vim-patch:9.0.1847: [security] potential oob write in do_addsub()

Problem: potential oob write in do_addsub() Solution: don't overflow buf2, check size in for loop() https://github.com/vim/vim/commit/889f6af37164775192e33b233a90e86fd3df0f57 Co-authored-by: Christian Brabandt <cb@256bit.org>
author: zeertzjq <zeertzjq@outlook.com> 2023-09-03 09:14:45 +0800
committer: zeertzjq <zeertzjq@outlook.com> 2023-09-03 09:16:27 +0800
commit: 15298e79269e95899b9812c78af19f954b3bcba6 (patch)
tree: 4acf57e7a0c466c11e34d2c9dd9603dffa82ffb6
parent: b55010a539c37efcce10b08ee38df9dd4b4d9fb7 (diff)
download: rneovim-15298e79269e95899b9812c78af19f954b3bcba6.tar.gz
rneovim-15298e79269e95899b9812c78af19f954b3bcba6.tar.bz2
rneovim-15298e79269e95899b9812c78af19f954b3bcba6.zip
1 files changed, 1 insertions, 1 deletions
diff --git a/src/nvim/ops.c b/src/nvim/ops.c
index 8270641256..96deae228f 100644
--- a/src/nvim/ops.c
+++ b/src/nvim/ops.c
@@ -4770,7 +4770,7 @@ int do_addsub(int op_type, pos_T *pos, int length, linenr_T Prenum1)
         }
       }
 
-      while (bits > 0) {
+      while (bits > 0 && i < NUMBUFLEN - 1) {
         buf2[i++] = ((n >> --bits) & 0x1) ? '1' : '0';
       }
author	zeertzjq <zeertzjq@outlook.com>	2023-09-03 09:14:45 +0800
committer	zeertzjq <zeertzjq@outlook.com>	2023-09-03 09:16:27 +0800
commit	15298e79269e95899b9812c78af19f954b3bcba6 (patch)
tree	4acf57e7a0c466c11e34d2c9dd9603dffa82ffb6
parent	b55010a539c37efcce10b08ee38df9dd4b4d9fb7 (diff)
download	rneovim-15298e79269e95899b9812c78af19f954b3bcba6.tar.gz rneovim-15298e79269e95899b9812c78af19f954b3bcba6.tar.bz2 rneovim-15298e79269e95899b9812c78af19f954b3bcba6.zip