Thomas Gwae wrote:
> I just came across a possible buffer overflow in dosinst.c.
>
> ---- l 368 ----
> static void
> get_vim_env(void)
> {
>     char *vim;
>     char buf[BUFSIZE];
>     FILE *fd;
>     char fname[BUFSIZE];
>
>     /* First get $VIMRUNTIME. If it's set, remove the tail. */
>     vim = getenv("VIMRUNTIME");
>     if (vim != NULL && *vim != 0)
>     {
>         strcpy(buf, vim);
> ---- l 380 ----
>
> We can see that if the environment variable is longer than BUFSIZE, we are in
> a typical case of buffer overflow.
>
> We know that BUFSIZE is 512 and "the maximum size of a user-defined
> environment variable is 32,767 characters"
> (http://msdn.microsoft.com/en-us/library/windows/desktop/ms682653(v=vs.85).aspx).
>
> This can only be "useful" if the install process is launched "as"
> administrator, and the "evil" user took the time to set VIMRUNTIME in
> adequacy.
>
> I apologize, but I don't have any Windows VM, so I can't check if I'm wrong.
I'll add a note in the todo list. If an attacker manages to set your
VIMRUNTIME environment variable it may already be too late. But we can
fix it anyway.
--
Yesterday, all my deadlines seemed so far away
now it looks as though it's freeze in four days
oh I believe in cvs..
[ CVS log "Beatles style" for FreeBSD ports/INDEX, Satoshi Asami ]
/// Bram Moolenaar -- [email protected] -- http://www.Moolenaar.net \\\
/// sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\
\\\ an exciting new programming language -- http://www.Zimbu.org ///
\\\ help me help AIDS victims -- http://ICCF-Holland.org ///
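The bounded copy that Bram says can be added anyway, as an added example written for this thread; it is neither the dosinst.c code Thomas quotes nor Vim's eventual fix. BUFSIZE is the 512 the thread mentions; copy_env_value(), get_vim_env_checked() and the demo_* self-checks are names assumed here, and the sample paths are constructed. The point it shows is the check a practitioner wants at that strcpy: measure the value first, refuse anything that does not fit (terminating NUL included) rather than truncating it into a half-path, and leave the destination untouched on failure so the caller can take the same path it takes when the variable is unset.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUFSIZE 512   /* the buffer size the thread reports for dosinst.c */

/* Copy an environment value into a fixed-size buffer only when it fits,
 * terminating NUL included.  Returns 1 on success; 0 when the value is
 * NULL or empty (the existing "is it set?" test) or would not fit.  On
 * failure nothing is written to buf, so the caller can fall back to the
 * unset-variable path instead of working on a truncated string. */
int copy_env_value(const char *value, char *buf, size_t bufsize)
{
    size_t len;

    if (value == NULL || *value == 0 || bufsize == 0)
        return 0;
    len = strlen(value);
    if (len >= bufsize)          /* len == bufsize - 1 is the longest that fits */
        return 0;
    memcpy(buf, value, len + 1); /* + 1 copies the terminating NUL */
    return 1;
}

/* Bounded counterpart of the quoted get_vim_env() entry: read $VIMRUNTIME
 * and copy it into buf, refusing oversized values instead of overflowing.
 * Returns 1 when buf holds the value, 0 when it is unset or too long.
 * Windows allows a variable of up to 32,767 characters, so the value
 * can legitimately be far larger than BUFSIZE. */
int get_vim_env_checked(char *buf, size_t bufsize)
{
    const char *vim = getenv("VIMRUNTIME");

    if (copy_env_value(vim, buf, bufsize))
        return 1;
    if (vim != NULL && *vim != 0)
        fprintf(stderr, "VIMRUNTIME is longer than %u bytes, ignoring it\n",
                (unsigned)(bufsize - 1));
    return 0;
}

/* Self-checks on constructed inputs (not values from the thread). */
int demo_fits(void)
{
    char buf[BUFSIZE];
    const char *path = "C:\\Program Files\\Vim\\vim74";   /* constructed */

    return copy_env_value(path, buf, sizeof(buf)) == 1 && strcmp(buf, path) == 0;
}

int demo_oversized_rejected(void)
{
    char buf[BUFSIZE];
    char big[BUFSIZE + 100];     /* 611 non-NUL bytes: well past BUFSIZE */

    memset(big, 'A', sizeof(big) - 1);
    big[sizeof(big) - 1] = 0;
    memset(buf, 0, sizeof(buf));
    /* rejected, and buf is left untouched */
    return copy_env_value(big, buf, sizeof(buf)) == 0 && buf[0] == 0;
}

int demo_boundary(void)
{
    char buf[BUFSIZE];
    char exact[BUFSIZE + 1];     /* BUFSIZE non-NUL bytes: no room for the NUL */

    memset(exact, 'B', BUFSIZE);
    exact[BUFSIZE] = 0;
    if (copy_env_value(exact, buf, sizeof(buf)) != 0)
        return 0;                /* must be rejected */
    exact[BUFSIZE - 1] = 0;      /* now BUFSIZE - 1 bytes: the longest that fits */
    return copy_env_value(exact, buf, sizeof(buf)) == 1
        && strlen(buf) == BUFSIZE - 1;
}

int main(void)
{
    char buf[BUFSIZE];

    printf("fits: %d  oversized rejected: %d  boundary: %d\n",
           demo_fits(), demo_oversized_rejected(), demo_boundary());
    if (get_vim_env_checked(buf, sizeof(buf)))
        printf("VIMRUNTIME = %s\n", buf);
    else
        printf("VIMRUNTIME unset or too long; using the fallback path\n");
    return 0;
}
```

Rejecting rather than truncating is deliberate: a silently shortened $VIMRUNTIME would send the installer off to the wrong directory, whereas treating an oversized value as unset keeps the behaviour the quoted code already has for a missing variable.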
--
You received this message from the "vim_dev" maillist.
Do not top-post! Type your reply below the text you are replying to.
For more information, visit http://www.vim.org/maillist.php