From 164bcaf5c944bfecf3b9bede1e77a52b748f2702 Mon Sep 17 00:00:00 2001
From: oni-link
Date: Sun, 17 Apr 2016 23:22:30 +0200
Subject: eval.c: Fix heap corruption error when constructing sourcing_name

A wrong format specifier and not enough allocated memory for sourcing_name could lead to a heap corruption.

Original patch by Rui Abreu Ferreira (@equalsraf)

Fixes #4582
---
 src/nvim/eval.c | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

(limited to 'src')

diff --git a/src/nvim/eval.c b/src/nvim/eval.c
index 51ef777095..0d6e3d3ca3 100644
--- a/src/nvim/eval.c
+++ b/src/nvim/eval.c
@@ -21038,15 +21038,22 @@ call_user_func (
   save_sourcing_name = sourcing_name;
   save_sourcing_lnum = sourcing_lnum;
   sourcing_lnum = 1;
-  // need space for function name + ("function " + 3) or "[number]"
+  // need space for new sourcing_name:
+  // * save_sourcing_name
+  // * "["number"].." or "function "
+  // * "" + fp->uf_name - 3
+  // * terminating NUL
   size_t len = (save_sourcing_name == NULL ? 0 : STRLEN(save_sourcing_name))
-               + STRLEN(fp->uf_name) + 20;
+               + STRLEN(fp->uf_name) + 27;
   sourcing_name = xmalloc(len);
   {
     if (save_sourcing_name != NULL
         && STRNCMP(save_sourcing_name, "function ", 9) == 0) {
-      vim_snprintf((char *)sourcing_name, len, "%s[%zu]..",
-                   save_sourcing_name, save_sourcing_lnum);
+      vim_snprintf((char *)sourcing_name,
+                   len,
+                   "%s[%" PRId64 "]..",
+                   save_sourcing_name,
+                   (int64_t)save_sourcing_lnum);
     } else {
       STRCPY(sourcing_name, "function ");
     }
-- 
cgit
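Review bot: The new bound `+ STRLEN(fp->uf_name) + 27` is hand-derived, so the next change to the number format or to the name expansion can silently reintroduce the overflow this commit fixes; the five comment bullets name the parts but the code never adds them up. Consider spelling the constant as its components so each term can be checked against the bullets, e.g. `enum { SOURCING_NAME_EXTRA = 1 + 20 + 3 + 2 + 1 };  // "[" + int64 digits with sign + "].." + name expansion growth + NUL` and then `+ STRLEN(fp->uf_name) + SOURCING_NAME_EXTRA;`. The third bullet appears here as `// * "" + fp->uf_name - 3` with an empty string literal, which reads like text lost in rendering rather than what the author wrote; worth confirming the comment is intact in the tree. The `(int64_t)` cast paired with `PRId64` is what makes the format match its argument, which is the undefined-behaviour half of the old `%zu` bug in addition to the undersized allocation. call_user_func continues outside the hunk, including the code that later appends fp->uf_name into this buffer, so the bound has to be read together with that code.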