averello/vim-mirror
1
0
Fork 0
mirror of https://github.com/vim/vim.git synced 2026-05-28 00:21:37 +02:00
Code Issues Packages Projects Releases Wiki Activity

patch 9.2.0131: potential buffer overflow in regdump()

Browse Source 
Problem:  Potential buffer overflow in regdump()
Solution: Add the size to the compiled regular expression and ensure we
          don't read over the limit.

Note: this is not a security issue, because regdump() is typically not
compiled in any version of Vim, so should not affect anybody.

supported by AI claude.

Signed-off-by: Christian Brabandt <cb@256bit.org>
This commit is contained in:
Christian Brabandt
2026-03-08 19:18:28 +00:00
parent 49b8d9903b
commit 9360647715
3 changed files with 20 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files
src/regexp.h
+3
View File
@@ -73,6 +73,9 @@ typedef struct
char_u reganch;
char_u *regmust;
int regmlen;
#ifdef DEBUG
int regsz;
#endif
#ifdef FEAT_SYN_HL
char_u reghasz;
#endif
src/regexp_bt.c
+15 -4
View File
@@ -2497,6 +2497,9 @@ bt_regcomp(char_u *expr, int re_flags)
if (r == NULL)
return NULL;
r->re_in_use = FALSE;
#ifdef DEBUG
r->regsz = regsize;
#endif
// Second pass: emit code.
regcomp_start(expr, re_flags);
@@ -5200,11 +5203,11 @@ regdump(char_u *pattern, bt_regprog_T *r)
s = r->program + 1;
// Loop until we find the END that isn't before a referred next (an END
// can also appear in a NOMATCH operand).
while (op != END || s <= end)
while ((op != END || s <= end) && s < r->program + r->regsz)
{
op = OP(s);
fprintf(f, "%2d%s", (int)(s - r->program), regprop(s)); // Where, what.
next = regnext(s);
next = (s + 3 <= r->program + r->regsz) ? regnext(s) : NULL;
if (next == NULL) // Next ptr.
fprintf(f, "(0)");
else
@@ -5230,14 +5233,22 @@ regdump(char_u *pattern, bt_regprog_T *r)
s += 5;
}
s += 3;
if (op == MULTIBYTECODE)
{
fprintf(f, " mbc=%d", utf_ptr2char(s));
s += utfc_ptr2len(s);
}
if (op == ANYOF || op == ANYOF + ADD_NL
|| op == ANYBUT || op == ANYBUT + ADD_NL
|| op == EXACTLY)
{
// Literal string, where present.
fprintf(f, "\nxxxxxxxxx\n");
while (*s != NUL)
fprintf(f, "%c", *s++);
while (*s != NUL && s < r->program + r->regsz)
{
fprintf(f, "%c", *s);
s += utfc_ptr2len(s); // advance by full char including combining
}
fprintf(f, "\nxxxxxxxxx\n");
s++;
}
src/version.c
+2
View File
@@ -734,6 +734,8 @@ static char *(features[]) =
static int included_patches[] =
{ /* Add new patch number below this line */
/**/
131,
/**/
130,
/**/