mirror of
https://github.com/vim/vim.git
synced 2025-11-16 23:24:03 -05:00
a19b019b87
Problem: potential buffer overrun in bufwrite.c Solution: Use a temporary variable (John Marriott) In my Windows 11 Pro 64-bit build MAXPATHL is 1024 and IOSIZE is 1025. In my Archlinux Linux 64-bit build MAXPATHL is 4096 and IOSIZE is 1025. In funuction buf_write(): There is a check (line 713) that makes sure the length of fname is less than MAXPATHL. There is a call to STRCPY() (line 1208) which copies the string at fname into IObuff (which has size IOSIZE). For Unix builds fname is set to sfname which may or may not be shorter. However, if sfname is NULL sfname is set to fname. Therefore, in builds where MAXPATHL > IOSIZE (eg in my linux build), it is theoretically possible for the STRCPY() call to exceed the bounds of IObuff. This PR addresses this by copying fname into a local variable that has the same maximum size as fname. In addition: Given that the filename is unconditionally overwritten in the for loop, only copy the directory portion of fname. Move variable i closer to where it is used. closes: #18095 Signed-off-by: John Marriott <basilisk@internode.on.net> Signed-off-by: Christian Brabandt <cb@256bit.org>
69 KiB
69 KiB