diff options
author | Christian Brabandt <cb@256bit.org> | 2023-09-02 21:15:52 +0200 |
---|---|---|
committer | Christian Brabandt <cb@256bit.org> | 2023-09-02 21:37:04 +0200 |
commit | ced2c7394aafdc90fb7845e09b3a3fee23d48cb1 (patch) | |
tree | 9576ca9f0aa1d127ed8d06821375b6d2de50fd5a /src/ex_cmds.c | |
parent | 889f6af37164775192e33b233a90e86fd3df0f57 (diff) |
patch 9.0.1848: [security] buffer-overflow in vim_regsub_both()v9.0.1848
Problem: buffer-overflow in vim_regsub_both()
Solution: Check remaining space
Signed-off-by: Christian Brabandt <cb@256bit.org>
Diffstat (limited to 'src/ex_cmds.c')
-rw-r--r-- | src/ex_cmds.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/src/ex_cmds.c b/src/ex_cmds.c index c30b6fddf2..53c7bb5a37 100644 --- a/src/ex_cmds.c +++ b/src/ex_cmds.c @@ -4651,6 +4651,9 @@ ex_substitute(exarg_T *eap) mch_memmove(new_end, sub_firstline + copycol, (size_t)copy_len); new_end += copy_len; + if (new_start_len - copy_len < sublen) + sublen = new_start_len - copy_len - 1; + #ifdef FEAT_EVAL ++textlock; #endif |