commit 1afdcb8f2b3b63e241adecc0e0d5aad98d3640ea
parent efacb107092602d4458623811a331c821ae9d49e
Author: Jan Edmund Lazo <jan.lazo@mail.utoronto.ca>
Date: Sun, 21 Dec 2025 23:59:28 -0500
vim-patch:9.0.1899: potential buffer overflow in PBYTE macro
Problem: potential buffer overflow in PBYTE macro
Solution: Check returned memline length
closes: vim/vim#13083
the PBYTE macro is used to put byte c at a position lp of the returned
memline. However, in case of unexpected errors ml_get_buf() may return
either "???" or an empty line in which case it is quite likely that we
are causing a buffer overrun.
Therefore, switch the macro PBYTE (which is only used in ops.c anyhow)
to a function, that verifies that we will only try to access within the
given length of the buffer.
Also, since the macro is only used in ops.c, move the definition from
macros.h to ops.c
https://github.com/vim/vim/commit/ffb13674d1af1c90beb229867ec989e4fb232df3
Co-authored-by: Christian Brabandt <cb@256bit.org>
Diffstat:
1 file changed, 12 insertions(+), 3 deletions(-)
diff --git a/src/nvim/ops.c b/src/nvim/ops.c
@@ -1046,11 +1046,20 @@ static void mb_adjust_opend(oparg_T *oap)
}
}
-/// Put character 'c' at position 'lp'
-static inline void pbyte(pos_T lp, int c)
+/// put byte 'c' at position 'lp', but
+/// verify, that the position to place
+/// is actually safe
+static void pbyte(pos_T lp, int c)
{
assert(c <= UCHAR_MAX);
- *(ml_get_buf_mut(curbuf, lp.lnum) + lp.col) = (char)c;
+ char *p = ml_get_buf_mut(curbuf, lp.lnum);
+ colnr_T len = curbuf->b_ml.ml_line_len;
+
+ // safety check
+ if (lp.col >= len) {
+ lp.col = (len > 1 ? len - 2 : 0);
+ }
+ *(p + lp.col) = (char)c;
if (!curbuf_splice_pending) {
extmark_splice_cols(curbuf, (int)lp.lnum - 1, lp.col, 1, 1, kExtmarkUndo);
}
