vim-patch:8.2.4895: buffer overflow with invalid command with composing chars

Problem: Buffer overflow with invalid command with composing chars. Solution: Check that the whole character fits in the buffer. https://github.com/vim/vim/commit/d88934406c5375d88f8f1b65331c9f0cab68cc6c
author: zeertzjq <zeertzjq@outlook.com> 2022-06-24 06:25:34 +0800
committer: zeertzjq <zeertzjq@outlook.com> 2022-06-24 07:26:06 +0800
commit: 0cf0be302beb3029d245814eca427f4a4ebd2f67 (patch)
tree: 696dd4495dc7a9b5172f1549325264067c97d9df /src/nvim/ex_docmd.c
parent: 764dc7c383235950c153a133d399523e2bbffed4 (diff)
download: rneovim-0cf0be302beb3029d245814eca427f4a4ebd2f67.tar.gz
rneovim-0cf0be302beb3029d245814eca427f4a4ebd2f67.tar.bz2
rneovim-0cf0be302beb3029d245814eca427f4a4ebd2f67.zip
1 files changed, 3 insertions, 1 deletions
diff --git a/src/nvim/ex_docmd.c b/src/nvim/ex_docmd.c
index 53a05ccc04..671e83def6 100644
--- a/src/nvim/ex_docmd.c
+++ b/src/nvim/ex_docmd.c
@@ -2892,11 +2892,13 @@ static void append_command(char *cmd)
 
   STRCAT(IObuff, ": ");
   d = (char *)IObuff + STRLEN(IObuff);
-  while (*s != NUL && (char_u *)d - IObuff < IOSIZE - 7) {
+  while (*s != NUL && (char_u *)d - IObuff + 5 < IOSIZE) {
     if ((char_u)s[0] == 0xc2 && (char_u)s[1] == 0xa0) {
       s += 2;
       STRCPY(d, "<a0>");
       d += 4;
+    } else if ((char_u *)d - IObuff + utfc_ptr2len(s) + 1 >= IOSIZE) {
+      break;
     } else {
       mb_copy_char((const char_u **)&s, (char_u **)&d);
     }
author	zeertzjq <zeertzjq@outlook.com>	2022-06-24 06:25:34 +0800
committer	zeertzjq <zeertzjq@outlook.com>	2022-06-24 07:26:06 +0800
commit	0cf0be302beb3029d245814eca427f4a4ebd2f67 (patch)
tree	696dd4495dc7a9b5172f1549325264067c97d9df /src/nvim/ex_docmd.c
parent	764dc7c383235950c153a133d399523e2bbffed4 (diff)
download	rneovim-0cf0be302beb3029d245814eca427f4a4ebd2f67.tar.gz rneovim-0cf0be302beb3029d245814eca427f4a4ebd2f67.tar.bz2 rneovim-0cf0be302beb3029d245814eca427f4a4ebd2f67.zip