From: Yasuhiro Matsumoto Date: Mon, 16 Feb 2026 22:03:29 +0000 (+0000) Subject: patch 9.2.0014: unsafe string functions may lead to buffer overflows X-Git-Tag: v9.2.0014^0 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=46e3978f73e02b9c525834d48fd650689f074965;p=thirdparty%2Fvim.git patch 9.2.0014: unsafe string functions may lead to buffer overflows Problem: Unsafe string functions may lead to buffer overflows Solution: Use vim_strncpy() instead of strpcy(), replace sprintf() by vim_snprintf() (Yasuhiro Matsumoto) closes: #19412 Signed-off-by: Yasuhiro Matsumoto Signed-off-by: Christian Brabandt
---
diff --git a/src/clipboard.c b/src/clipboard.c
index e0e2256d0d..9223e8101b 100644
--- a/src/clipboard.c
+++ b/src/clipboard.c
@@ -3136,8 +3136,8 @@ vwl_data_source_listener_event_send(
 if (is_vimenc)
 {
 string[0] = (char_u)motion_type;
- // strcpy copies the NUL terminator too
- strcpy((char *)string + 1, (char *)p_enc);
+ // Use vim_strncpy for safer copying
+ vim_strncpy(string + 1, p_enc, STRLEN(p_enc));
 }
 else if (is_vim)
 string[0] = (char_u)motion_type;
diff --git a/src/dosinst.c b/src/dosinst.c
index 76643e53b9..8d0dea574d 100644
--- a/src/dosinst.c
+++ b/src/dosinst.c
@@ -2174,8 +2174,8 @@ init_homedir(void)
 if (homedrive != NULL
 && strlen(homedrive) + strlen(homepath) < sizeof(buf))
 {
- snprintf(buf, sizeof(buf), "%s%s", homedrive, homepath);
- if (buf[0] != NUL)
+ if (snprintf(buf, sizeof(buf), "%s%s", homedrive, homepath) > 0
+ && buf[0] != NUL)
 var = buf;
 }
 }
diff --git a/src/evalfunc.c b/src/evalfunc.c
index 47f187ee70..b4dd971f46 100644
--- a/src/evalfunc.c
+++ b/src/evalfunc.c
@@ -6560,7 +6560,7 @@ f_getregtype(typval_T *argvars, typval_T *rettv)
 case MCHAR: buf[0] = 'v'; break;
 case MBLOCK:
 buf[0] = Ctrl_V;
- sprintf((char *)buf + 1, "%ld", reglen + 1);
+ vim_snprintf((char *)buf + 1, NUMBUFLEN + 1, "%ld", reglen + 1);
 break;
 }
 rettv->vval.v_string = vim_strsave(buf);
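Review bot: In src/clipboard.c (vwl_data_source_listener_event_send), `vim_strncpy(string + 1, p_enc, STRLEN(p_enc))` takes its bound from the source length, so it copies exactly what strcpy() copied and adds no protection; vim_strncpy() also writes a NUL at `to[len]`, so the destination must hold `len + 1` bytes either way. The bound should come from the size `string` was allocated with, which is outside this hunk, for example `vim_strncpy(string + 1, p_enc, string_size - 2);` where `string_size` is a placeholder for that allocation size. The new comment `// Use vim_strncpy for safer copying` overstates what the call does and should either be dropped or say where the bound comes from. The three cs_insert_filelist() hunks in src/if_cscope.c use the same source-length bound; the visible `alloc(strlen(fname)+1)` shows the first copy fits, but those calls are still equivalent to the strcpy() they replace.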
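Review bot: In src/dosinst.c (init_homedir), the new `snprintf(...) > 0` test does not detect truncation, because a C99 snprintf() returns the length it would have written; only the `strlen(homedrive) + strlen(homepath) < sizeof(buf)` guard above rules truncation out. If the return value is going to be checked, compare it against the buffer as well, `n > 0 && (size_t)n < sizeof(buf)`, with `n` holding the snprintf() result. The function starts and ends outside the hunk, so whether `homepath` can be NULL at this point cannot be seen here.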
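Review bot: In src/evalfunc.c (f_getregtype), the size `NUMBUFLEN + 1` passed to vim_snprintf() is a hand-computed constant that is only correct if `buf` is declared with at least `NUMBUFLEN + 2` bytes, and that declaration is outside this hunk. Deriving the size from the array keeps the two in step: `vim_snprintf((char *)buf + 1, sizeof(buf) - 1, "%ld", reglen + 1);`. This assumes `buf` is a local array rather than a pointer, which should be confirmed against the declaration.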
diff --git a/src/if_cscope.c b/src/if_cscope.c
index 4e65da99a4..e23d78d97f 100644
--- a/src/if_cscope.c
+++ b/src/if_cscope.c
@@ -1457,7 +1457,7 @@ cs_insert_filelist(
 if ((csinfo[i].fname = alloc(strlen(fname)+1)) == NULL)
 return -1;
- (void)strcpy(csinfo[i].fname, (const char *)fname);
+ vim_strncpy((char_u *)csinfo[i].fname, (char_u *)fname, strlen((const char *)fname));
 if (ppath != NULL)
 {
@@ -1466,7 +1466,7 @@ cs_insert_filelist(
 VIM_CLEAR(csinfo[i].fname);
 return -1;
 }
- (void)strcpy(csinfo[i].ppath, (const char *)ppath);
+ vim_strncpy((char_u *)csinfo[i].ppath, (char_u *)ppath, strlen((const char *)ppath));
 }
 else
 csinfo[i].ppath = NULL;
@@ -1479,7 +1479,7 @@ cs_insert_filelist(
 VIM_CLEAR(csinfo[i].ppath);
 return -1;
 }
- (void)strcpy(csinfo[i].flags, (const char *)flags);
+ vim_strncpy((char_u *)csinfo[i].flags, (char_u *)flags, strlen((const char *)flags));
 }
 else
 csinfo[i].flags = NULL;
diff --git a/src/netbeans.c b/src/netbeans.c
index a098adc302..516ac16da6 100644
--- a/src/netbeans.c
+++ b/src/netbeans.c
@@ -2321,7 +2321,7 @@ special_keys(char_u *args)
 if (strlen(tok) + i < KEYBUFLEN)
 {
- strcpy(&keybuf[i], tok);
+ vim_strncpy((char_u *)&keybuf[i], (char_u *)tok, KEYBUFLEN - i - 1);
 vim_snprintf(cmdbuf, sizeof(cmdbuf), "<%s> :nbkey %s", keybuf, keybuf);
 do_map(MAPTYPE_MAP, (char_u *)cmdbuf, MODE_NORMAL, FALSE);
diff --git a/src/normal.c b/src/normal.c
index 1534ab3c56..42e9eafec5 100644
--- a/src/normal.c
+++ b/src/normal.c
@@ -1656,11 +1656,11 @@ clear_showcmd(void)
 p_sbr = saved_sbr;
 curwin->w_p_sbr = saved_w_sbr;
 #endif
- sprintf((char *)showcmd_buf, "%ldx%ld", lines,
+ vim_snprintf((char *)showcmd_buf, SHOWCMD_BUFLEN, "%ldx%ld", lines,
 (long)(rightcol - leftcol + 1));
 }
 else if (VIsual_mode == 'V' || VIsual.lnum != curwin->w_cursor.lnum)
- sprintf((char *)showcmd_buf, "%ld", lines);
+ vim_snprintf((char *)showcmd_buf, SHOWCMD_BUFLEN, "%ld", lines);
 else
 {
 char_u *s, *e;
@@ -1692,9 +1692,9 @@ clear_showcmd(void)
 s += l;
 }
 if (bytes == chars)
- sprintf((char *)showcmd_buf, "%d", chars);
+ vim_snprintf((char *)showcmd_buf, SHOWCMD_BUFLEN, "%d", chars);
 else
- sprintf((char *)showcmd_buf, "%d-%d", chars, bytes);
+ vim_snprintf((char *)showcmd_buf, SHOWCMD_BUFLEN, "%d-%d", chars, bytes);
 }
 showcmd_buf[SHOWCMD_COLS] = NUL; // truncate
 showcmd_visual = TRUE;
diff --git a/src/pty.c b/src/pty.c
index 5600cbd9a1..55bbf94d54 100644
--- a/src/pty.c
+++ b/src/pty.c
@@ -375,8 +375,8 @@ mch_openpty(char **ttyn)
 static char PtyName[32];
 static char TtyName[32];
- strcpy(PtyName, PtyProto);
- strcpy(TtyName, TtyProto);
+ vim_strncpy((char_u *)PtyName, (char_u *)PtyProto, sizeof(PtyName) - 1);
+ vim_strncpy((char_u *)TtyName, (char_u *)TtyProto, sizeof(TtyName) - 1);
 for (p = PtyName; *p != 'X'; p++)
 ;
 for (q = TtyName; *q != 'X'; q++)
diff --git a/src/termlib.c b/src/termlib.c
index 42eccf5e90..c063950077 100644
--- a/src/termlib.c
+++ b/src/termlib.c
@@ -104,7 +104,7 @@ tgetent(
 nexttmp = _find(tmp, ":|"); // Rhialto
 if (tmp+tlen == nexttmp && _match(tmp, term) == tlen)
 {
- strcpy(tbuf, tmp);
+ vim_strncpy(tbuf, tmp, TBUFSZ - 1);
 tent = tbuf;
 return 1;
 }
@@ -115,7 +115,7 @@ tgetent(
 }
 if (!(termcap = mch_fopen(tcap, "r")))
 {
- strcpy(tbuf, tcap);
+ vim_strncpy(tbuf, tcap, TBUFSZ - 1);
 return -1;
 }
diff --git a/src/version.c b/src/version.c
index 3add220987..8db19f9a4e 100644
--- a/src/version.c
+++ b/src/version.c
@@ -734,6 +734,8 @@ static char *(features[]) =
 static int included_patches[] =
 {
 /* Add new patch number below this line */
+/**/
+ 14,
 /**/
 13,
 /**/
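Review bot: In src/pty.c (mch_openpty), the scan loops that follow the new bounded copies (`for (p = PtyName; *p != 'X'; p++)`) stop only on 'X' and never on NUL, so they rely on the copied prototype still containing an 'X'. If a prototype were ever longer than 31 bytes, the copy would now truncate silently and could cut the 'X' off, and the scan would then run past the end of the static buffer. PtyProto and TtyProto are defined outside the hunk and are presumably short constants, so this is a latent condition rather than a live one. A comment at the copy would record the requirement: `// PtyProto/TtyProto must fit in sizeof(PtyName) - 1 bytes and contain an 'X'`.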
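Review bot: In src/termlib.c (tgetent), both new calls pass `tbuf`, `tmp` and `tcap` to vim_strncpy() without the `(char_u *)` casts that every other hunk in this commit uses. If these are `char *` (their declarations are outside the hunks) that adds pointer-sign warnings, so write `vim_strncpy((char_u *)tbuf, (char_u *)tmp, TBUFSZ - 1);` and likewise for `tcap`. The bound `TBUFSZ - 1` also assumes the caller's `tbuf` holds at least TBUFSZ bytes, which nothing visible enforces and which deserves a comment at the function header. In the first hunk an over-long entry is now silently truncated while `return 1` still reports success; rejecting entries with `strlen(tmp) >= TBUFSZ` before the copy would avoid handing a cut-off termcap entry to the parser.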