patch 9.0.1899: potential buffer overflow in PBYTE macro

Commit: 
https://github.com/vim/vim/commit/ffb13674d1af1c90beb229867ec989e4fb232df3
Author: Christian Brabandt <c...@256bit.org>
Date:   Fri Sep 15 20:22:02 2023 +0200

    patch 9.0.1899: potential buffer overflow in PBYTE macro
    
    Problem:  potential buffer overflow in PBYTE macro
    Solution: Check returned memline length
    
    closes: #13083
    
    The PBYTE macro puts byte c at position lp of the line returned by
    ml_get_buf(). However, on unexpected errors ml_get_buf() may return
    either "???" or an empty line, in which case the write at lp.col is
    quite likely to overrun the buffer.
    
    Therefore, switch the macro PBYTE (which is only used in ops.c anyhow)
    to a function, that verifies that we will only try to access within the
    given length of the buffer.
    
    Also, since the macro is only used in ops.c, move the definition from
    macros.h to ops.c
    
    Signed-off-by: Christian Brabandt <c...@256bit.org>

diff --git a/src/macros.h b/src/macros.h
index d86097ced..cc2d11fdd 100644
--- a/src/macros.h
+++ b/src/macros.h
@@ -13,11 +13,6 @@
  * replaced and an argument is not used more than once.
  */
 
-/*
- * PBYTE(lp, c) - put byte 'c' at position 'lp'
- */
-#define PBYTE(lp, c) (*(ml_get_buf(curbuf, (lp).lnum, TRUE) + (lp).col) = (c))
-
 /*
  * Position comparisons
  */
diff --git a/src/ops.c b/src/ops.c
index f4524d3d7..aa6f4af37 100644
--- a/src/ops.c
+++ b/src/ops.c
@@ -17,6 +17,9 @@
 static void shift_block(oparg_T *oap, int amount);
 static void    mb_adjust_opend(oparg_T *oap);
 static int     do_addsub(int op_type, pos_T *pos, int length, linenr_T 
Prenum1);
+static void    pbyte(pos_T lp, int c);
+#define PBYTE(lp, c) pbyte(lp, c)
+
 
 // Flags for third item in "opchars".
 #define OPF_LINES  1   // operator always works on lines
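Review bot: `PBYTE` stays an upper-case macro but now expands to a function that takes `pos_T` by value and may clamp the column, which is easy to miss at call sites that still read like a plain store. Either call `pbyte()` directly in ops.c or put a comment above the define, e.g. `// PBYTE() is kept as an alias for pbyte() so existing call sites stay unchanged`; that reason for keeping the alias is inferred from the hunk and should be confirmed. The added blank line after the define also leaves two consecutive blank lines before the `// Flags for third item` comment.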
@@ -4349,3 +4352,18 @@ do_pending_operator(cmdarg_T *cap, int old_col, int 
gui_yank)
     restore_lbr(lbr_saved);
 #endif
 }
+
+// put byte 'c' at position 'lp', but
+// verify, that the position to place
+// is actually safe
+    static void
+pbyte(pos_T lp, int c)
+{
+    char_u *p = ml_get_buf(curbuf, lp.lnum, TRUE);
+    int        len = curbuf->b_ml.ml_line_len;
+
+    // safety check
+    if (lp.col >= len)
+       lp.col = (len > 1 ? len - 2 : 0);
+    *(p + lp.col) = c;
+}
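Review bot: The safety check in `pbyte()` redirects an out-of-range write instead of refusing it: when `lp.col >= len` the byte is stored at `len - 2`, or at offset 0 when `len` is 0 or 1, so the caller's byte silently lands on a different column. If `ml_line_len` counts the trailing NUL (the `len - 2` arithmetic suggests it does), the `len <= 1` fallback and an in-range `lp.col == len - 1` both overwrite the terminator, and a negative `lp.col` (if `colnr_T` is signed) is not checked at all. Skipping the store looks safer, e.g. `if (lp.col < 0 || lp.col >= len - 1) return;`, together with a comment stating whether `len` includes the NUL. Whether any caller legitimately writes at the NUL position is not visible in this hunk and should be confirmed before tightening the bound.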
diff --git a/src/version.c b/src/version.c
index ba4be2780..4576d5a4c 100644
--- a/src/version.c
+++ b/src/version.c
@@ -699,6 +699,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    1899,
 /**/
     1898,
 /**/
