Blame SOURCES/0001-patch-8.2.3487-illegal-memory-access-if-buffer-name-.patch

44ca1a
From 826bfe4bbd7594188e3d74d2539d9707b1c6a14b Mon Sep 17 00:00:00 2001
44ca1a
From: Bram Moolenaar <Bram@vim.org>
44ca1a
Date: Fri, 8 Oct 2021 18:39:28 +0100
44ca1a
Subject: [PATCH] patch 8.2.3487: illegal memory access if buffer name is very
44ca1a
 long
44ca1a
44ca1a
Problem:    Illegal memory access if buffer name is very long.
44ca1a
Solution:   Make sure not to go over the end of the buffer.
44ca1a
---
44ca1a
 src/drawscreen.c                | 10 +++++-----
44ca1a
 src/testdir/test_statusline.vim | 10 ++++++++++
44ca1a
 src/version.c                   |  2 ++
44ca1a
 3 files changed, 17 insertions(+), 5 deletions(-)
44ca1a
44ca1a
diff --git a/src/drawscreen.c b/src/drawscreen.c
44ca1a
index 82e53753b..e38ca9586 100644
44ca1a
--- a/src/drawscreen.c
44ca1a
+++ b/src/drawscreen.c
44ca1a
@@ -464,13 +464,13 @@ win_redr_status(win_T *wp, int ignore_pum UNUSED)
44ca1a
 	    *(p + len++) = ' ';
44ca1a
 	if (bt_help(wp->w_buffer))
44ca1a
 	{
44ca1a
-	    STRCPY(p + len, _("[Help]"));
44ca1a
+	    vim_snprintf((char *)p + len, MAXPATHL - len, "%s", _("[Help]"));
44ca1a
 	    len += (int)STRLEN(p + len);
44ca1a
 	}
44ca1a
 #ifdef FEAT_QUICKFIX
44ca1a
 	if (wp->w_p_pvw)
44ca1a
 	{
44ca1a
-	    STRCPY(p + len, _("[Preview]"));
44ca1a
+	    vim_snprintf((char *)p + len, MAXPATHL - len, "%s", _("[Preview]"));
44ca1a
 	    len += (int)STRLEN(p + len);
44ca1a
 	}
44ca1a
 #endif
44ca1a
@@ -480,12 +480,12 @@ win_redr_status(win_T *wp, int ignore_pum UNUSED)
44ca1a
 #endif
44ca1a
 		)
44ca1a
 	{
44ca1a
-	    STRCPY(p + len, "[+]");
44ca1a
-	    len += 3;
44ca1a
+	    vim_snprintf((char *)p + len, MAXPATHL - len, "%s", "[+]");
44ca1a
+	    len += (int)STRLEN(p + len);
44ca1a
 	}
44ca1a
 	if (wp->w_buffer->b_p_ro)
44ca1a
 	{
44ca1a
-	    STRCPY(p + len, _("[RO]"));
44ca1a
+	    vim_snprintf((char *)p + len, MAXPATHL - len, "%s", _("[RO]"));
44ca1a
 	    len += (int)STRLEN(p + len);
44ca1a
 	}
44ca1a
 
44ca1a
diff --git a/src/testdir/test_statusline.vim b/src/testdir/test_statusline.vim
44ca1a
index f3eea2e71..a952de69b 100644
44ca1a
--- a/src/testdir/test_statusline.vim
44ca1a
+++ b/src/testdir/test_statusline.vim
44ca1a
@@ -522,4 +522,14 @@ func Test_statusline_mbyte_fillchar()
44ca1a
   %bw!
44ca1a
 endfunc
44ca1a
 
44ca1a
+" Used to write beyond allocated memory.  This assumes MAXPATHL is 4096 bytes.
44ca1a
+func Test_statusline_verylong_filename()
44ca1a
+  let fname = repeat('x', 4090)
44ca1a
+  exe "new " .. fname
44ca1a
+  set buftype=help
44ca1a
+  set previewwindow
44ca1a
+  redraw
44ca1a
+  bwipe!
44ca1a
+endfunc
44ca1a
+
44ca1a
 " vim: shiftwidth=2 sts=2 expandtab
44ca1a
-- 
44ca1a
2.31.1
44ca1a