i], 100);
440 iarg &= ~hl_attr_table[i]; /* don't want "inverse" */
443 *** ../vim-7.3.159/src/tag.c 2011-02-25 15:13:43.000000000 +0100
444 --- src/tag.c 2011-04-11 15:34:59.000000000 +0200
447 p = tag_full_fname(&tagp);
455 p = tag_full_fname(&tagp);
458 ! vim_strncpy(fname, p, MAXPATHL);
462 *** ../vim-7.3.159/src/version.c 2011-04-11 14:29:13.000000000 +0200
463 --- src/version.c 2011-04-11 16:50:53.000000000 +0200
467 { /* Add new patch number below this line */
473 If someone questions your market projections, simply point out that your
474 target market is "People who are nuts" and "People who will buy any damn
475 thing". Nobody is going to tell you there aren't enough of those people
477 (Scott Adams - The Dilbert principle)
479 /// Bram Moolenaar -- Bram@Moolenaar.net -- http://www.Moolenaar.net \\\
480 /// sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\
481 \\\ an exciting new programming language -- http://www.Zimbu.org ///
482 \\\ help me help AIDS victims -- http://ICCF-Holland.org ///