From: Christian Brabandt Date: Sat, 2 Sep 2023 17:43:33 +0000 (+0200) Subject: patch 9.0.1847: [security] potential oob write in do_addsub() X-Git-Tag: v9.0.1847 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=889f6af37164775192e33b233a90e86fd3df0f57;p=thirdparty%2Fvim.git patch 9.0.1847: [security] potential oob write in do_addsub() Problem: potential oob write in do_addsub() Solution: don't overflow buf2, check size in for loop() Signed-off-by: Christian Brabandt --- diff --git a/src/ops.c b/src/ops.c index d46a049fe4..f4524d3d7b 100644 --- a/src/ops.c +++ b/src/ops.c @@ -2919,7 +2919,7 @@ do_addsub( for (bit = bits; bit > 0; bit--) if ((n >> (bit - 1)) & 0x1) break; - for (i = 0; bit > 0; bit--) + for (i = 0; bit > 0 && i < (NUMBUFLEN - 1); bit--) buf2[i++] = ((n >> (bit - 1)) & 0x1) ? '1' : '0'; buf2[i] = '\0'; diff --git a/src/version.c b/src/version.c index 5cde7c1855..c638a107e3 100644 --- a/src/version.c +++ b/src/version.c @@ -699,6 +699,8 @@ static char *(features[]) = static int included_patches[] = { /* Add new patch number below this line */ +/**/ + 1847, /**/ 1846, /**/
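Review bot: In the second `for` loop of the do_addsub() hunk in src/ops.c, the new `i < (NUMBUFLEN - 1)` condition keeps `buf2[i] = '\0'` in bounds only if buf2 holds at least NUMBUFLEN bytes, and its declaration is not visible in this hunk. If buf2 is a local array, bounding on `sizeof(buf2) - 1` would tie the check to the buffer itself. The loop emits bits from the most significant one downward, so when the bound triggers the low-order bits are dropped silently and the string no longer represents `n`. Consider either sizing buf2 for the largest value `bits` can take plus the terminator, or adding a comment that states why truncation is acceptable here. The diff touches only src/ops.c and src/version.c, so a regression test with a binary number long enough to reach the bound would be worth adding alongside it.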