patch 9.0.1899: potential buffer overflow in PBYTE macro

Problem:  potential buffer overflow in PBYTE macro
Solution: Check returned memline length

closes: #13083

the PBYTE macro is used to put byte c at a position lp of the returned
memline. However, in case of unexpected errors ml_get_buf() may return
either "???" or an empty line in which case it is quite likely that we
are causing a buffer overrun.

Therefore, switch the macro PBYTE (which is only used in ops.c anyhow)
to a function, that verifies that we will only try to access within the
given length of the buffer.

Also, since the macro is only used in ops.c, move the definition from
macros.h to ops.c

Signed-off-by: Christian Brabandt <cb@256bit.org>

diff --git a/src/macros.h b/src/macros.h
index d86097ced3a526a83d38ef233b168f88d373d82e..cc2d11fdd162a86253674cfcb9ceb33377f08bf6 100644 (file)
--- a/src/macros.h
+++ b/src/macros.h
@@ -13,11 +13,6 @@
  * replaced and an argument is not used more than once.
  */
 
-/*
- * PBYTE(lp, c) - put byte 'c' at position 'lp'
- */
-#define PBYTE(lp, c) (*(ml_get_buf(curbuf, (lp).lnum, TRUE) + (lp).col) = (c))
-
 /*
  * Position comparisons
  */

diff --git a/src/ops.c b/src/ops.c
index f4524d3d7b12884c6926cf79cbd2eade11d7269b..aa6f4af37a7c9656cf30592830c11d043c20b95d 100644 (file)
--- a/src/ops.c
+++ b/src/ops.c
@@ -17,6 +17,9 @@
 static void shift_block(oparg_T *oap, int amount);
 static void    mb_adjust_opend(oparg_T *oap);
 static int     do_addsub(int op_type, pos_T *pos, int length, linenr_T Prenum1);
+static void    pbyte(pos_T lp, int c);
+#define PBYTE(lp, c) pbyte(lp, c)
+
 
 // Flags for third item in "opchars".
 #define OPF_LINES  1   // operator always works on lines
@@ -4349,3 +4352,18 @@ do_pending_operator(cmdarg_T *cap, int old_col, int gui_yank)
     restore_lbr(lbr_saved);
 #endif
 }
+
+// put byte 'c' at position 'lp', but
+// verify, that the position to place
+// is actually safe
+    static void
+pbyte(pos_T lp, int c)
+{
+    char_u *p = ml_get_buf(curbuf, lp.lnum, TRUE);
+    int        len = curbuf->b_ml.ml_line_len;
+
+    // safety check
+    if (lp.col >= len)
+       lp.col = (len > 1 ? len - 2 : 0);
+    *(p + lp.col) = c;
+}

diff --git a/src/version.c b/src/version.c
index ba4be278070109868bc59d3e37a9f942a40338e2..4576d5a4c21a9e0c3f0b6ae742e67b74614a268d 100644 (file)
--- a/src/version.c
+++ b/src/version.c
@@ -699,6 +699,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    1899,
 /**/
     1898,
 /**/