From: Yee Cheng Chin
Date: Sun, 16 Apr 2023 19:13:12 +0000 (+0100)
Subject: patch 9.0.1458: buffer overflow when expanding long file name
X-Git-Tag: v9.0.1458
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a77670726e3706973adffc2b118f4576e1f58ea0;p=thirdparty%2Fvim.git
patch 9.0.1458: buffer overflow when expanding long file name
Problem: Buffer overflow when expanding long file name.
Solution: Use a larger buffer and avoid overflowing it. (Yee Cheng Chin, closes #12201)
---
diff --git a/src/filepath.c b/src/filepath.c
index 57e9fb2957..79d4afb2e3 100644
--- a/src/filepath.c
+++ b/src/filepath.c
@@ -938,9 +938,9 @@ f_filewritable(typval_T *argvars, typval_T *rettv)
 static void
 findfilendir(
- typval_T *argvars UNUSED,
+ typval_T *argvars,
 typval_T *rettv,
- int find_what UNUSED)
+ int find_what)
 {
 char_u *fname;
 char_u *fresult = NULL;
@@ -3685,7 +3685,6 @@ unix_expandpath(
 int didstar) // expanded "**" once already
 {
 char_u *buf;
- size_t buflen;
 char_u *path_end;
 char_u *p, *s, *e;
 int start_len = gap->ga_len;
@@ -3708,8 +3707,8 @@ unix_expandpath(
 return 0;
 }
- // make room for file name
- buflen = STRLEN(path) + BASENAMELEN + 5;
+ // make room for file name (a bit too much to stay on the safe side)
+ size_t buflen = STRLEN(path) + MAXPATHL;
 buf = alloc(buflen);
 if (buf == NULL)
 return 0;
@@ -3828,7 +3827,7 @@ unix_expandpath(
 || ((flags & EW_NOTWILD)
 && fnamencmp(path + (s - buf), dp->d_name, e - s) == 0)))
 {
- STRCPY(s, dp->d_name);
+ vim_strncpy(s, (char_u *)dp->d_name, buflen - (s - buf) - 1);
 len = STRLEN(buf);
 if (starstar && stardepth < 100)
diff --git a/src/version.c b/src/version.c
index ca4774dc38..018fcf5d61 100644
--- a/src/version.c
+++ b/src/version.c
@@ -695,6 +695,8 @@ static char *(features[]) =
 static int included_patches[] =
 { /* Add new patch number below this line */
+/**/
+ 1458,
 /**/
 1457,
 /**/
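Review bot: The new comment on the `buflen` line in unix_expandpath (`a bit too much to stay on the safe side`) does not say what the extra `MAXPATHL` bytes have to cover, and that is what the next person resizing this buffer needs to know. I would state the invariant instead, for example `// room for "path" with one component replaced by a directory entry name, plus anything appended after it; the entry copy below is bounded by buflen`. The body of unix_expandpath starts and ends outside this hunk, so whatever else is written into `buf` after the entry name is not visible here and should be checked against the same headroom.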
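Review bot: The `vim_strncpy(s, (char_u *)dp->d_name, buflen - (s - buf) - 1)` call in the last filepath.c hunk bounds the write but truncates silently, so an entry name that does not fit would leave `buf` naming a path other than the directory entry that was read, and `len = STRLEN(buf)` on the next line carries on as if the copy were complete. With the new `STRLEN(path) + MAXPATHL` sizing this should not trigger in practice, but I would rather skip the entry explicitly, e.g. `if (STRLEN(dp->d_name) >= buflen - (size_t)(s - buf)) continue;` before the copy, assuming this block sits directly inside the directory-reading loop, which starts outside the hunk. If `vim_strncpy` is the usual strncpy-plus-terminator wrapper, it also zero-fills the whole remainder of `buf` for every matching entry, which is worth knowing now that the buffer is `MAXPATHL` larger. The diff as shown touches only filepath.c and version.c, so no regression test exercises an entry name longer than the old `BASENAMELEN + 5` headroom.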