diff options
author | Bram Moolenaar <Bram@vim.org> | 2022-05-16 12:37:36 +0100 |
---|---|---|
committer | Bram Moolenaar <Bram@vim.org> | 2022-05-16 12:37:36 +0100 |
commit | 386c24cd262edac66a31add2fd989c96c4c2c952 (patch) | |
tree | 65e1393becad8ecdf5cbc5e7c043edd40221d1fc | |
parent | 5a8fad32ea9c075f045b37d6c7739891d458f82b (diff) |
patch 8.2.4963: expanding path with "/**" may overrun end of bufferv8.2.4963
Problem: Expanding path with "/**" may overrun end of buffer.
Solution: Use vim_snprintf().
-rw-r--r-- | src/filepath.c | 10 | ||||
-rw-r--r-- | src/version.c | 2 |
2 files changed, 8 insertions, 4 deletions
diff --git a/src/filepath.c b/src/filepath.c index 56a99e40d7..3f7825ceda 100644 --- a/src/filepath.c +++ b/src/filepath.c @@ -3589,6 +3589,7 @@ unix_expandpath( int didstar) // expanded "**" once already { char_u *buf; + size_t buflen; char_u *path_end; char_u *p, *s, *e; int start_len = gap->ga_len; @@ -3612,7 +3613,8 @@ unix_expandpath( } // make room for file name - buf = alloc(STRLEN(path) + BASENAMELEN + 5); + buflen = STRLEN(path) + BASENAMELEN + 5; + buf = alloc(buflen); if (buf == NULL) return 0; @@ -3737,14 +3739,14 @@ unix_expandpath( { // For "**" in the pattern first go deeper in the tree to // find matches. - STRCPY(buf + len, "/**"); - STRCPY(buf + len + 3, path_end); + vim_snprintf((char *)buf + len, buflen - len, + "/**%s", path_end); ++stardepth; (void)unix_expandpath(gap, buf, len + 1, flags, TRUE); --stardepth; } - STRCPY(buf + len, path_end); + vim_snprintf((char *)buf + len, buflen - len, "%s", path_end); if (mch_has_exp_wildcard(path_end)) // handle more wildcards { // need to expand another component of the path diff --git a/src/version.c b/src/version.c index 1a33a7398e..fddf7d909a 100644 --- a/src/version.c +++ b/src/version.c @@ -747,6 +747,8 @@ static char *(features[]) = static int included_patches[] = { /* Add new patch number below this line */ /**/ + 4963, +/**/ 4962, /**/ 4961, |