diff options
| author | zeertzjq <zeertzjq@outlook.com> | 2023-12-02 10:10:25 +0800 |
|---|---|---|
| committer | zeertzjq <zeertzjq@outlook.com> | 2023-12-02 10:41:31 +0800 |
| commit | 9cc346119bee505e0be3827b35c573701a307001 (patch) | |
| tree | 90da4ca3281025b6dd94d02c03538b7d8ee2f234 /test/functional/legacy/messages_spec.lua | |
| parent | 01edcd6db85ab2abffa95bc4dce6cfb8de617bca (diff) | |
| download | rneovim-9cc346119bee505e0be3827b35c573701a307001.tar.gz rneovim-9cc346119bee505e0be3827b35c573701a307001.tar.bz2 rneovim-9cc346119bee505e0be3827b35c573701a307001.zip | |
vim-patch:9.0.2142: [security]: stack-buffer-overflow in option callback functions
Problem: [security]: stack-buffer-overflow in option callback functions
Solution: pass size of errbuf down the call stack, use snprintf()
instead of sprintf()
We pass the error buffer down to the option callback functions, but in
some parts of the code, we simply use sprintf(buf) to write into the error
buffer, which can overflow.
So let's pass down the length of the error buffer and use sprintf(buf, size)
instead.
Reported by @henices, thanks!
https://github.com/vim/vim/commit/b39b240c386a5a29241415541f1c99e2e6b8ce47
Co-authored-by: Christian Brabandt <cb@256bit.org>
Diffstat (limited to 'test/functional/legacy/messages_spec.lua')
| -rw-r--r-- | test/functional/legacy/messages_spec.lua | 5 |
1 files changed, 0 insertions, 5 deletions
diff --git a/test/functional/legacy/messages_spec.lua b/test/functional/legacy/messages_spec.lua index e0cc1dc79c..146b00acb0 100644 --- a/test/functional/legacy/messages_spec.lua +++ b/test/functional/legacy/messages_spec.lua @@ -801,9 +801,4 @@ describe('messages', function() ]]) os.remove('b.txt') end) - - it('no crash when truncating overlong message', function() - pcall(command, 'source test/old/testdir/crash/vim_msg_trunc_poc') - assert_alive() - end) end) |