Blob Blame History Raw
To: vim_dev@googlegroups.com
Subject: Patch 7.3.160
Fcc: outbox
From: Bram Moolenaar <Bram@moolenaar.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
------------

Patch 7.3.160
Problem:    Unsafe string copying.
Solution:   Use vim_strncpy() instead of strcpy().  Use vim_strcat() instead
	    of strcat().
Files:	    src/buffer.c, src/ex_docmd.c, src/hardcopy.c, src/menu.c,
	    src/misc1.c, src/misc2.c, src/proto/misc2.pro, src/netbeans.c,
	    src/os_unix.c, src/spell.c, src/syntax.c, src/tag.c

*** ../vim-7.3.159/src/buffer.c	2011-02-15 14:24:42.000000000 +0100
--- src/buffer.c	2011-04-11 16:08:38.000000000 +0200
***************
*** 3176,3182 ****
  	    /* format: "fname + (path) (1 of 2) - VIM" */
  
  	    if (curbuf->b_fname == NULL)
! 		STRCPY(buf, _("[No Name]"));
  	    else
  	    {
  		p = transstr(gettail(curbuf->b_fname));
--- 3176,3182 ----
  	    /* format: "fname + (path) (1 of 2) - VIM" */
  
  	    if (curbuf->b_fname == NULL)
! 		vim_strncpy(buf, (char_u *)_("[No Name]"), IOSIZE - 100);
  	    else
  	    {
  		p = transstr(gettail(curbuf->b_fname));
***************
*** 3232,3238 ****
  	    if (serverName != NULL)
  	    {
  		STRCAT(buf, " - ");
! 		STRCAT(buf, serverName);
  	    }
  	    else
  #endif
--- 3232,3238 ----
  	    if (serverName != NULL)
  	    {
  		STRCAT(buf, " - ");
! 		vim_strcat(buf, serverName, IOSIZE);
  	    }
  	    else
  #endif
*** ../vim-7.3.159/src/ex_docmd.c	2011-03-03 15:54:45.000000000 +0100
--- src/ex_docmd.c	2011-04-11 15:43:48.000000000 +0200
***************
*** 5096,5102 ****
  		char_u	buff[IOSIZE];
  
  		if (n == 1)
! 		    STRCPY(buff, _("1 more file to edit.  Quit anyway?"));
  		else
  		    vim_snprintf((char *)buff, IOSIZE,
  			      _("%d more files to edit.  Quit anyway?"), n);
--- 5096,5104 ----
  		char_u	buff[IOSIZE];
  
  		if (n == 1)
! 		    vim_strncpy(buff,
! 			    (char_u *)_("1 more file to edit.  Quit anyway?"),
! 								  IOSIZE - 1);
  		else
  		    vim_snprintf((char *)buff, IOSIZE,
  			      _("%d more files to edit.  Quit anyway?"), n);
*** ../vim-7.3.159/src/hardcopy.c	2010-08-15 21:57:25.000000000 +0200
--- src/hardcopy.c	2011-04-11 15:30:09.000000000 +0200
***************
*** 1761,1772 ****
  {
      char_u	buffer[MAXPATHL + 1];
  
!     STRCPY(resource->name, name);
      /* Look for named resource file in runtimepath */
      STRCPY(buffer, "print");
      add_pathsep(buffer);
!     STRCAT(buffer, name);
!     STRCAT(buffer, ".ps");
      resource->filename[0] = NUL;
      return (do_in_runtimepath(buffer, FALSE, prt_resource_name,
  							   resource->filename)
--- 1761,1772 ----
  {
      char_u	buffer[MAXPATHL + 1];
  
!     vim_strncpy(resource->name, (char_u *)name, 63);
      /* Look for named resource file in runtimepath */
      STRCPY(buffer, "print");
      add_pathsep(buffer);
!     vim_strcat(buffer, (char_u *)name, MAXPATHL);
!     vim_strcat(buffer, (char_u *)".ps", MAXPATHL);
      resource->filename[0] = NUL;
      return (do_in_runtimepath(buffer, FALSE, prt_resource_name,
  							   resource->filename)
*** ../vim-7.3.159/src/menu.c	2011-01-04 17:49:25.000000000 +0100
--- src/menu.c	2011-04-11 15:17:21.000000000 +0200
***************
*** 1394,1400 ****
      int		idx;
  {
      static vimmenu_T	*menu = NULL;
!     static char_u	tbuffer[256]; /*hack*/
      char_u		*str;
  #ifdef FEAT_MULTI_LANG
      static  int		should_advance = FALSE;
--- 1394,1401 ----
      int		idx;
  {
      static vimmenu_T	*menu = NULL;
! #define TBUFFER_LEN 256
!     static char_u	tbuffer[TBUFFER_LEN]; /*hack*/
      char_u		*str;
  #ifdef FEAT_MULTI_LANG
      static  int		should_advance = FALSE;
***************
*** 1428,1438 ****
  	{
  #ifdef FEAT_MULTI_LANG
  	    if (should_advance)
! 		STRCPY(tbuffer, menu->en_dname);
  	    else
  	    {
  #endif
! 		STRCPY(tbuffer, menu->dname);
  #ifdef FEAT_MULTI_LANG
  		if (menu->en_dname == NULL)
  		    should_advance = TRUE;
--- 1429,1439 ----
  	{
  #ifdef FEAT_MULTI_LANG
  	    if (should_advance)
! 		vim_strncpy(tbuffer, menu->en_dname, TBUFFER_LEN - 2);
  	    else
  	    {
  #endif
! 		vim_strncpy(tbuffer, menu->dname,  TBUFFER_LEN - 2);
  #ifdef FEAT_MULTI_LANG
  		if (menu->en_dname == NULL)
  		    should_advance = TRUE;
*** ../vim-7.3.159/src/misc1.c	2011-04-11 14:27:34.000000000 +0200
--- src/misc1.c	2011-04-11 16:03:22.000000000 +0200
***************
*** 3332,3350 ****
  	if (pn == 1)
  	{
  	    if (n > 0)
! 		STRCPY(msg_buf, _("1 more line"));
  	    else
! 		STRCPY(msg_buf, _("1 line less"));
  	}
  	else
  	{
  	    if (n > 0)
! 		sprintf((char *)msg_buf, _("%ld more lines"), pn);
  	    else
! 		sprintf((char *)msg_buf, _("%ld fewer lines"), pn);
  	}
  	if (got_int)
! 	    STRCAT(msg_buf, _(" (Interrupted)"));
  	if (msg(msg_buf))
  	{
  	    set_keep_msg(msg_buf, 0);
--- 3332,3354 ----
  	if (pn == 1)
  	{
  	    if (n > 0)
! 		vim_strncpy(msg_buf, (char_u *)_("1 more line"),
! 							     MSG_BUF_LEN - 1);
  	    else
! 		vim_strncpy(msg_buf, (char_u *)_("1 line less"),
! 							     MSG_BUF_LEN - 1);
  	}
  	else
  	{
  	    if (n > 0)
! 		vim_snprintf((char *)msg_buf, MSG_BUF_LEN,
! 						     _("%ld more lines"), pn);
  	    else
! 		vim_snprintf((char *)msg_buf, MSG_BUF_LEN,
! 						    _("%ld fewer lines"), pn);
  	}
  	if (got_int)
! 	    vim_strcat(msg_buf, (char_u *)_(" (Interrupted)"), MSG_BUF_LEN);
  	if (msg(msg_buf))
  	{
  	    set_keep_msg(msg_buf, 0);
*** ../vim-7.3.159/src/misc2.c	2010-12-08 13:11:15.000000000 +0100
--- src/misc2.c	2011-04-11 15:30:20.000000000 +0200
***************
*** 1647,1652 ****
--- 1647,1674 ----
  }
  
  /*
+  * Like strcat(), but make sure the result fits in "tosize" bytes and is
+  * always NUL terminated.
+  */
+     void
+ vim_strcat(to, from, tosize)
+     char_u	*to;
+     char_u	*from;
+     size_t	tosize;
+ {
+     size_t tolen = STRLEN(to);
+     size_t fromlen = STRLEN(from);
+ 
+     if (tolen + fromlen + 1 > tosize)
+     {
+ 	mch_memmove(to + tolen, from, tosize - tolen - 1);
+ 	to[tosize - 1] = NUL;
+     }
+     else
+ 	STRCPY(to + tolen, from);
+ }
+ 
+ /*
   * Isolate one part of a string option where parts are separated with
   * "sep_chars".
   * The part is copied into "buf[maxlen]".
*** ../vim-7.3.159/src/proto/misc2.pro	2010-08-15 21:57:28.000000000 +0200
--- src/proto/misc2.pro	2011-04-11 15:29:55.000000000 +0200
***************
*** 40,45 ****
--- 40,46 ----
  void copy_chars __ARGS((char_u *ptr, size_t count, int c));
  void del_trailing_spaces __ARGS((char_u *ptr));
  void vim_strncpy __ARGS((char_u *to, char_u *from, size_t len));
+ void vim_strcat __ARGS((char_u *to, char_u *from, size_t tosize));
  int copy_option_part __ARGS((char_u **option, char_u *buf, int maxlen, char *sep_chars));
  void vim_free __ARGS((void *x));
  int vim_stricmp __ARGS((char *s1, char *s2));
*** ../vim-7.3.159/src/netbeans.c	2011-04-01 15:33:54.000000000 +0200
--- src/netbeans.c	2011-04-11 16:02:51.000000000 +0200
***************
*** 3914,3927 ****
      }
      else
      {
! 	char_u ebuf[BUFSIZ];
  
! 	STRCPY(ebuf, (char_u *)_("E505: "));
! 	STRCAT(ebuf, IObuff);
! 	STRCAT(ebuf, (char_u *)_("is read-only (add ! to override)"));
! 	STRCPY(IObuff, ebuf);
! 	nbdebug(("    %s\n", ebuf ));
! 	emsg(IObuff);
      }
  }
  
--- 3914,3925 ----
      }
      else
      {
! 	char_u msgbuf[IOSIZE];
  
! 	vim_snprintf((char *)msgbuf, IOSIZE,
! 		_("E505: %s is read-only (add ! to override)"), IObuff);
! 	nbdebug(("    %s\n", msgbuf));
! 	emsg(msgbuf);
      }
  }
  
*** ../vim-7.3.159/src/os_unix.c	2011-02-15 17:39:14.000000000 +0100
--- src/os_unix.c	2011-04-11 16:39:11.000000000 +0200
***************
*** 5725,5730 ****
--- 5725,5731 ----
  	if (shell_style == STYLE_PRINT && !did_find_nul)
  	{
  	    /* If there is a NUL, set did_find_nul, else set check_spaces */
+ 	    buffer[len] = NUL;
  	    if (len && (int)STRLEN(buffer) < (int)len - 1)
  		did_find_nul = TRUE;
  	    else
***************
*** 6594,6600 ****
  	    xterm_hints.x = 2;
  	return TRUE;
      }
!     if (mouse_code == NULL)
      {
  	xterm_trace = 0;
  	return FALSE;
--- 6595,6601 ----
  	    xterm_hints.x = 2;
  	return TRUE;
      }
!     if (mouse_code == NULL || STRLEN(mouse_code) > 45)
      {
  	xterm_trace = 0;
  	return FALSE;
*** ../vim-7.3.159/src/spell.c	2011-02-01 13:59:44.000000000 +0100
--- src/spell.c	2011-04-11 15:50:40.000000000 +0200
***************
*** 6957,6963 ****
  			    if (ae->ae_add == NULL)
  				*newword = NUL;
  			    else
! 				STRCPY(newword, ae->ae_add);
  			    p = word;
  			    if (ae->ae_chop != NULL)
  			    {
--- 6957,6963 ----
  			    if (ae->ae_add == NULL)
  				*newword = NUL;
  			    else
! 				vim_strncpy(newword, ae->ae_add, MAXWLEN - 1);
  			    p = word;
  			    if (ae->ae_chop != NULL)
  			    {
***************
*** 6978,6984 ****
  			else
  			{
  			    /* suffix: chop/add at the end of the word */
! 			    STRCPY(newword, word);
  			    if (ae->ae_chop != NULL)
  			    {
  				/* Remove chop string. */
--- 6978,6984 ----
  			else
  			{
  			    /* suffix: chop/add at the end of the word */
! 			    vim_strncpy(newword, word, MAXWLEN - 1);
  			    if (ae->ae_chop != NULL)
  			    {
  				/* Remove chop string. */
***************
*** 8654,8660 ****
       * Write the .sug file.
       * Make the file name by changing ".spl" to ".sug".
       */
!     STRCPY(fname, wfname);
      len = (int)STRLEN(fname);
      fname[len - 2] = 'u';
      fname[len - 1] = 'g';
--- 8654,8660 ----
       * Write the .sug file.
       * Make the file name by changing ".spl" to ".sug".
       */
!     vim_strncpy(fname, wfname, MAXPATHL - 1);
      len = (int)STRLEN(fname);
      fname[len - 2] = 'u';
      fname[len - 1] = 'g';
***************
*** 10261,10267 ****
  
  	    /* The suggested word may replace only part of the bad word, add
  	     * the not replaced part. */
! 	    STRCPY(wcopy, stp->st_word);
  	    if (sug.su_badlen > stp->st_orglen)
  		vim_strncpy(wcopy + stp->st_wordlen,
  					       sug.su_badptr + stp->st_orglen,
--- 10261,10267 ----
  
  	    /* The suggested word may replace only part of the bad word, add
  	     * the not replaced part. */
! 	    vim_strncpy(wcopy, stp->st_word, MAXWLEN);
  	    if (sug.su_badlen > stp->st_orglen)
  		vim_strncpy(wcopy + stp->st_wordlen,
  					       sug.su_badptr + stp->st_orglen,
***************
*** 13162,13168 ****
  	pbad = badsound2;
      }
  
!     if (lendiff > 0)
      {
  	/* Add part of the bad word to the good word, so that we soundfold
  	 * what replaces the bad word. */
--- 13162,13168 ----
  	pbad = badsound2;
      }
  
!     if (lendiff > 0 && stp->st_wordlen + lendiff < MAXWLEN)
      {
  	/* Add part of the bad word to the good word, so that we soundfold
  	 * what replaces the bad word. */
***************
*** 13875,13881 ****
      for (i = gap->ga_len - 1; i >= 0; --i)
      {
  	/* Need to append what follows to check for "the the". */
! 	STRCPY(longword, stp[i].st_word);
  	len = stp[i].st_wordlen;
  	vim_strncpy(longword + len, su->su_badptr + stp[i].st_orglen,
  							       MAXWLEN - len);
--- 13875,13881 ----
      for (i = gap->ga_len - 1; i >= 0; --i)
      {
  	/* Need to append what follows to check for "the the". */
! 	vim_strncpy(longword, stp[i].st_word, MAXWLEN);
  	len = stp[i].st_wordlen;
  	vim_strncpy(longword + len, su->su_badptr + stp[i].st_orglen,
  							       MAXWLEN - len);
***************
*** 14221,14227 ****
  	*t = NUL;
      }
      else
! 	STRCPY(word, s);
  
      smp = (salitem_T *)slang->sl_sal.ga_data;
  
--- 14221,14227 ----
  	*t = NUL;
      }
      else
! 	vim_strncpy(word, s, MAXWLEN - 1);
  
      smp = (salitem_T *)slang->sl_sal.ga_data;
  
*** ../vim-7.3.159/src/syntax.c	2011-04-02 15:12:45.000000000 +0200
--- src/syntax.c	2011-04-11 15:44:30.000000000 +0200
***************
*** 8576,8583 ****
  		if (iarg & hl_attr_table[i])
  		{
  		    if (buf[0] != NUL)
! 			STRCAT(buf, ",");
! 		    STRCAT(buf, hl_name_table[i]);
  		    iarg &= ~hl_attr_table[i];	    /* don't want "inverse" */
  		}
  	    }
--- 8576,8583 ----
  		if (iarg & hl_attr_table[i])
  		{
  		    if (buf[0] != NUL)
! 			vim_strcat(buf, (char_u *)",", 100);
! 		    vim_strcat(buf, (char_u *)hl_name_table[i], 100);
  		    iarg &= ~hl_attr_table[i];	    /* don't want "inverse" */
  		}
  	    }
*** ../vim-7.3.159/src/tag.c	2011-02-25 15:13:43.000000000 +0100
--- src/tag.c	2011-04-11 15:34:59.000000000 +0200
***************
*** 806,812 ****
  		    p = tag_full_fname(&tagp);
  		    if (p == NULL)
  			continue;
! 		    STRCPY(fname, p);
  		    vim_free(p);
  
  		    /*
--- 806,812 ----
  		    p = tag_full_fname(&tagp);
  		    if (p == NULL)
  			continue;
! 		    vim_strncpy(fname, p, MAXPATHL);
  		    vim_free(p);
  
  		    /*
*** ../vim-7.3.159/src/version.c	2011-04-11 14:29:13.000000000 +0200
--- src/version.c	2011-04-11 16:50:53.000000000 +0200
***************
*** 716,717 ****
--- 716,719 ----
  {   /* Add new patch number below this line */
+ /**/
+     160,
  /**/

-- 
If someone questions your market projections, simply point out that your
target market is "People who are nuts" and "People who will buy any damn
thing".  Nobody is going to tell you there aren't enough of those people
to go around.
				(Scott Adams - The Dilbert principle)

 /// Bram Moolenaar -- Bram@Moolenaar.net -- http://www.Moolenaar.net   \\\
///        sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\
\\\  an exciting new programming language -- http://www.Zimbu.org        ///
 \\\            help me help AIDS victims -- http://ICCF-Holland.org    ///