patch 9.0.1848: [security] buffer-overflow in vim_regsub_both()v9.0.1848

Problem: buffer-overflow in vim_regsub_both() Solution: Check remaining space Signed-off-by: Christian Brabandt <cb@256bit.org>
author: Christian Brabandt <cb@256bit.org> 2023-09-02 21:15:52 +0200
committer: Christian Brabandt <cb@256bit.org> 2023-09-02 21:37:04 +0200
commit: ced2c7394aafdc90fb7845e09b3a3fee23d48cb1 (patch)
tree: 9576ca9f0aa1d127ed8d06821375b6d2de50fd5a /src/ex_cmds.c
parent: 889f6af37164775192e33b233a90e86fd3df0f57 (diff)
1 files changed, 3 insertions, 0 deletions
diff --git a/src/ex_cmds.c b/src/ex_cmds.c
index c30b6fddf2..53c7bb5a37 100644
--- a/src/ex_cmds.c
+++ b/src/ex_cmds.c
@@ -4651,6 +4651,9 @@ ex_substitute(exarg_T *eap)
 		mch_memmove(new_end, sub_firstline + copycol, (size_t)copy_len);
 		new_end += copy_len;
 
+		if (new_start_len - copy_len < sublen)
+		    sublen = new_start_len - copy_len - 1;
+
 #ifdef FEAT_EVAL
 		++textlock;
 #endif
author	Christian Brabandt <cb@256bit.org>	2023-09-02 21:15:52 +0200
committer	Christian Brabandt <cb@256bit.org>	2023-09-02 21:37:04 +0200
commit	ced2c7394aafdc90fb7845e09b3a3fee23d48cb1 (patch)
tree	9576ca9f0aa1d127ed8d06821375b6d2de50fd5a /src/ex_cmds.c
parent	889f6af37164775192e33b233a90e86fd3df0f57 (diff)