author | Devon Gardner <devon@goosur.com> | 2024-10-05 14:18:00 +0000 |
---|---|---|
committer | GitHub <noreply@github.com> | 2024-10-05 07:18:00 -0700 |
commit | ff7832ad3fce55671ac4032716164ada0350b0ec | |
tree | 958f6d73001c67f67552ad138698ff3844b9dcfd | |
parent | 988482d9422b40e86225935326127063d881b090 | |
fix(coverity/497355): shada_read_when_writing out of bounds read #30665
Problem:
There appears to be an intentional array out of bounds read when
indexing global and numbered marks since they are adjacent in the struct
that holds them.
Solution:
Explicitly index numeric marks array to avoid reading out of bounds from
global marks array.
-rw-r--r-- | src/nvim/shada.c | 9 |
1 files changed, 7 insertions, 2 deletions
diff --git a/src/nvim/shada.c b/src/nvim/shada.c index 6b8770e22d..1ea9f214fb 100644 --- a/src/nvim/shada.c +++ b/src/nvim/shada.c @@ -1886,13 +1886,18 @@ static inline ShaDaWriteResult shada_read_when_writing(FileDescriptor *const sd_ shada_free_shada_entry(&entry); break; } - if (wms->global_marks[idx].data.type == kSDItemMissing) { + + // Global or numbered mark. + PossiblyFreedShadaEntry *mark + = idx < 26 ? &wms->global_marks[idx] : &wms->numbered_marks[idx]; + + if (mark->data.type == kSDItemMissing) { if (namedfm[idx].fmark.timestamp >= entry.timestamp) { shada_free_shada_entry(&entry); break; } } - COMPARE_WITH_ENTRY(&wms->global_marks[idx], entry); + COMPARE_WITH_ENTRY(mark, entry); } break; case kSDItemChange: |
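Review bot: In the numbered-mark branch of the new ternary, `idx` is used unchanged, so `&wms->numbered_marks[idx]` is only reached when `idx >= 26` and indexes that array at 26 or higher. If `numbered_marks` holds just the numbered marks, which is what the commit message's description of two adjacent arrays implies, this is still an out-of-bounds read, now past the end of `numbered_marks` instead of `global_marks`; rebase the index, e.g. `&wms->numbered_marks[idx - 26]`. The bare `26` would also read better as a named constant or a size derived from `global_marks`, and since `namedfm[idx]` on the following line keeps the combined index, a short comment saying that is intended would help the next reader.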