patch 9.1.1443: potential buffer underflow in insertchar()
Commit:
https://github.com/vim/vim/commit/82a96e3dc0ee8f45bb0c1fe17a0cec1db7582e8f
Author: jinyaoguo <guo...@purdue.edu>
Date: Mon Jun 9 20:31:17 2025 +0200
patch 9.1.1443: potential buffer underflow in insertchar()
Problem: potential buffer underflow in insertchar()
Solution: verify that end_len is larger than zero
(jinyaoguo)
When parsing the end-comment leader, end_len can be zero if
copy_option_part() writes no characters. The existing check
unconditionally accessed lead_end[end_len-1], causing potential
underflow when end_len == 0.
This change adds an end_len > 0 guard to ensure we only index lead_end
if there is at least one character.
closes: #17476
Signed-off-by: jinyaoguo <guo...@purdue.edu>
Signed-off-by: Christian Brabandt <c...@256bit.org>
diff --git a/src/edit.c b/src/edit.c
index b4e6767f2..9cc55ef3d 100644
--- a/src/edit.c
+++ b/src/edit.c
@@ -2197,7 +2197,7 @@ insertchar(
i -= middle_len;
// Check some expected things before we go on
- if (i >= 0 && lead_end[end_len - 1] == end_comment_pending)
+ if (i >= 0 && end_len > 0 && lead_end[end_len - 1] ==
end_comment_pending)
{
// Backspace over all the stuff we want to replace
backspace_until_column(i);
diff --git a/src/version.c b/src/version.c
index 6e0081e9b..491b51690 100644
--- a/src/version.c
+++ b/src/version.c
@@ -709,6 +709,8 @@ static char *(features[]) =
static int included_patches[] =
{ /* Add new patch number below this line */
+/**/
+ 1443,
/**/
1442,
/**/
--
--
You received this message from the "vim_dev" maillist.
Do not top-post! Type your reply below the text you are replying to.
For more information, visit http://www.vim.org/maillist.php
---
You received this message because you are subscribed to the Google Groups
"vim_dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to vim_dev+unsubscr...@googlegroups.com.
To view this discussion visit
https://groups.google.com/d/msgid/vim_dev/E1uOhUV-009qlK-F0%40256bit.org.
