patch 9.2.0186: heap buffer overflow with long generic function name

Problem: Using a long generic function name may cause a heap buffer overflow in common_function(). Solution: Allocate memory for the full name instead of using IObuff (Kaixuan Li). closes: #19727 Signed-off-by: Kaixuan Li <kaixuanli0131@gmail.com> Signed-off-by: Yegappan Lakshmanan <yegappan@yahoo.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
2026-05-28 00:21:37 +02:00 · 2026-03-17 19:07:53 +00:00
parent ed7c7fb225
commit f9bed026ac
3 changed files with 22 additions and 3 deletions
@@ -5436,9 +5436,13 @@ common_function(typval_T *argvars, typval_T *rettv, int is_funcref)
 	    else
 	    {
 		// generic function
-		STRCPY(IObuff, name);
-		STRCAT(IObuff, start_bracket);
-		rettv->vval.v_string = vim_strsave(IObuff);
+		size_t len = STRLEN(name) + STRLEN(start_bracket);
+		rettv->vval.v_string = alloc(len + 1);
+		if (rettv->vval.v_string != NULL)
+		{
+		    STRCPY(rettv->vval.v_string, name);
+		    STRCAT(rettv->vval.v_string, start_bracket);
+		}
 		vim_free(name);
 	    }
 	}
@@ -7689,6 +7689,19 @@ func Test_catch_pattern_trailing_chars()
  bw!
 endfunc

+" Test for long gerneric type name {{{1
+func Test_function_long_generic_name()
+  func TestFunc()
+    return
+  endfunc
+
+  let name = 'TestFunc<' .. repeat('T', 1100) .. '>'
+
+  call function(name)
+  call funcref(name)
+  delfunc TestFunc
+endfunc
+
 "-------------------------------------------------------------------------------
 " Modelines								    {{{1
 " vim: ts=8 sw=2 sts=2 expandtab tw=80 fdm=marker
@@ -734,6 +734,8 @@ static char *(features[]) =

 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    186,
 /**/
    185,
 /**/