averello/vim-mirror
1
0
Fork 0
mirror of https://github.com/vim/vim.git synced 2026-05-28 00:21:37 +02:00
Code Issues Packages Projects Releases Wiki Activity

patch 9.2.0078: [security]: stack-buffer-overflow in build_stl_str_hl()

Browse Source 
Problem:  A stack-buffer-overflow occurs when rendering a statusline
          with a multi-byte fill character on a very wide terminal.
          The size check in build_stl_str_hl() uses the cell width
          rather than the byte length, allowing the subsequent fill
          loop to write beyond the 4096-byte MAXPATHL buffer
          (ehdgks0627, un3xploitable).
Solution: Update the size check to account for the byte length of
          the fill character (using MB_CHAR2LEN).

Github Advisory:
https://github.com/vim/vim/security/advisories/GHSA-gmqx-prf2-8mwf

Signed-off-by: Christian Brabandt <cb@256bit.org>
This commit is contained in:
Christian Brabandt
2026-02-24 20:29:20 +00:00
parent 65c1a143c3
commit 4e5b9e31cb
2 changed files with 4 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files
src/buffer.c
+2 -1
View File
@@ -5296,7 +5296,8 @@ build_stl_str_hl(
}
width = maxwidth;
}
else if (width < maxwidth && outputlen + maxwidth - width + 1 < outlen)
else if (width < maxwidth &&
outputlen + (maxwidth - width) * MB_CHAR2LEN(fillchar) + 1 < outlen)
{
// Find how many separators there are, which we will use when
// figuring out how many groups there are.
src/version.c
+2
View File
@@ -734,6 +734,8 @@ static char *(features[]) =
static int included_patches[] =
{ /* Add new patch number below this line */
/**/
78,
/**/
77,
/**/