patch 8.2.3669: buffer overflow with long help argument
Problem: Buffer overflow with long help argument. Solution: Use snprintf().
This commit is contained in:
		| @ -422,8 +422,7 @@ find_help_tags( | |||||||
| 		    || (vim_strchr((char_u *)"%_z@", arg[1]) != NULL | 		    || (vim_strchr((char_u *)"%_z@", arg[1]) != NULL | ||||||
| 							   && arg[2] != NUL))) | 							   && arg[2] != NUL))) | ||||||
| 	{ | 	{ | ||||||
| 	    STRCPY(d, "/\\\\"); | 	    vim_snprintf((char *)d, IOSIZE, "/\\\\%s", arg + 1); | ||||||
| 	    STRCPY(d + 3, arg + 1); |  | ||||||
| 	    // Check for "/\\_$", should be "/\\_\$" | 	    // Check for "/\\_$", should be "/\\_\$" | ||||||
| 	    if (d[3] == '_' && d[4] == '$') | 	    if (d[3] == '_' && d[4] == '$') | ||||||
| 		STRCPY(d + 4, "\\$"); | 		STRCPY(d + 4, "\\$"); | ||||||
|  | |||||||
| @ -134,4 +134,13 @@ func Test_help_window_height() | |||||||
|   close |   close | ||||||
| endfunc | endfunc | ||||||
|  |  | ||||||
|  | func Test_help_long_argument() | ||||||
|  |   try | ||||||
|  |     exe 'help \%' .. repeat('0', 1021) | ||||||
|  |   catch | ||||||
|  |     call assert_match("E149:", v:exception) | ||||||
|  |   endtry | ||||||
|  | endfunc | ||||||
|  |  | ||||||
|  |  | ||||||
| " vim: shiftwidth=2 sts=2 expandtab | " vim: shiftwidth=2 sts=2 expandtab | ||||||
|  | |||||||
| @ -757,6 +757,8 @@ static char *(features[]) = | |||||||
|  |  | ||||||
| static int included_patches[] = | static int included_patches[] = | ||||||
| {   /* Add new patch number below this line */ | {   /* Add new patch number below this line */ | ||||||
|  | /**/ | ||||||
|  |     3669, | ||||||
| /**/ | /**/ | ||||||
|     3668, |     3668, | ||||||
| /**/ | /**/ | ||||||
|  | |||||||
		Reference in New Issue
	
	Block a user