|
|
44ca1a |
From 826bfe4bbd7594188e3d74d2539d9707b1c6a14b Mon Sep 17 00:00:00 2001
|
|
|
44ca1a |
From: Bram Moolenaar <Bram@vim.org>
|
|
|
44ca1a |
Date: Fri, 8 Oct 2021 18:39:28 +0100
|
|
|
44ca1a |
Subject: [PATCH] patch 8.2.3487: illegal memory access if buffer name is very
|
|
|
44ca1a |
long
|
|
|
44ca1a |
|
|
|
44ca1a |
Problem: Illegal memory access if buffer name is very long.
|
|
|
44ca1a |
Solution: Make sure not to go over the end of the buffer.
|
|
|
44ca1a |
---
|
|
|
44ca1a |
src/drawscreen.c | 10 +++++-----
|
|
|
44ca1a |
src/testdir/test_statusline.vim | 10 ++++++++++
|
|
|
44ca1a |
src/version.c | 2 ++
|
|
|
44ca1a |
3 files changed, 17 insertions(+), 5 deletions(-)
|
|
|
44ca1a |
|
|
|
44ca1a |
diff --git a/src/drawscreen.c b/src/drawscreen.c
|
|
|
44ca1a |
index 82e53753b..e38ca9586 100644
|
|
|
44ca1a |
--- a/src/drawscreen.c
|
|
|
44ca1a |
+++ b/src/drawscreen.c
|
|
|
44ca1a |
@@ -464,13 +464,13 @@ win_redr_status(win_T *wp, int ignore_pum UNUSED)
|
|
|
44ca1a |
*(p + len++) = ' ';
|
|
|
44ca1a |
if (bt_help(wp->w_buffer))
|
|
|
44ca1a |
{
|
|
|
44ca1a |
- STRCPY(p + len, _("[Help]"));
|
|
|
44ca1a |
+ vim_snprintf((char *)p + len, MAXPATHL - len, "%s", _("[Help]"));
|
|
|
44ca1a |
len += (int)STRLEN(p + len);
|
|
|
44ca1a |
}
|
|
|
44ca1a |
#ifdef FEAT_QUICKFIX
|
|
|
44ca1a |
if (wp->w_p_pvw)
|
|
|
44ca1a |
{
|
|
|
44ca1a |
- STRCPY(p + len, _("[Preview]"));
|
|
|
44ca1a |
+ vim_snprintf((char *)p + len, MAXPATHL - len, "%s", _("[Preview]"));
|
|
|
44ca1a |
len += (int)STRLEN(p + len);
|
|
|
44ca1a |
}
|
|
|
44ca1a |
#endif
|
|
|
44ca1a |
@@ -480,12 +480,12 @@ win_redr_status(win_T *wp, int ignore_pum UNUSED)
|
|
|
44ca1a |
#endif
|
|
|
44ca1a |
)
|
|
|
44ca1a |
{
|
|
|
44ca1a |
- STRCPY(p + len, "[+]");
|
|
|
44ca1a |
- len += 3;
|
|
|
44ca1a |
+ vim_snprintf((char *)p + len, MAXPATHL - len, "%s", "[+]");
|
|
|
44ca1a |
+ len += (int)STRLEN(p + len);
|
|
|
44ca1a |
}
|
|
|
44ca1a |
if (wp->w_buffer->b_p_ro)
|
|
|
44ca1a |
{
|
|
|
44ca1a |
- STRCPY(p + len, _("[RO]"));
|
|
|
44ca1a |
+ vim_snprintf((char *)p + len, MAXPATHL - len, "%s", _("[RO]"));
|
|
|
44ca1a |
len += (int)STRLEN(p + len);
|
|
|
44ca1a |
}
|
|
|
44ca1a |
|
|
|
44ca1a |
diff --git a/src/testdir/test_statusline.vim b/src/testdir/test_statusline.vim
|
|
|
44ca1a |
index f3eea2e71..a952de69b 100644
|
|
|
44ca1a |
--- a/src/testdir/test_statusline.vim
|
|
|
44ca1a |
+++ b/src/testdir/test_statusline.vim
|
|
|
44ca1a |
@@ -522,4 +522,14 @@ func Test_statusline_mbyte_fillchar()
|
|
|
44ca1a |
%bw!
|
|
|
44ca1a |
endfunc
|
|
|
44ca1a |
|
|
|
44ca1a |
+" Used to write beyond allocated memory. This assumes MAXPATHL is 4096 bytes.
|
|
|
44ca1a |
+func Test_statusline_verylong_filename()
|
|
|
44ca1a |
+ let fname = repeat('x', 4090)
|
|
|
44ca1a |
+ exe "new " .. fname
|
|
|
44ca1a |
+ set buftype=help
|
|
|
44ca1a |
+ set previewwindow
|
|
|
44ca1a |
+ redraw
|
|
|
44ca1a |
+ bwipe!
|
|
|
44ca1a |
+endfunc
|
|
|
44ca1a |
+
|
|
|
44ca1a |
" vim: shiftwidth=2 sts=2 expandtab
|
|
|
44ca1a |
--
|
|
|
44ca1a |
2.31.1
|
|
|
44ca1a |
|