patch 9.0.2142: [security]: stack-buffer-overflow in option callback functionsv9.0.2142

Problem: [security]: stack-buffer-overflow in option callback functions Solution: pass size of errbuf down the call stack, use snprintf() instead of sprintf() We pass the error buffer down to the option callback functions, but in some parts of the code, we simply use sprintf(buf) to write into the error buffer, which can overflow. So let's pass down the length of the error buffer and use sprintf(buf, size) instead. Reported by @henices, thanks! Signed-off-by: Christian Brabandt <cb@256bit.org>
author: Christian Brabandt <cb@256bit.org> 2023-11-29 11:34:05 +0100
committer: Christian Brabandt <cb@256bit.org> 2023-12-01 18:58:51 +0100
commit: b39b240c386a5a29241415541f1c99e2e6b8ce47 (patch)
tree: 25ac23d0f18efb91f00bc053d326fa8549e9d484 /src/map.c
parent: 0fb375aae608d7306b4baf9c1f906961f32e2abf (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/src/map.c b/src/map.c
index 5988445bd1..98785e722c 100644
--- a/src/map.c
+++ b/src/map.c
@@ -3114,7 +3114,7 @@ did_set_langmap(optset_T *args UNUSED)
 		    {
 			if (p[0] != ',')
 			{
-			    sprintf(args->os_errbuf,
+			    snprintf(args->os_errbuf, args->os_errbuflen,
 				    _(e_langmap_extra_characters_after_semicolon_str),
 				    p);
 			    return args->os_errbuf;
author	Christian Brabandt <cb@256bit.org>	2023-11-29 11:34:05 +0100
committer	Christian Brabandt <cb@256bit.org>	2023-12-01 18:58:51 +0100
commit	b39b240c386a5a29241415541f1c99e2e6b8ce47 (patch)
tree	25ac23d0f18efb91f00bc053d326fa8549e9d484 /src/map.c
parent	0fb375aae608d7306b4baf9c1f906961f32e2abf (diff)