authorDevon Gardner <devon@goosur.com>2024-10-05 14:18:00 +0000
committerGitHub <noreply@github.com>2024-10-05 07:18:00 -0700
commitff7832ad3fce55671ac4032716164ada0350b0ec (patch)
tree958f6d73001c67f67552ad138698ff3844b9dcfd /src/nvim/shada.c
parent988482d9422b40e86225935326127063d881b090 (diff)
fix(coverity/497355): shada_read_when_writing out of bounds read #30665
Problem: There appears to be an intentional array out of bounds read when indexing global and numbered marks since they are adjacent in the struct that holds them. Solution: Explicitly index numeric marks array to avoid reading out of bounds from global marks array.
Diffstat (limited to 'src/nvim/shada.c')
-rw-r--r--src/nvim/shada.c9
1 files changed, 7 insertions, 2 deletions
diff --git a/src/nvim/shada.c b/src/nvim/shada.c
index 6b8770e22d..1ea9f214fb 100644
--- a/src/nvim/shada.c
+++ b/src/nvim/shada.c
@@ -1886,13 +1886,18 @@ static inline ShaDaWriteResult shada_read_when_writing(FileDescriptor *const sd_
shada_free_shada_entry(&entry);
break;
}
- if (wms->global_marks[idx].data.type == kSDItemMissing) {
+
+ // Global or numbered mark.
+ PossiblyFreedShadaEntry *mark
+ = idx < 26 ? &wms->global_marks[idx] : &wms->numbered_marks[idx];
+
+ if (mark->data.type == kSDItemMissing) {
if (namedfm[idx].fmark.timestamp >= entry.timestamp) {
shada_free_shada_entry(&entry);
break;
}
}
- COMPARE_WITH_ENTRY(&wms->global_marks[idx], entry);
+ COMPARE_WITH_ENTRY(mark, entry);
}
break;
case kSDItemChange:
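Review bot: In the added ternary, the numbered-mark arm `&wms->numbered_marks[idx]` still uses the combined index, so for `idx >= 26` it addresses an element 26 slots past the intended one. The commit description says the two arrays are adjacent and that the old `global_marks[idx]` read relied on that, so the new arm most likely reads (and, if `COMPARE_WITH_ENTRY` stores through `mark`, writes) beyond the end of `numbered_marks`, which is a wider out-of-bounds access than the one being fixed. The arm should rebase the index: `= idx < 26 ? &wms->global_marks[idx] : &wms->numbered_marks[idx - 26];`. The array sizes and the range check on `idx` are outside this hunk, so confirm both against the struct definition. Consider replacing the literal `26` with the project's constant for the global-mark count, so the split cannot drift from the array size.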