Ken Takata wrote:
> After 7.4.016, expand() crashes with a very long string on 32-bit Windows.
> E.g.:
>
> :set enc=utf-8
> :set wildignore=*.foo
> :call expand(repeat('a', 398)) " Crash!
>
>
> Here is a patch:
>
> --- a/src/os_win32.c
> +++ b/src/os_win32.c
> @@ -2778,9 +2778,10 @@ fname_case(
> if (p != NULL)
> {
> char_u *q;
> - WCHAR buf[_MAX_PATH + 2];
> -
> - wcscpy(buf, p);
> + WCHAR buf[_MAX_PATH + 1];
> +
> + wcsncpy(buf, p, _MAX_PATH);
> + buf[_MAX_PATH] = L'\0';
> vim_free(p);
>
> if (fname_casew(buf, (len > 0) ? _MAX_PATH : 0) == OK)
>
>
> Buffer overflow occurs because of wcscpy(). I should have used wcsncpy() to
> check the buffer size. I also changed the size of buf from _MAX_PATH + 2 to
> _MAX_PATH + 1. I think _MAX_PATH + 1 is enough.
Thanks!
--
A computer without Windows is like a fish without a bicycle.
/// Bram Moolenaar -- [email protected] -- http://www.Moolenaar.net \\\
/// sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\
\\\ an exciting new programming language -- http://www.Zimbu.org ///
\\\ help me help AIDS victims -- http://ICCF-Holland.org ///
--
--
You received this message from the "vim_dev" maillist.
Do not top-post! Type your reply below the text you are replying to.
For more information, visit http://www.vim.org/maillist.php
---
You received this message because you are subscribed to the Google Groups
"vim_dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/d/optout.
