mirror of
https://github.com/vim/vim.git
synced 2026-05-28 00:21:37 +02:00
patch 9.2.0014: unsafe string functions may lead to buffer overflows
Problem: Unsafe string functions may lead to buffer overflows
Solution: Use vim_strncpy() instead of strcpy(), replace sprintf() by
vim_snprintf() (Yasuhiro Matsumoto)
closes: #19412
Signed-off-by: Yasuhiro Matsumoto <mattn.jp@gmail.com>
Signed-off-by: Christian Brabandt <cb@256bit.org>
committed by
Christian Brabandt
parent
c4b8783970
commit
46e3978f73
+2
-2
@@ -3136,8 +3136,8 @@ vwl_data_source_listener_event_send(
if (is_vimenc)
{
string[0] = (char_u)motion_type;
// strcpy copies the NUL terminator too
strcpy((char *)string + 1, (char *)p_enc);
// Use vim_strncpy for safer copying
vim_strncpy(string + 1, p_enc, STRLEN(p_enc));
}
else if (is_vim)
string[0] = (char_u)motion_type;
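Review bot: The bound in `vim_strncpy(string + 1, p_enc, STRLEN(p_enc))` is the source length, so the call writes exactly the bytes `strcpy()` wrote and the new comment "safer copying" overstates what changed. A bound protects the destination only when it is derived from the destination: the third argument should be the space remaining in `string` after the first byte, minus one for the NUL that vim_strncpy() appends (how `string` is sized is outside this hunk). The same source-length pattern is used in the three `cs_insert_filelist` calls; there the visible `alloc(strlen(fname)+1)` makes the copy correct, but the replacement has no effect on safety. The enclosing function starts and ends outside the hunk.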
+2
-2
@@ -2174,8 +2174,8 @@ init_homedir(void)
if (homedrive != NULL
&& strlen(homedrive) + strlen(homepath) < sizeof(buf))
{
snprintf(buf, sizeof(buf), "%s%s", homedrive, homepath);
if (buf[0] != NUL)
if (snprintf(buf, sizeof(buf), "%s%s", homedrive, homepath) > 0
&& buf[0] != NUL)
var = buf;
}
}
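Review bot: The added `snprintf(...) > 0` test does not detect truncation, which is the failure that matters for a path buffer; it only rejects an error or an empty result, and the empty case is already covered by `buf[0] != NUL`. Truncation is excluded here solely by the `strlen(homedrive) + strlen(homepath) < sizeof(buf)` guard above it. If the return value is going to be checked, comparing it against the buffer size states the intent, e.g. `n = snprintf(buf, sizeof(buf), "%s%s", homedrive, homepath);` followed by `if (n > 0 && (size_t)n < sizeof(buf))` (`n` is a local introduced for illustration). The enclosing function extends beyond the hunk.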
+1
-1
@@ -6560,7 +6560,7 @@ f_getregtype(typval_T *argvars, typval_T *rettv)
case MCHAR: buf[0] = 'v'; break;
case MBLOCK:
buf[0] = Ctrl_V;
sprintf((char *)buf + 1, "%ld", reglen + 1);
vim_snprintf((char *)buf + 1, NUMBUFLEN + 1, "%ld", reglen + 1);
break;
}
rettv->vval.v_string = vim_strsave(buf);
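Review bot: The size argument `NUMBUFLEN + 1` in the `MBLOCK` case is a hand-computed constant that is correct only if `buf` is declared with at least `NUMBUFLEN + 2` bytes, and that declaration is outside this hunk. Deriving the limit from the array keeps the two from drifting apart: `vim_snprintf((char *)buf + 1, sizeof(buf) - 1, "%ld", reglen + 1);` (valid only if `buf` is an array in this scope rather than a pointer). A short comment such as `// buf[0] is the type char, the block width follows` would also explain the `+ 1` offset to the next reader.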
+3
-3
@@ -1457,7 +1457,7 @@ cs_insert_filelist(
if ((csinfo[i].fname = alloc(strlen(fname)+1)) == NULL)
return -1;
(void)strcpy(csinfo[i].fname, (const char *)fname);
vim_strncpy((char_u *)csinfo[i].fname, (char_u *)fname, strlen((const char *)fname));
if (ppath != NULL)
{
@@ -1466,7 +1466,7 @@ cs_insert_filelist(
VIM_CLEAR(csinfo[i].fname);
return -1;
}
(void)strcpy(csinfo[i].ppath, (const char *)ppath);
vim_strncpy((char_u *)csinfo[i].ppath, (char_u *)ppath, strlen((const char *)ppath));
}
else
csinfo[i].ppath = NULL;
@@ -1479,7 +1479,7 @@ cs_insert_filelist(
VIM_CLEAR(csinfo[i].ppath);
return -1;
}
(void)strcpy(csinfo[i].flags, (const char *)flags);
vim_strncpy((char_u *)csinfo[i].flags, (char_u *)flags, strlen((const char *)flags));
}
else
csinfo[i].flags = NULL;
+1
-1
@@ -2321,7 +2321,7 @@ special_keys(char_u *args)
if (strlen(tok) + i < KEYBUFLEN)
{
strcpy(&keybuf[i], tok);
vim_strncpy((char_u *)&keybuf[i], (char_u *)tok, KEYBUFLEN - i - 1);
vim_snprintf(cmdbuf, sizeof(cmdbuf),
"<silent><%s> :nbkey %s<CR>", keybuf, keybuf);
do_map(MAPTYPE_MAP, (char_u *)cmdbuf, MODE_NORMAL, FALSE);
+4
-4
@@ -1656,11 +1656,11 @@ clear_showcmd(void)
p_sbr = saved_sbr;
curwin->w_p_sbr = saved_w_sbr;
#endif
sprintf((char *)showcmd_buf, "%ldx%ld", lines,
vim_snprintf((char *)showcmd_buf, SHOWCMD_BUFLEN, "%ldx%ld", lines,
(long)(rightcol - leftcol + 1));
}
else if (VIsual_mode == 'V' || VIsual.lnum != curwin->w_cursor.lnum)
sprintf((char *)showcmd_buf, "%ld", lines);
vim_snprintf((char *)showcmd_buf, SHOWCMD_BUFLEN, "%ld", lines);
else
{
char_u *s, *e;
@@ -1692,9 +1692,9 @@ clear_showcmd(void)
s += l;
}
if (bytes == chars)
sprintf((char *)showcmd_buf, "%d", chars);
vim_snprintf((char *)showcmd_buf, SHOWCMD_BUFLEN, "%d", chars);
else
sprintf((char *)showcmd_buf, "%d-%d", chars, bytes);
vim_snprintf((char *)showcmd_buf, SHOWCMD_BUFLEN, "%d-%d", chars, bytes);
}
showcmd_buf[SHOWCMD_COLS] = NUL; // truncate
showcmd_visual = TRUE;
@@ -375,8 +375,8 @@ mch_openpty(char **ttyn)
static char PtyName[32];
static char TtyName[32];
strcpy(PtyName, PtyProto);
strcpy(TtyName, TtyProto);
vim_strncpy((char_u *)PtyName, (char_u *)PtyProto, sizeof(PtyName) - 1);
vim_strncpy((char_u *)TtyName, (char_u *)TtyProto, sizeof(TtyName) - 1);
for (p = PtyName; *p != 'X'; p++)
;
for (q = TtyName; *q != 'X'; q++)
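Review bot: Now that the copies into `PtyName` and `TtyName` are bounded, a prototype longer than 31 bytes is silently truncated, and the scans that follow (`for (p = PtyName; *p != 'X'; p++)`) have no NUL check, so a truncated name without an 'X' would be read past the end of the array. `PtyProto` and `TtyProto` are presumably short compile-time strings, which makes this a defensive point rather than a reachable one. The loops should still stop at the terminator: `for (p = PtyName; *p != NUL && *p != 'X'; p++)`, and the same for `q`. The function continues outside the hunk, so the code that uses `p` and `q` after the scan would need a matching check.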
+2
-2
@@ -104,7 +104,7 @@ tgetent(
nexttmp = _find(tmp, ":|"); // Rhialto
if (tmp+tlen == nexttmp && _match(tmp, term) == tlen)
{
strcpy(tbuf, tmp);
vim_strncpy(tbuf, tmp, TBUFSZ - 1);
tent = tbuf;
return 1;
}
@@ -115,7 +115,7 @@ tgetent(
}
if (!(termcap = mch_fopen(tcap, "r")))
{
strcpy(tbuf, tcap);
vim_strncpy(tbuf, tcap, TBUFSZ - 1);
return -1;
}
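Review bot: Both `vim_strncpy(tbuf, ...)` calls in `tgetent` pass their arguments without the `(char_u *)` casts used in every other hunk of this commit; if `tbuf`, `tmp` and `tcap` are `char *` (their declarations are outside the hunks), this introduces pointer-signedness warnings. The bound `TBUFSZ - 1` also assumes every caller supplies a `tbuf` of at least `TBUFSZ` bytes, which cannot be confirmed from here, and an over-long entry or file name is now cut short with no indication to the caller. Suggested form: `vim_strncpy((char_u *)tbuf, (char_u *)tmp, TBUFSZ - 1);`, plus a comment on the function stating that `tbuf` must hold `TBUFSZ` bytes.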
@@ -734,6 +734,8 @@ static char *(features[]) =
static int included_patches[] =
{ /* Add new patch number below this line */
/**/
14,
/**/
13,
/**/