patch 9.0.1458: buffer overflow when expanding long file name

author Yee Cheng Chin <ychin.git@gmail.com>

Sun, 16 Apr 2023 19:13:12 +0000 (20:13 +0100)

committer Bram Moolenaar <Bram@vim.org>

Sun, 16 Apr 2023 19:13:12 +0000 (20:13 +0100)
author Yee Cheng Chin <ychin.git@gmail.com>
Sun, 16 Apr 2023 19:13:12 +0000 (20:13 +0100)
committer Bram Moolenaar <Bram@vim.org>
Sun, 16 Apr 2023 19:13:12 +0000 (20:13 +0100)
diff --git a/src/filepath.c b/src/filepath.c

index 57e9fb29571aaadf4f4a7c18a607dfa1bfc6fbea..79d4afb2e3c7803a2081bcda0236aad2b6c34342 100644 (file)
--- a/src/filepath.c
+++ b/src/filepath.c
@@ -938,9 +938,9 @@ f_filewritable(typval_T *argvars, typval_T *rettv)
  
      static void
  findfilendir(
-    typval_T   *argvars UNUSED,
+    typval_T   *argvars,
      typval_T   *rettv,
-    int                find_what UNUSED)
+    int                find_what)
  {
      char_u     *fname;
      char_u     *fresult = NULL;
@@ -3685,7 +3685,6 @@ unix_expandpath(
      int                didstar)        // expanded "**" once already
  {
      char_u     *buf;
-    size_t     buflen;
      char_u     *path_end;
      char_u     *p, *s, *e;
      int                start_len = gap->ga_len;
@@ -3708,8 +3707,8 @@ unix_expandpath(
             return 0;
      }
  
-    // make room for file name
-    buflen = STRLEN(path) + BASENAMELEN + 5;
+    // make room for file name (a bit too much to stay on the safe side)
+    size_t buflen = STRLEN(path) + MAXPATHL;
      buf = alloc(buflen);
      if (buf == NULL)
         return 0;
@@ -3828,7 +3827,7 @@ unix_expandpath(
                    || ((flags & EW_NOTWILD)
                      && fnamencmp(path + (s - buf), dp->d_name, e - s) == 0)))
             {
-               STRCPY(s, dp->d_name);
+               vim_strncpy(s, (char_u *)dp->d_name, buflen - (s - buf) - 1);
                 len = STRLEN(buf);
  
                 if (starstar && stardepth < 100)
diff --git a/src/version.c b/src/version.c

index ca4774dc38adf50362c2492ac2c86eb0bcc330e2..018fcf5d61cc962ecc46239354b57e2944325996 100644 (file)
--- a/src/version.c
+++ b/src/version.c
@@ -695,6 +695,8 @@ static char *(features[]) =
  
  static int included_patches[] =
  {   /* Add new patch number below this line */
+/**/
+    1458,
  /**/
      1457,
  /**/
author	Yee Cheng Chin <ychin.git@gmail.com>
	Sun, 16 Apr 2023 19:13:12 +0000 (20:13 +0100)
committer	Bram Moolenaar <Bram@vim.org>
	Sun, 16 Apr 2023 19:13:12 +0000 (20:13 +0100)
src/filepath.c		patch \| blob \| blame \| history
src/version.c		patch \| blob \| blame \| history