Hi,
After 7.4.016, expand() crashes with a very long string on 32-bit Windows.
E.g.:
:set enc=utf-8
:set wildignore=*.foo
:call expand(repeat('a', 398)) " Crash!
Here is a patch:
--- a/src/os_win32.c
+++ b/src/os_win32.c
@@ -2778,9 +2778,10 @@ fname_case(
if (p != NULL)
{
char_u *q;
- WCHAR buf[_MAX_PATH + 2];
-
- wcscpy(buf, p);
+ WCHAR buf[_MAX_PATH + 1];
+
+ wcsncpy(buf, p, _MAX_PATH);
+ buf[_MAX_PATH] = L'\0';
vim_free(p);
if (fname_casew(buf, (len > 0) ? _MAX_PATH : 0) == OK)
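Review bot: wcsncpy(buf, p, _MAX_PATH) silently truncates any path longer than _MAX_PATH, and the truncated buf is then passed to fname_casew() as if it were the complete name. Consider checking wcslen(p) against _MAX_PATH before the copy and skipping the case fix-up when the name does not fit, so a cut-off path is never processed. Shrinking buf to _MAX_PATH + 1 is also only safe if fname_casew() writes at most _MAX_PATH characters plus the terminator when called with a length of _MAX_PATH; a short comment stating that assumption next to the declaration would help.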
A buffer overflow occurs because of wcscpy(). I should have used wcsncpy() to
check the buffer size. I also changed the size of buf from _MAX_PATH + 2 to
_MAX_PATH + 1. I think _MAX_PATH + 1 is enough.
Regards,
Ken Takata