diff options
| author | glepnir <glephunter@gmail.com> | 2024-12-05 17:51:58 +0800 | 
|---|---|---|
| committer | GitHub <noreply@github.com> | 2024-12-05 09:51:58 +0000 | 
| commit | 6a929b15c9e8ee3cada988e8393a9fd8c209db8b (patch) | |
| tree | c7094cc7c644e21899ebce019736d86353297ba0 /test/functional/legacy/eval_spec.lua | |
| parent | 2f5e7cbac49ed2fde571c5bf85619afec624f8e8 (diff) | |
| download | rneovim-6a929b15c9e8ee3cada988e8393a9fd8c209db8b.tar.gz rneovim-6a929b15c9e8ee3cada988e8393a9fd8c209db8b.tar.bz2 rneovim-6a929b15c9e8ee3cada988e8393a9fd8c209db8b.zip | |
vim-patch:9.1.0903: potential overflow in spell_soundfold_wsal() (#31456)
Problem:  potential overflow in spell_soundfold_wsal()
Solution: Protect wres from buffer overflow, by checking the
          length (Zdenek Dohnal)
Error: OVERRUN (CWE-119):
vim91/src/spell.c:3819: cond_const: Checking "reslen < 254" implies that
"reslen" is 254 on the false branch.
vim91/src/spell.c:3833: incr: Incrementing "reslen". The value of "reslen"
is now 255.
vim91/src/spell.c:3792: overrun-local: Overrunning array "wres" of 254
4-byte elements at element index 254 (byte offset 1019) using index
"reslen - 1" (which evaluates to 254).
 3789|   		    {
 3790|   			// rule with '<' is used
 3791|-> 			if (reslen > 0 && ws != NULL && *ws != NUL
 3792|   				&& (wres[reslen - 1] == c
 3793|   						    || wres[reslen - 1] == *ws))
Error: OVERRUN (CWE-119):
vim91/src/spell.c:3819: cond_const: Checking "reslen < 254" implies that
"reslen" is 254 on the false branch.
vim91/src/spell.c:3833: overrun-local: Overrunning array "wres" of 254
4-byte elements at element index 254 (byte offset 1019) using index
"reslen++" (which evaluates to 254).
 3831|                         {
 3832|                             if (c != NUL)
 3833|->                               wres[reslen++] = c;
 3834|                             mch_memmove(word, word + i + 1,
 3835|                                        sizeof(int) * (wordlen -
(i + 1) + 1));
related: vim/vim#16163
https://github.com/vim/vim/commit/39a94d20487794aeb722c21e84f8816e217f0cfe
Co-authored-by: Zdenek Dohnal <zdohnal@redhat.com>
Diffstat (limited to 'test/functional/legacy/eval_spec.lua')
0 files changed, 0 insertions, 0 deletions
