aniani/vim
0
0
Fork 1
mirror of https://github.com/vim/vim.git synced 2025-09-25 03:54:15 -04:00
Code Activity

patch 8.2.3669: buffer overflow with long help argument

Browse Source 
Problem:    Buffer overflow with long help argument.
Solution:   Use snprintf().
This commit is contained in:
Bram Moolenaar
2021-11-25 10:50:12 +00:00
parent bb277fd89f
commit bd228fd097
3 changed files with 12 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
src/help.c
View File

@@ -422,8 +422,7 @@ find_help_tags(
|| (vim_strchr((char_u *)"%_z@", arg[1]) != NULL || (vim_strchr((char_u *)"%_z@", arg[1]) != NULL
&& arg[2] != NUL))) && arg[2] != NUL)))
{ {
STRCPY(d, "/\\\\"); vim_snprintf((char *)d, IOSIZE, "/\\\\%s", arg + 1);
STRCPY(d + 3, arg + 1);
// Check for "/\\_$", should be "/\\_\$" // Check for "/\\_$", should be "/\\_\$"
if (d[3] == '_' && d[4] == '$') if (d[3] == '_' && d[4] == '$')
STRCPY(d + 4, "\\$"); STRCPY(d + 4, "\\$");

9
src/testdir/test_help.vim
View File

@@ -134,4 +134,13 @@ func Test_help_window_height()
close close
endfunc endfunc
func Test_help_long_argument()
try
exe 'help \%' .. repeat('0', 1021)
catch
call assert_match("E149:", v:exception)
endtry
endfunc
" vim: shiftwidth=2 sts=2 expandtab " vim: shiftwidth=2 sts=2 expandtab

2
src/version.c
View File

@@ -757,6 +757,8 @@ static char *(features[]) =
static int included_patches[] = static int included_patches[] =
{ /* Add new patch number below this line */ { /* Add new patch number below this line */
/**/
3669,
/**/ /**/
3668, 3668,
/**/ /**/