Patch 8.1.0976
Problem:    Dosinstall still has buffer overflow problems.
Solution:   Adjust buffer sizes. (Yasuhiro Matsumoto, closes #4002)
Files:      src/dosinst.c, src/dosinst.h, src/uninstal.c


*** ../vim-8.1.0975/src/dosinst.c       2019-02-18 22:19:29.124186022 +0100
--- src/dosinst.c       2019-02-22 19:37:38.442404717 +0100
***************
*** 388,394 ****
  
      /* First get $VIMRUNTIME.  If it's set, remove the tail. */
      vim = getenv("VIMRUNTIME");
!     if (vim != NULL && *vim != 0 && strlen(vim) < BUFSIZE)
      {
        strcpy(buf, vim);
        remove_tail(buf);
--- 388,394 ----
  
      /* First get $VIMRUNTIME.  If it's set, remove the tail. */
      vim = getenv("VIMRUNTIME");
!     if (vim != NULL && *vim != 0 && strlen(vim) < sizeof(buf))
      {
        strcpy(buf, vim);
        remove_tail(buf);
***************
*** 411,417 ****
  
      /* NSIS also uses GetTempPath(), thus we should get the same directory
       * name as where NSIS will look for vimini.ini. */
!     GetTempPath(BUFSIZE, fname);
      add_pathsep(fname);
      strcat(fname, "vimini.ini");
  
--- 411,417 ----
  
      /* NSIS also uses GetTempPath(), thus we should get the same directory
       * name as where NSIS will look for vimini.ini. */
!     GetTempPath(sizeof(fname) - 12, fname);
      add_pathsep(fname);
      strcat(fname, "vimini.ini");
  
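Review bot: The return value of `GetTempPath()` is still ignored, so when the call fails or the temp path does not fit, `add_pathsep(fname)` and `strcat(fname, "vimini.ini")` run on a buffer whose contents are not defined. GetTempPath returns 0 on failure and the required length when the buffer is too small, so a check such as `len = GetTempPath(sizeof(fname) - 12, fname); if (len == 0 || len > sizeof(fname) - 12)` with an error path before the append would close that gap. The literal 12 presumably reserves room for a path separator, "vimini.ini" and the NUL; writing it as `sizeof("\\vimini.ini")` or adding a short comment would make that visible. The declaration of `fname` and the rest of the function are outside the hunk.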
***************
*** 456,462 ****
      static int
  run_silent_uninstall(char *uninst_exe)
  {
!     char    vimrt_dir[MAX_PATH];
      char    temp_uninst[BUFSIZE];
      char    temp_dir[MAX_PATH];
      char    buf[BUFSIZE * 2 + 10];
--- 456,462 ----
      static int
  run_silent_uninstall(char *uninst_exe)
  {
!     char    vimrt_dir[BUFSIZE];
      char    temp_uninst[BUFSIZE];
      char    temp_dir[MAX_PATH];
      char    buf[BUFSIZE * 2 + 10];
***************
*** 506,512 ****
      char      *uninstall_key = 
"software\\Microsoft\\Windows\\CurrentVersion\\Uninstall";
      char      subkey_name_buff[BUFSIZE];
      char      temp_string_buffer[BUFSIZE-2];
!     DWORD     local_bufsize = BUFSIZE;
      FILETIME  temp_pfiletime;
      DWORD     key_index;
      char      input;
--- 506,512 ----
      char      *uninstall_key = 
"software\\Microsoft\\Windows\\CurrentVersion\\Uninstall";
      char      subkey_name_buff[BUFSIZE];
      char      temp_string_buffer[BUFSIZE-2];
!     DWORD     local_bufsize;
      FILETIME  temp_pfiletime;
      DWORD     key_index;
      char      input;
***************
*** 521,532 ****
                                     KEY_WOW64_64KEY | KEY_READ, &key_handle);
      CHECK_REG_ERROR(code);
  
!     for (key_index = 0;
!        RegEnumKeyEx(key_handle, key_index, subkey_name_buff, &local_bufsize,
!               NULL, NULL, NULL, &temp_pfiletime) != ERROR_NO_MORE_ITEMS;
!           key_index++)
      {
!       local_bufsize = BUFSIZE;
        if (strncmp("Vim", subkey_name_buff, 3) == 0)
        {
            /* Open the key named Vim* */
--- 521,534 ----
                                     KEY_WOW64_64KEY | KEY_READ, &key_handle);
      CHECK_REG_ERROR(code);
  
!     key_index = 0;
!     while (TRUE)
      {
!       local_bufsize = sizeof(subkey_name_buff);
!       if (RegEnumKeyEx(key_handle, key_index, subkey_name_buff, 
&local_bufsize,
!               NULL, NULL, NULL, &temp_pfiletime) == ERROR_NO_MORE_ITEMS)
!           break;
! 
        if (strncmp("Vim", subkey_name_buff, 3) == 0)
        {
            /* Open the key named Vim* */
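Review bot: The rewritten loop leaves only on `ERROR_NO_MORE_ITEMS`, so any other error code from `RegEnumKeyEx()` falls through to the `strncmp("Vim", subkey_name_buff, 3)` test with whatever the buffer held from the previous iteration. Storing the result and testing it, e.g. `code = RegEnumKeyEx(...); if (code == ERROR_NO_MORE_ITEMS) break;` followed by `if (code == ERROR_SUCCESS && strncmp("Vim", subkey_name_buff, 3) == 0)`, keeps stale names out of the match. A call that keeps failing with a different code would also never end the loop, so an exit on repeated failure is worth considering. Because `key_index++` now sits at the bottom of the body (added in the hunk at 685), any `continue` inside the loop would skip it; the loop body continues outside this hunk.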
***************
*** 535,544 ****
            CHECK_REG_ERROR(code);
  
            /* get the DisplayName out of it to show the user */
            code = RegQueryValueEx(uninstall_key_handle, "displayname", 0,
                    &value_type, (LPBYTE)temp_string_buffer,
                    &local_bufsize);
-           local_bufsize = BUFSIZE;
            CHECK_REG_ERROR(code);
  
            allow_silent = 0;
--- 537,546 ----
            CHECK_REG_ERROR(code);
  
            /* get the DisplayName out of it to show the user */
+           local_bufsize = sizeof(temp_string_buffer);
            code = RegQueryValueEx(uninstall_key_handle, "displayname", 0,
                    &value_type, (LPBYTE)temp_string_buffer,
                    &local_bufsize);
            CHECK_REG_ERROR(code);
  
            allow_silent = 0;
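Review bot: `RegQueryValueEx()` does not guarantee that string data comes back NUL-terminated, and passing the full `sizeof(temp_string_buffer)` lets a value that fills the buffer leave no room for a terminator before the text is shown to the user. Reserving a byte and terminating explicitly covers it: `local_bufsize = sizeof(temp_string_buffer) - 1;` before the call and `temp_string_buffer[local_bufsize] = NUL;` once the call has succeeded. `value_type` is also not compared against `REG_SZ` in the visible lines. The same applies to the "uninstallstring" query in the next hunk (570 onward), and probably to `popup_gvim_path()` and `openwith_gvim_path()` in src/uninstal.c, whose bodies are not shown.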
***************
*** 568,576 ****
            fflush(stdout);
  
            /* get the UninstallString */
            code = RegQueryValueEx(uninstall_key_handle, "uninstallstring", 0,
                    &value_type, (LPBYTE)temp_string_buffer, &local_bufsize);
-           local_bufsize = BUFSIZE;
            CHECK_REG_ERROR(code);
  
            /* Remember the directory, it is used as the default for NSIS. */
--- 570,578 ----
            fflush(stdout);
  
            /* get the UninstallString */
+           local_bufsize = sizeof(temp_string_buffer);
            code = RegQueryValueEx(uninstall_key_handle, "uninstallstring", 0,
                    &value_type, (LPBYTE)temp_string_buffer, &local_bufsize);
            CHECK_REG_ERROR(code);
  
            /* Remember the directory, it is used as the default for NSIS. */
***************
*** 683,688 ****
--- 685,692 ----
  
            RegCloseKey(uninstall_key_handle);
        }
+ 
+       key_index++;
      }
      RegCloseKey(key_handle);
  
***************
*** 1826,1832 ****
            /* translate the (possibly) multibyte shortcut filename to windows
             * Unicode so it can be used as a file name.
             */
!           MultiByteToWideChar(CP_ACP, 0, shortcut_name, -1, wsz, BUFSIZE);
  
            /* set the attributes */
            shelllink_ptr->lpVtbl->SetPath(shelllink_ptr, shortcut_target);
--- 1830,1836 ----
            /* translate the (possibly) multibyte shortcut filename to windows
             * Unicode so it can be used as a file name.
             */
!           MultiByteToWideChar(CP_ACP, 0, shortcut_name, -1, wsz, 
sizeof(wsz)/sizeof(wsz[0]));
  
            /* set the attributes */
            shelllink_ptr->lpVtbl->SetPath(shelllink_ptr, shortcut_target);
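Review bot: The result of `MultiByteToWideChar()` is not checked, so if the conversion fails (it returns 0, for instance when `shortcut_name` needs more elements than `wsz` has) the code goes on to use a `wsz` that was not filled in or terminated. A guard like `if (MultiByteToWideChar(CP_ACP, 0, shortcut_name, -1, wsz, sizeof(wsz)/sizeof(wsz[0])) == 0)` leading to the function's existing failure path would handle that. `sizeof(wsz)/sizeof(wsz[0])` is the element count only if `wsz` is declared as an array in this function; the declaration is outside the hunk.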
***************
*** 2135,2141 ****
   * result in "to[]".
   */
      static void
! dir_remove_last(const char *path, char to[BUFSIZE])
  {
      char c;
      long last_char_to_copy;
--- 2139,2145 ----
   * result in "to[]".
   */
      static void
! dir_remove_last(const char *path, char to[MAX_PATH])
  {
      char c;
      long last_char_to_copy;
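Review bot: The `[MAX_PATH]` in `char to[MAX_PATH]` is documentation only; the parameter is a plain `char *`, so neither the old nor the new bound is enforced by the compiler or known to the function. With `BUFSIZE` raised to `MAX_PATH*2` elsewhere in this patch, a caller can hold a `path` longer than `MAX_PATH`, and nothing in the visible lines limits what is written to `to`. Passing the size explicitly, e.g. `dir_remove_last(const char *path, char *to, size_t to_size)`, and refusing or truncating when the result does not fit would make the contract checkable. The body that does the copy is outside this hunk.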
***************
*** 2206,2212 ****
        if (homepath == NULL || *homepath == NUL)
            homepath = "\\";
        if (homedrive != NULL
!                          && strlen(homedrive) + strlen(homepath) < MAX_PATH)
        {
            sprintf(buf, "%s%s", homedrive, homepath);
            if (buf[0] != NUL)
--- 2210,2216 ----
        if (homepath == NULL || *homepath == NUL)
            homepath = "\\";
        if (homedrive != NULL
!                  && strlen(homedrive) + strlen(homepath) < sizeof(buf))
        {
            sprintf(buf, "%s%s", homedrive, homepath);
            if (buf[0] != NUL)
***************
*** 2234,2243 ****
            buf[p - (var + 1)] = NUL;
            exp = getenv(buf);
            if (exp != NULL && *exp != NUL
!                                       && strlen(exp) + strlen(p) < MAX_PATH)
            {
!               _snprintf(buf, MAX_PATH, "%s%s", exp, p + 1);
!               buf[MAX_PATH - 1] = NUL;
                var = buf;
            }
        }
--- 2238,2246 ----
            buf[p - (var + 1)] = NUL;
            exp = getenv(buf);
            if (exp != NULL && *exp != NUL
!                               && strlen(exp) + strlen(p) < sizeof(buf))
            {
!               sprintf(buf, "%s%s", exp, p + 1);
                var = buf;
            }
        }
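Review bot: The index in `buf[p - (var + 1)] = NUL;` is the length of the variable name taken from `var`, and no visible line compares it with `sizeof(buf)`; if the copy just above the hunk is equally unchecked, a long `%NAME%` reference overruns `buf` before the new `strlen(exp) + strlen(p)` test is reached. A condition such as `(size_t)(p - (var + 1)) < sizeof(buf)` ahead of that copy would bound it. Replacing `_snprintf` with `sprintf` here, and keeping `sprintf` in the HOMEDRIVE/HOMEPATH hunk above, also leaves the preceding `strlen` test as the only protection; `_snprintf(buf, sizeof(buf), "%s%s", exp, p + 1);` followed by `buf[sizeof(buf) - 1] = NUL;` would keep the write bounded even if the test and the format string drift apart.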
***************
*** 2351,2360 ****
  
      // Check if the "compiler" directory already exists.  That's a good
      // indication that the plugin directories were already created.
!     if (getenv("HOME") != NULL)
      {
        vimfiles_dir_choice = (int)vimfiles_dir_home;
!       sprintf(tmp_dirname, "%s\\vimfiles\\compiler", getenv("HOME"));
        if (stat(tmp_dirname, &st) == 0)
            vimfiles_dir_choice = (int)vimfiles_dir_none;
      }
--- 2354,2364 ----
  
      // Check if the "compiler" directory already exists.  That's a good
      // indication that the plugin directories were already created.
!     p = getenv("HOME");
!     if (p != NULL)
      {
        vimfiles_dir_choice = (int)vimfiles_dir_home;
!       sprintf(tmp_dirname, "%s\\vimfiles\\compiler", p);
        if (stat(tmp_dirname, &st) == 0)
            vimfiles_dir_choice = (int)vimfiles_dir_none;
      }
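Review bot: `sprintf(tmp_dirname, "%s\\vimfiles\\compiler", p)` still copies the value of `$HOME` with no length check, unlike the other environment values this patch guards, so a long `HOME` can overrun `tmp_dirname`. Caching `getenv("HOME")` in `p` does not change that. Testing the length first, e.g. `if (p != NULL && strlen(p) + sizeof("\\vimfiles\\compiler") <= sizeof(tmp_dirname))`, or formatting with a bounded call and checking for truncation, would bring this in line with the rest of the patch. The declaration of `tmp_dirname` is outside the hunk, so the `sizeof` form assumes it is an array in this scope.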
*** ../vim-8.1.0975/src/dosinst.h       2019-02-18 22:19:29.124186022 +0100
--- src/dosinst.h       2019-02-22 19:33:42.519738742 +0100
***************
*** 59,65 ****
  /* ---------------------------------------- */
  
  
! #define BUFSIZE 512           /* long enough to hold a file name path */
  #define NUL 0
  
  #define FAIL 0
--- 59,65 ----
  /* ---------------------------------------- */
  
  
! #define BUFSIZE (MAX_PATH*2)          /* long enough to hold a file name path 
*/
  #define NUL 0
  
  #define FAIL 0
***************
*** 93,107 ****
      static void *
  alloc(int len)
  {
!     char *s;
  
!     s = malloc(len);
!     if (s == NULL)
      {
        printf("ERROR: out of memory\n");
        exit(1);
      }
!     return (void *)s;
  }
  
  /*
--- 93,107 ----
      static void *
  alloc(int len)
  {
!     void *p;
  
!     p = malloc(len);
!     if (p == NULL)
      {
        printf("ERROR: out of memory\n");
        exit(1);
      }
!     return p;
  }
  
  /*
***************
*** 512,518 ****
  do_inits(char **argv)
  {
      /* Find out the full path of our executable. */
!     if (my_fullpath(installdir, argv[0], BUFSIZE) == NULL)
      {
        printf("ERROR: Cannot get name of executable\n");
        myexit(1);
--- 512,518 ----
  do_inits(char **argv)
  {
      /* Find out the full path of our executable. */
!     if (my_fullpath(installdir, argv[0], sizeof(installdir)) == NULL)
      {
        printf("ERROR: Cannot get name of executable\n");
        myexit(1);
*** ../vim-8.1.0975/src/uninstal.c      2019-02-18 22:19:29.124186022 +0100
--- src/uninstal.c      2019-02-22 19:33:42.519738742 +0100
***************
*** 60,70 ****
   * Returns non-zero when it's found.
   */
      static int
! popup_gvim_path(char *buf)
  {
      HKEY      key_handle;
      DWORD     value_type;
-     DWORD     bufsize = BUFSIZE;
      int               r;
  
      /* Open the key where the path to gvim.exe is stored. */
--- 60,69 ----
   * Returns non-zero when it's found.
   */
      static int
! popup_gvim_path(char *buf, DWORD bufsize)
  {
      HKEY      key_handle;
      DWORD     value_type;
      int               r;
  
      /* Open the key where the path to gvim.exe is stored. */
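Review bot: The comment above `popup_gvim_path()` does not mention the new `bufsize` parameter, and the same goes for `openwith_gvim_path()` in the next hunk. Since it is a `DWORD` that is presumably handed on to a registry query (the body is outside the hunk), the unit matters to callers. I would add a line such as `"bufsize" is the size of "buf" in bytes, including room for the terminating NUL.` to both comments.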
***************
*** 87,97 ****
   * Returns non-zero when it's found.
   */
      static int
! openwith_gvim_path(char *buf)
  {
      HKEY      key_handle;
      DWORD     value_type;
-     DWORD     bufsize = BUFSIZE;
      int               r;
  
      /* Open the key where the path to gvim.exe is stored. */
--- 86,95 ----
   * Returns non-zero when it's found.
   */
      static int
! openwith_gvim_path(char *buf, DWORD bufsize)
  {
      HKEY      key_handle;
      DWORD     value_type;
      int               r;
  
      /* Open the key where the path to gvim.exe is stored. */
***************
*** 209,215 ****
      fd = fopen(path, "r");
      if (fd != NULL)
      {
!       while (fgets(line, BUFSIZE, fd) != NULL)
        {
            for (p = line; *p != 0; ++p)
                /* don't accept "vim60an" when looking for "vim60". */
--- 207,213 ----
      fd = fopen(path, "r");
      if (fd != NULL)
      {
!       while (fgets(line, sizeof(line), fd) != NULL)
        {
            for (p = line; *p != 0; ++p)
                /* don't accept "vim60an" when looking for "vim60". */
***************
*** 335,341 ****
  
      printf("This program will remove the following items:\n");
  
!     if (popup_gvim_path(popup_path))
      {
        printf(" - the \"Edit with Vim\" entry in the popup menu\n");
        printf("   which uses \"%s\"\n", popup_path);
--- 333,339 ----
  
      printf("This program will remove the following items:\n");
  
!     if (popup_gvim_path(popup_path, sizeof(popup_path)))
      {
        printf(" - the \"Edit with Vim\" entry in the popup menu\n");
        printf("   which uses \"%s\"\n", popup_path);
***************
*** 349,355 ****
            remove_openwith();
        }
      }
!     else if (openwith_gvim_path(popup_path))
      {
        printf(" - the Vim \"Open With...\" entry in the popup menu\n");
        printf("   which uses \"%s\"\n", popup_path);
--- 347,353 ----
            remove_openwith();
        }
      }
!     else if (openwith_gvim_path(popup_path, sizeof(popup_path)))
      {
        printf(" - the Vim \"Open With...\" entry in the popup menu\n");
        printf("   which uses \"%s\"\n", popup_path);
*** ../vim-8.1.0975/src/version.c       2019-02-22 19:14:46.774074872 +0100
--- src/version.c       2019-02-22 19:34:21.703520330 +0100
***************
*** 781,782 ****
--- 781,784 ----
  {   /* Add new patch number below this line */
+ /**/
+     976,
  /**/

-- 
When a fly lands on the ceiling, does it do a half roll or
a half loop?

 /// Bram Moolenaar -- [email protected] -- http://www.Moolenaar.net   \\\
///        sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\
\\\  an exciting new programming language -- http://www.Zimbu.org        ///
 \\\            help me help AIDS victims -- http://ICCF-Holland.org    ///
