thac0/vim
1
0
Fork 0
forked from aniani/vim
Code

patch 9.1.1443: potential buffer underflow in insertchar()

Browse Source 
Problem:  potential buffer underflow in insertchar()
Solution: verify that end_len is larger than zero
          (jinyaoguo)

When parsing the end-comment leader, end_len can be zero if
copy_option_part() writes no characters. The existing check
unconditionally accessed lead_end[end_len-1], causing potential
underflow when end_len == 0.

This change adds an end_len > 0 guard to ensure we only index lead_end
if there is at least one character.

closes: #17476

Signed-off-by: jinyaoguo <guo846@purdue.edu>
Signed-off-by: Christian Brabandt <cb@256bit.org>
This commit is contained in:
jinyaoguo 2025-06-09 20:31:17 +02:00 committed by Christian Brabandt
parent 69565e3618
commit 82a96e3dc0
No known key found for this signature in database
GPG Key ID: F3F92DA383FDDE09
2 changed files with 3 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
src/edit.c
View File

@ -2197,7 +2197,7 @@ insertchar(
i -= middle_len; i -= middle_len;
// Check some expected things before we go on // Check some expected things before we go on
if (i >= 0 && lead_end[end_len - 1] == end_comment_pending) if (i >= 0 && end_len > 0 && lead_end[end_len - 1] == end_comment_pending)
{ {
// Backspace over all the stuff we want to replace // Backspace over all the stuff we want to replace
backspace_until_column(i); backspace_until_column(i);

2
src/version.c
View File

@ -709,6 +709,8 @@ static char *(features[]) =
static int included_patches[] = static int included_patches[] =
{ /* Add new patch number below this line */ { /* Add new patch number below this line */
/**/
1443,
/**/ /**/
1442, 1442,
/**/ /**/