patch 8.2.3669: buffer overflow with long help argument

Problem: Buffer overflow with long help argument. Solution: Use snprintf().
2025-09-25 03:54:15 -04:00 · 2021-11-25 10:50:12 +00:00
parent bb277fd89f
commit bd228fd097
3 changed files with 12 additions and 2 deletions
--- a/src/help.c
+++ b/src/help.c
@@ -422,8 +422,7 @@ find_help_tags(
 		    || (vim_strchr((char_u *)"%_z@", arg[1]) != NULL
 							   && arg[2] != NUL)))
 	{
-	    STRCPY(d, "/\\\\");
-	    STRCPY(d + 3, arg + 1);
+	    vim_snprintf((char *)d, IOSIZE, "/\\\\%s", arg + 1);
 	    // Check for "/\\_$", should be "/\\_\$"
 	    if (d[3] == '_' && d[4] == '$')
 		STRCPY(d + 4, "\\$");