diff options
author | Christian Brabandt <cb@256bit.org> | 2023-11-29 11:34:05 +0100 |
---|---|---|
committer | Christian Brabandt <cb@256bit.org> | 2023-12-01 18:58:51 +0100 |
commit | b39b240c386a5a29241415541f1c99e2e6b8ce47 (patch) | |
tree | 25ac23d0f18efb91f00bc053d326fa8549e9d484 /src/map.c | |
parent | 0fb375aae608d7306b4baf9c1f906961f32e2abf (diff) |
patch 9.0.2142: [security]: stack-buffer-overflow in option callback functionsv9.0.2142
Problem: [security]: stack-buffer-overflow in option callback functions
Solution: pass size of errbuf down the call stack, use snprintf()
instead of sprintf()
We pass the error buffer down to the option callback functions, but in
some parts of the code, we simply use sprintf(buf) to write into the error
buffer, which can overflow.
So let's pass down the length of the error buffer and use sprintf(buf, size)
instead.
Reported by @henices, thanks!
Signed-off-by: Christian Brabandt <cb@256bit.org>
Diffstat (limited to 'src/map.c')
-rw-r--r-- | src/map.c | 2 |
1 files changed, 1 insertions, 1 deletions
@@ -3114,7 +3114,7 @@ did_set_langmap(optset_T *args UNUSED) { if (p[0] != ',') { - sprintf(args->os_errbuf, + snprintf(args->os_errbuf, args->os_errbuflen, _(e_langmap_extra_characters_after_semicolon_str), p); return args->os_errbuf; |