From a77670726e3706973adffc2b118f4576e1f58ea0 Mon Sep 17 00:00:00 2001
From: Yee Cheng Chin
Date: Sun, 16 Apr 2023 20:13:12 +0100
Subject: patch 9.0.1458: buffer overflow when expanding long file name

Problem: Buffer overflow when expanding long file name.
Solution: Use a larger buffer and avoid overflowing it. (Yee Cheng Chin, closes #12201)
---
 src/filepath.c | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)

(limited to 'src/filepath.c')

diff --git a/src/filepath.c b/src/filepath.c
index 57e9fb2957..79d4afb2e3 100644
--- a/src/filepath.c
+++ b/src/filepath.c
@@ -938,9 +938,9 @@ f_filewritable(typval_T *argvars, typval_T *rettv)
 
     static void
 findfilendir(
-    typval_T *argvars UNUSED,
+    typval_T *argvars,
     typval_T *rettv,
-    int find_what UNUSED)
+    int find_what)
 {
     char_u *fname;
     char_u *fresult = NULL;
@@ -3685,7 +3685,6 @@ unix_expandpath(
     int didstar) // expanded "**" once already
 {
     char_u *buf;
-    size_t buflen;
     char_u *path_end;
     char_u *p, *s, *e;
     int start_len = gap->ga_len;
@@ -3708,8 +3707,8 @@ unix_expandpath(
 return 0;
     }
 
-    // make room for file name
-    buflen = STRLEN(path) + BASENAMELEN + 5;
+    // make room for file name (a bit too much to stay on the safe side)
+    size_t buflen = STRLEN(path) + MAXPATHL;
     buf = alloc(buflen);
     if (buf == NULL)
 return 0;
@@ -3828,7 +3827,7 @@ unix_expandpath(
 || ((flags & EW_NOTWILD)
     && fnamencmp(path + (s - buf), dp->d_name, e - s) == 0)))
     {
-    STRCPY(s, dp->d_name);
+    vim_strncpy(s, (char_u *)dp->d_name, buflen - (s - buf) - 1);
 len = STRLEN(buf);
 
     if (starstar && stardepth < 100)
-- 
cgit v1.2.3
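Review bot: The new comment `// make room for file name (a bit too much to stay on the safe side)` above `size_t buflen = STRLEN(path) + MAXPATHL;` does not record what the extra MAXPATHL bytes have to cover, so the sizing cannot be audited against the appends that follow later in unix_expandpath (below this hunk), which as far as the visible lines show remain unbounded STRCPY calls into buf. Suggest replacing it with `// room for path, one directory entry name, "/**" and the rest of the pattern; relies on an entry name being much shorter than MAXPATHL` so the assumption the later copies depend on is explicit. As a point of style, the rest of this function declares its locals in the block at the top (the previous hunk removes `size_t buflen;` from exactly that list), so declaring buflen mid-body departs from the surrounding convention; keeping the declaration at the top and assigning here would match. unix_expandpath starts and ends outside the hunk.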
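Review bot: The bounded copy `vim_strncpy(s, (char_u *)dp->d_name, buflen - (s - buf) - 1);` truncates silently, so when an entry name does not fit the remaining space buf ends up holding a name that does not exist in the directory, and `len = STRLEN(buf)` plus the code after the hunk proceed to expand it as if it were a real match. Skipping the entry is safer than truncating: `if (STRLEN(dp->d_name) >= buflen - (s - buf)) continue;` before the copy, assuming this sits directly in the readdir loop body, which begins outside the hunk. With MAXPATHL folded into buflen this is presumably unreachable for ordinary filesystem name limits, so if truncation is accepted as harmless, a one-line comment stating that assumption next to the copy would be enough. The enclosing loop and function continue beyond the hunk in both directions.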