authorglepnir <glephunter@gmail.com>2024-12-05 17:51:58 +0800
committerGitHub <noreply@github.com>2024-12-05 09:51:58 +0000
commit6a929b15c9e8ee3cada988e8393a9fd8c209db8b (patch)
treec7094cc7c644e21899ebce019736d86353297ba0 /test/functional/legacy/command_count_spec.lua
parent2f5e7cbac49ed2fde571c5bf85619afec624f8e8 (diff)
vim-patch:9.1.0903: potential overflow in spell_soundfold_wsal() (#31456)
Problem: potential overflow in spell_soundfold_wsal()
Solution: Protect wres from buffer overflow, by checking the length (Zdenek Dohnal)

Error: OVERRUN (CWE-119):
vim91/src/spell.c:3819: cond_const: Checking "reslen < 254" implies that "reslen" is 254 on the false branch.
vim91/src/spell.c:3833: incr: Incrementing "reslen". The value of "reslen" is now 255.
vim91/src/spell.c:3792: overrun-local: Overrunning array "wres" of 254 4-byte elements at element index 254 (byte offset 1019) using index "reslen - 1" (which evaluates to 254).
3789| {
3790| // rule with '<' is used
3791|-> if (reslen > 0 && ws != NULL && *ws != NUL
3792| && (wres[reslen - 1] == c
3793| || wres[reslen - 1] == *ws))

Error: OVERRUN (CWE-119):
vim91/src/spell.c:3819: cond_const: Checking "reslen < 254" implies that "reslen" is 254 on the false branch.
vim91/src/spell.c:3833: overrun-local: Overrunning array "wres" of 254 4-byte elements at element index 254 (byte offset 1019) using index "reslen++" (which evaluates to 254).
3831| {
3832| if (c != NUL)
3833|-> wres[reslen++] = c;
3834| mch_memmove(word, word + i + 1,
3835| sizeof(int) * (wordlen - (i + 1) + 1));

related: vim/vim#16163

https://github.com/vim/vim/commit/39a94d20487794aeb722c21e84f8816e217f0cfe

Co-authored-by: Zdenek Dohnal <zdohnal@redhat.com>
Diffstat (limited to 'test/functional/legacy/command_count_spec.lua')
0 files changed, 0 insertions, 0 deletions