author | oni-link <knil.ino@gmail.com> | 2016-04-17 23:22:30 +0200 |
---|---|---|
committer | oni-link <knil.ino@gmail.com> | 2016-04-17 23:31:47 +0200 |
commit | 164bcaf5c944bfecf3b9bede1e77a52b748f2702 (patch) | |
tree | 73e9bf9e1138c2af7e52e7720f737dbee1d57a63 | |
parent | 4043725991dd0f13031c0f6a2929722319425fef (diff) | |
eval.c: Fix heap corruption error when constructing sourcing_name
A wrong format specifier and not enough allocated memory for
sourcing_name could lead to a heap corruption.
Original patch by Rui Abreu Ferreira (@equalsraf)
Fixes #4582
-rw-r--r-- | src/nvim/eval.c | 15 |
1 files changed, 11 insertions, 4 deletions
diff --git a/src/nvim/eval.c b/src/nvim/eval.c
index 51ef777095..0d6e3d3ca3 100644
--- a/src/nvim/eval.c
+++ b/src/nvim/eval.c
@@ -21038,15 +21038,22 @@ call_user_func (
 save_sourcing_name = sourcing_name;
 save_sourcing_lnum = sourcing_lnum;
 sourcing_lnum = 1;
- // need space for function name + ("function " + 3) or "[number]"
+ // need space for new sourcing_name:
+ // * save_sourcing_name
+ // * "["number"].." or "function "
+ // * "<SNR>" + fp->uf_name - 3
+ // * terminating NUL
 size_t len = (save_sourcing_name == NULL ? 0 : STRLEN(save_sourcing_name))
- + STRLEN(fp->uf_name) + 20;
+ + STRLEN(fp->uf_name) + 27;
 sourcing_name = xmalloc(len);
 {
 if (save_sourcing_name != NULL
 && STRNCMP(save_sourcing_name, "function ", 9) == 0) {
- vim_snprintf((char *)sourcing_name, len, "%s[%zu]..",
- save_sourcing_name, save_sourcing_lnum);
+ vim_snprintf((char *)sourcing_name,
+ len,
+ "%s[%" PRId64 "]..",
+ save_sourcing_name,
+ (int64_t)save_sourcing_lnum);
 } else {
 STRCPY(sourcing_name, "function ");
 }
 |
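Review bot: The `+ 27` in the `len` computation is a hand-counted constant, and nothing in this hunk verifies that the finished string actually fits in `len`. The new comment names the parts but not their sizes; if I read it correctly, 27 is 24 bytes for `[` plus an int64 of up to 20 characters plus `]..`, 2 bytes for `<SNR>` replacing a 3-byte prefix in `fp->uf_name`, and 1 for the NUL, so I would spell that out, e.g. `// 27 = 24 ("[" + int64, max 20 chars + "]..") + 2 ("<SNR>" - 3) + 1 (NUL)`. The `vim_snprintf` call is bounded by `len`, but the function name is appended after the end of the hunk, which is not visible here; if that append is an unbounded copy, an `assert(STRLEN(sourcing_name) < len);` after it (or a bounded append) would catch the next miscount in testing instead of as heap corruption. call_user_func starts and ends outside this hunk.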