patch 9.2.0186: heap buffer overflow with long generic function name

Commit: 
https://github.com/vim/vim/commit/f9bed026acb6e9222d93098f4cb96b2595fadbbe
Author: Kaixuan Li <[email protected]>
Date:   Tue Mar 17 19:07:53 2026 +0000

    patch 9.2.0186: heap buffer overflow with long generic function name
    
    Problem:   Using a long generic function name may cause a heap buffer
               overflow in common_function().
    Solution:  Allocate memory for the full name instead of using IObuff
               (Kaixuan Li).
    
    closes: #19727
    
    Signed-off-by: Kaixuan Li <[email protected]>
    Signed-off-by: Yegappan Lakshmanan <[email protected]>
    Signed-off-by: Christian Brabandt <[email protected]>

diff --git a/src/evalfunc.c b/src/evalfunc.c
index 6d40794c0..f790aa826 100644
--- a/src/evalfunc.c
+++ b/src/evalfunc.c
@@ -5436,9 +5436,13 @@ common_function(typval_T *argvars, typval_T *rettv, int 
is_funcref)
            else
            {
                // generic function
-               STRCPY(IObuff, name);
-               STRCAT(IObuff, start_bracket);
-               rettv->vval.v_string = vim_strsave(IObuff);
+               size_t len = STRLEN(name) + STRLEN(start_bracket);
+               rettv->vval.v_string = alloc(len + 1);
+               if (rettv->vval.v_string != NULL)
+               {
+                   STRCPY(rettv->vval.v_string, name);
+                   STRCAT(rettv->vval.v_string, start_bracket);
+               }
                vim_free(name);
            }
        }
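Review bot: The hand-computed `len` followed by STRCPY/STRCAT in the generic-function branch re-implements what Vim's existing `concat_str()` helper does, and it leaves the size calculation and the two copies to be kept in step by hand. `rettv->vval.v_string = concat_str(name, start_bracket);` would allocate and join in one call and still yield NULL on allocation failure, as the new code does. If the explicit form is kept, a comment such as `// name comes from the script and may exceed IOSIZE, so never build it in IObuff` would record why the buffer is sized from the input. common_function() begins and ends outside this hunk, so how a NULL `v_string` is handled afterwards, and where `start_bracket` points, cannot be confirmed from here.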
diff --git a/src/testdir/test_vimscript.vim b/src/testdir/test_vimscript.vim
index a79c68279..9248c5d6b 100644
--- a/src/testdir/test_vimscript.vim
+++ b/src/testdir/test_vimscript.vim
@@ -7689,6 +7689,19 @@ func Test_catch_pattern_trailing_chars()
   bw!
 endfunc
 
+" Test for long gerneric type name {{{1
+func Test_function_long_generic_name()
+  func TestFunc()
+    return
+  endfunc
+
+  let name = 'TestFunc<' .. repeat('T', 1100) .. '>'
+
+  call function(name)
+  call funcref(name)
+  delfunc TestFunc
+endfunc
+
 
"-------------------------------------------------------------------------------
 " Modelines                                                                {{{1
 " vim: ts=8 sw=2 sts=2 expandtab tw=80 fdm=marker
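Review bot: Test_function_long_generic_name() can only fail by crashing, because the results of `function(name)` and `funcref(name)` are discarded, so a build without a sanitizer or valgrind may not notice a regression. Asserting on the returned value would also pin the string the fixed branch now builds, provided its form is stable. The literal 1100 deserves a comment such as `" must be longer than IObuff (IOSIZE) to reach the old overflow`, so a later change to the buffer size does not silently neutralise the test. If either call throws, `delfunc TestFunc` is never reached, so putting the calls in `try` with the `delfunc` under `finally` would keep the helper from leaking into later tests. The header comment also spells "generic" as "gerneric".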
diff --git a/src/version.c b/src/version.c
index 1f2cf0ec2..05bc54c3a 100644
--- a/src/version.c
+++ b/src/version.c
@@ -734,6 +734,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    186,
 /**/
     185,
 /**/
