patch 9.2.0014: unsafe string functions may lead to buffer overflows v9.2.0014
authorYasuhiro Matsumoto <mattn.jp@gmail.com>
Mon, 16 Feb 2026 22:03:29 +0000 (22:03 +0000)
committerChristian Brabandt <cb@256bit.org>
Mon, 16 Feb 2026 22:03:29 +0000 (22:03 +0000)
Problem:  Unsafe string functions may lead to buffer overflows
Solution: Use vim_strncpy() instead of strcpy(), replace sprintf() by
          vim_snprintf() (Yasuhiro Matsumoto)

closes: #19412

Signed-off-by: Yasuhiro Matsumoto <mattn.jp@gmail.com>
Signed-off-by: Christian Brabandt <cb@256bit.org>
src/clipboard.c
src/dosinst.c
src/evalfunc.c
src/if_cscope.c
src/netbeans.c
src/normal.c
src/pty.c
src/termlib.c
src/version.c

index e0e2256d0d3ccaeac0149cdb1468d6dff0bc3840..9223e8101b19fbe1b759a3c724eb057cf0e3a85a 100644 (file)
@@ -3136,8 +3136,8 @@ vwl_data_source_listener_event_send(
     if (is_vimenc)
     {
        string[0] = (char_u)motion_type;
-       // strcpy copies the NUL terminator too
-       strcpy((char *)string + 1, (char *)p_enc);
+       // Use vim_strncpy for safer copying
+       vim_strncpy(string + 1, p_enc, STRLEN(p_enc));
     }
     else if (is_vim)
        string[0] = (char_u)motion_type;
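Review bot: The bound passed to `vim_strncpy()` here is `STRLEN(p_enc)`, the length of the source, so the call writes exactly what `strcpy()` wrote and adds no protection if `string` is too small for `p_enc`. The limit should come from the destination: the capacity of `string`, less the byte already used for the motion type and one for the NUL. That allocation is outside this hunk, so the exact expression has to be confirmed there. The new comment `// Use vim_strncpy for safer copying` overstates what the line does until the bound is changed. The three `cs_insert_filelist()` hunks use the same source-derived bound (`strlen(fname)`, `strlen(ppath)`, `strlen(flags)`); there the buffer for `fname` is visibly allocated as `strlen(fname)+1`, so the copy is correct but no safer than before.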
index 76643e53b99e1ab63eed4044398df4c173fe847e..8d0dea574d16d948195d21206724b71189e9a503 100644 (file)
@@ -2174,8 +2174,8 @@ init_homedir(void)
        if (homedrive != NULL
                   && strlen(homedrive) + strlen(homepath) < sizeof(buf))
        {
-           snprintf(buf, sizeof(buf), "%s%s", homedrive, homepath);
-           if (buf[0] != NUL)
+           if (snprintf(buf, sizeof(buf), "%s%s", homedrive, homepath) > 0
+               && buf[0] != NUL)
                var = buf;
        }
     }
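Review bot: The second half of the new condition, `buf[0] != NUL`, is implied once `snprintf()` has returned a value greater than zero for a `"%s%s"` format, so the test can be reduced to the return check. Truncation is not detected by `> 0`; it is excluded only by the `strlen(homedrive) + strlen(homepath) < sizeof(buf)` guard above. A short comment would record that dependency, for example `// length checked above, so a positive return means the whole path was written`. The rest of init_homedir() lies outside the hunk.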
index 47f187ee705f9d3ba079b75abe2c3e1711a138ea..b4dd971f460a25de3a89fb7b586017dbb2a4e975 100644 (file)
@@ -6560,7 +6560,7 @@ f_getregtype(typval_T *argvars, typval_T *rettv)
        case MCHAR: buf[0] = 'v'; break;
        case MBLOCK:
                buf[0] = Ctrl_V;
-               sprintf((char *)buf + 1, "%ld", reglen + 1);
+               vim_snprintf((char *)buf + 1, NUMBUFLEN + 1, "%ld", reglen + 1);
                break;
     }
     rettv->vval.v_string = vim_strsave(buf);
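Review bot: The size argument `NUMBUFLEN + 1` is written by hand and is only correct if `buf` is declared with at least `NUMBUFLEN + 2` bytes, which this hunk does not show. Deriving it from the array keeps the bound tied to the declaration: `vim_snprintf((char *)buf + 1, sizeof(buf) - 1, "%ld", reglen + 1);`, assuming `buf` is a local array and not a pointer. The declaration of `buf` and the start of f_getregtype() are outside the hunk.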
index 4e65da99a4ef4e024b26ca6e715da25b87cc4c64..e23d78d97ff95b16f82e13052d39c0748bdc72ae 100644 (file)
@@ -1457,7 +1457,7 @@ cs_insert_filelist(
     if ((csinfo[i].fname = alloc(strlen(fname)+1)) == NULL)
        return -1;
 
-    (void)strcpy(csinfo[i].fname, (const char *)fname);
+    vim_strncpy((char_u *)csinfo[i].fname, (char_u *)fname, strlen((const char *)fname));
 
     if (ppath != NULL)
     {
@@ -1466,7 +1466,7 @@ cs_insert_filelist(
            VIM_CLEAR(csinfo[i].fname);
            return -1;
        }
-       (void)strcpy(csinfo[i].ppath, (const char *)ppath);
+       vim_strncpy((char_u *)csinfo[i].ppath, (char_u *)ppath, strlen((const char *)ppath));
     }
     else
        csinfo[i].ppath = NULL;
@@ -1479,7 +1479,7 @@ cs_insert_filelist(
            VIM_CLEAR(csinfo[i].ppath);
            return -1;
        }
-       (void)strcpy(csinfo[i].flags, (const char *)flags);
+       vim_strncpy((char_u *)csinfo[i].flags, (char_u *)flags, strlen((const char *)flags));
     }
     else
        csinfo[i].flags = NULL;
index a098adc3027050c44e7ad936c11e315357c34aa9..516ac16da63b787f80d80ac03b1f6ccbf41c05f2 100644 (file)
@@ -2321,7 +2321,7 @@ special_keys(char_u *args)
 
        if (strlen(tok) + i < KEYBUFLEN)
        {
-           strcpy(&keybuf[i], tok);
+           vim_strncpy((char_u *)&keybuf[i], (char_u *)tok, KEYBUFLEN - i - 1);
            vim_snprintf(cmdbuf, sizeof(cmdbuf),
                                 "<silent><%s> :nbkey %s<CR>", keybuf, keybuf);
            do_map(MAPTYPE_MAP, (char_u *)cmdbuf, MODE_NORMAL, FALSE);
index 1534ab3c56afd631bbcf0d485e7cb808bd36c74e..42e9eafec55ede118b93cf3b573b08cd00fb3fac 100644 (file)
@@ -1656,11 +1656,11 @@ clear_showcmd(void)
            p_sbr = saved_sbr;
            curwin->w_p_sbr = saved_w_sbr;
 #endif
-           sprintf((char *)showcmd_buf, "%ldx%ld", lines,
+           vim_snprintf((char *)showcmd_buf, SHOWCMD_BUFLEN, "%ldx%ld", lines,
                                              (long)(rightcol - leftcol + 1));
        }
        else if (VIsual_mode == 'V' || VIsual.lnum != curwin->w_cursor.lnum)
-           sprintf((char *)showcmd_buf, "%ld", lines);
+           vim_snprintf((char *)showcmd_buf, SHOWCMD_BUFLEN, "%ld", lines);
        else
        {
            char_u  *s, *e;
@@ -1692,9 +1692,9 @@ clear_showcmd(void)
                s += l;
            }
            if (bytes == chars)
-               sprintf((char *)showcmd_buf, "%d", chars);
+               vim_snprintf((char *)showcmd_buf, SHOWCMD_BUFLEN, "%d", chars);
            else
-               sprintf((char *)showcmd_buf, "%d-%d", chars, bytes);
+               vim_snprintf((char *)showcmd_buf, SHOWCMD_BUFLEN, "%d-%d", chars, bytes);
        }
        showcmd_buf[SHOWCMD_COLS] = NUL;        // truncate
        showcmd_visual = TRUE;
index 5600cbd9a1f6e10cc423e94b5a75a1f24d973161..55bbf94d54790419388f4e8ca1f3262452674811 100644 (file)
--- a/src/pty.c
+++ b/src/pty.c
@@ -375,8 +375,8 @@ mch_openpty(char **ttyn)
     static char PtyName[32];
     static char TtyName[32];
 
-    strcpy(PtyName, PtyProto);
-    strcpy(TtyName, TtyProto);
+    vim_strncpy((char_u *)PtyName, (char_u *)PtyProto, sizeof(PtyName) - 1);
+    vim_strncpy((char_u *)TtyName, (char_u *)TtyProto, sizeof(TtyName) - 1);
     for (p = PtyName; *p != 'X'; p++)
        ;
     for (q = TtyName; *q != 'X'; q++)
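Review bot: Truncation by `vim_strncpy()` is silent, and the two scan loops that follow (`for (p = PtyName; *p != 'X'; p++)` and the same for `TtyName`) stop only on an 'X'. A template longer than 31 bytes that loses its 'X' would therefore send them past the end of the static buffers. `PtyProto` and `TtyProto` are defined outside this hunk and are presumably short compile-time strings, in which case this cannot happen today. A loop condition such as `*p != NUL && *p != 'X'`, with an error return when no 'X' is found, would make the function safe regardless of the template. mch_openpty() continues beyond the hunk.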
index 42eccf5e90c2b5321f69d5db0671128001fb2662..c0639500775ca7ec2e125d77d5c6b5587e76a4ef 100644 (file)
@@ -104,7 +104,7 @@ tgetent(
                nexttmp  = _find(tmp, ":|");    // Rhialto
                if (tmp+tlen == nexttmp && _match(tmp, term) == tlen)
                {
-                   strcpy(tbuf, tmp);
+                   vim_strncpy(tbuf, tmp, TBUFSZ - 1);
                    tent = tbuf;
                    return 1;
                }
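Review bot: `vim_strncpy()` is built on `strncpy()`, which pads the destination with NULs up to the given length, so this call now writes `TBUFSZ` bytes into the caller's `tbuf` even for a short entry, where `strcpy()` wrote only the entry and its terminator. That is safe only if every caller of tgetent() passes a buffer of at least `TBUFSZ` bytes. The callers are not visible here, so this needs checking, or a comment on the function stating the requirement, e.g. `// tbuf must be at least TBUFSZ bytes`. The arguments are also passed without the `(char_u *)` casts used in the other files of this commit, which presumably produces a pointer-sign warning if `tbuf` and `tmp` are `char *`. Both points apply equally to the `vim_strncpy(tbuf, tcap, TBUFSZ - 1)` call in the next hunk.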
@@ -115,7 +115,7 @@ tgetent(
     }
     if (!(termcap = mch_fopen(tcap, "r")))
     {
-       strcpy(tbuf, tcap);
+       vim_strncpy(tbuf, tcap, TBUFSZ - 1);
        return -1;
     }
 
index 3add220987c377f3a6763644150c9ff413fa5f67..8db19f9a4ef732e805afa7a407b3a6e22b2cb57e 100644 (file)
@@ -734,6 +734,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    14,
 /**/
     13,
 /**/