diff options
| author | zeertzjq <zeertzjq@outlook.com> | 2023-09-03 13:47:55 +0800 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2023-09-03 13:47:55 +0800 |
| commit | bebdf1dab345471222f6755c574d04596fea92fd (patch) | |
| tree | 844dd19dd408a76643dcdf6fa7cb569b63c3f148 /src/nvim/regexp.c | |
| parent | 0e11bf0e1af5b3422db49222ab739a64d233b353 (diff) | |
| download | rneovim-bebdf1dab345471222f6755c574d04596fea92fd.tar.gz rneovim-bebdf1dab345471222f6755c574d04596fea92fd.tar.bz2 rneovim-bebdf1dab345471222f6755c574d04596fea92fd.zip | |
vim-patch:9.0.1848: [security] buffer-overflow in vim_regsub_both() (#25001)
Problem: buffer-overflow in vim_regsub_both()
Solution: Check remaining space
https://github.com/vim/vim/commit/ced2c7394aafdc90fb7845e09b3a3fee23d48cb1
The change to do_sub() looks confusing. Maybe it's an overflow check?
Then the crash may not be applicable to Nvim because of different casts.
The test also looks confusing. It seems to source itself recursively.
Also don't call strlen() twice on evaluation result.
N/A patches for version.c:
vim-patch:9.0.1849: CI error on different signedness in ex_cmds.c
vim-patch:9.0.1853: CI error on different signedness in regexp.c
Co-authored-by: Christian Brabandt <cb@256bit.org>
Diffstat (limited to 'src/nvim/regexp.c')
| -rw-r--r-- | src/nvim/regexp.c | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/src/nvim/regexp.c b/src/nvim/regexp.c index d5d0f3346f..1d0a987780 100644 --- a/src/nvim/regexp.c +++ b/src/nvim/regexp.c @@ -1765,9 +1765,10 @@ static int vim_regsub_both(char *source, typval_T *expr, char *dest, int destlen // "flags & REGSUB_COPY" == 0 to the call with // "flags & REGSUB_COPY" != 0. if (copy) { - if (eval_result[nested] != NULL) { + size_t reslen = eval_result[nested] != NULL ? strlen(eval_result[nested]) : 0; + if (eval_result[nested] != NULL && reslen < (size_t)destlen) { STRCPY(dest, eval_result[nested]); - dst += strlen(eval_result[nested]); + dst += reslen; XFREE_CLEAR(eval_result[nested]); } } else { |