Hi,
I just came across a possible buffer overflow in dosinst.c.
---- l 368 ----
static void
get_vim_env(void)
{
    char *vim;
    char buf[BUFSIZE];
    FILE *fd;
    char fname[BUFSIZE];

    /* First get $VIMRUNTIME. If it's set, remove the tail. */
    vim = getenv("VIMRUNTIME");
    if (vim != NULL && *vim != 0)
    {
        strcpy(buf, vim);   /* unbounded copy into a BUFSIZE-byte buffer */
---- l 380 ----
We can see that if the environment variable is longer than BUFSIZE, we are in a
typical case of buffer overflow.
We know that BUFSIZE is 512 and "the maximum size of a user-defined environment
variable is 32,767 characters"
(http://msdn.microsoft.com/en-us/library/windows/desktop/ms682653(v=vs.85).aspx).
This can only be "useful" if the install process is launched "as"
administrator, and the "evil" user has taken the time to set VIMRUNTIME accordingly.
I apologize, but I don't have any Windows VM, so I can't check if I'm wrong.
Regards,
Thomas.
--
You received this message from the "vim_dev" maillist.
Do not top-post! Type your reply below the text you are replying to.
For more information, visit http://www.vim.org/maillist.php
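The pattern the report describes, as an added example that is not Vim's code and not part of the original message: the unbounded strcpy() of an environment value into a BUFSIZE-byte stack buffer, beside a length-checked replacement that refuses values that would not fit. The "remove the tail" step (dropping the last path component) is an assumption about what the real function does next, the helper names are made up for this example, and the oversized value is constructed in memory rather than read from the environment.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUFSIZE 512

/* The pattern as reported: copies the value into a fixed-size buffer with no
 * length check.  A value of BUFSIZE bytes or more overruns buf.  Kept here
 * only for comparison; never call it with an untrusted value. */
static void get_vim_env_unsafe(char *buf, const char *vim)
{
    if (vim != NULL && *vim != 0)
        strcpy(buf, vim);   /* no bound: overflow if strlen(vim) >= BUFSIZE */
}

/* Length-checked version.  Returns 1 if the value was copied (with its tail
 * removed), 0 if it was absent, empty, or too long to fit; buf is then "".
 * The tail removal is an assumption about the real code's next step. */
static int get_vim_env_safe(char *buf, size_t bufsize, const char *vim)
{
    size_t len;
    char *p;

    buf[0] = '\0';
    if (vim == NULL || *vim == 0)
        return 0;
    len = strlen(vim);
    if (len >= bufsize)         /* would not fit together with the NUL */
        return 0;
    memcpy(buf, vim, len + 1);

    /* Remove the tail: drop the last path component, e.g.
     * "C:\Program Files\Vim\vim74" -> "C:\Program Files\Vim". */
    p = strrchr(buf, '\\');
    if (p == NULL)
        p = strrchr(buf, '/');
    if (p != NULL)
        *p = '\0';
    return 1;
}

/* Constructed hostile value: n bytes of 'A', standing in for an attacker's
 * oversized $VIMRUNTIME (Windows allows up to 32,767 characters). */
static char *make_hostile_value(size_t n)
{
    char *s = malloc(n + 1);
    if (s == NULL)
        return NULL;
    memset(s, 'A', n);
    s[n] = '\0';
    return s;
}

/* Runs the checks a reviewer would want: oversized value rejected, normal
 * value copied and trimmed, empty value rejected.  Returns 1 if all hold. */
static int demo_checks(void)
{
    char buf[BUFSIZE];
    int ok = 1;
    char *big = make_hostile_value(4096);   /* far larger than BUFSIZE */

    if (big == NULL)
        return 0;
    ok &= (get_vim_env_safe(buf, sizeof buf, big) == 0 && buf[0] == '\0');
    ok &= (get_vim_env_safe(buf, sizeof buf, "C:\\Program Files\\Vim\\vim74") == 1
           && strcmp(buf, "C:\\Program Files\\Vim") == 0);
    ok &= (get_vim_env_safe(buf, sizeof buf, "") == 0);
    ok &= (get_vim_env_safe(buf, sizeof buf, NULL) == 0);
    free(big);
    return ok;
}

int main(void)
{
    char buf[BUFSIZE];

    /* Only a short, fixed value goes through the unsafe variant. */
    get_vim_env_unsafe(buf, "C:\\Vim\\vim74");
    printf("unsafe copy of short value: %s\n", buf);
    printf("checks %s\n", demo_checks() ? "passed" : "FAILED");
    return demo_checks() ? 0 : 1;
}
```

The fix that matters is the `len >= bufsize` comparison before the copy; using `strncpy` alone would not be enough, since it does not guarantee NUL termination when the source is too long.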