commit b0b61c42b3abc9fbbe7f3b06914f8022a6154598
parent ad5bced63798b99d3e423414ac3ca3ebdc02cbc2
Author: zeertzjq <zeertzjq@outlook.com>
Date: Sat, 15 Mar 2025 08:16:28 +0800
vim-patch:9.0.1458: buffer overflow when expanding long file name
Problem: Buffer overflow when expanding long file name.
Solution: Use a larger buffer and avoid overflowing it. (Yee Cheng Chin,
closes vim/vim#12201)
https://github.com/vim/vim/commit/a77670726e3706973adffc2b118f4576e1f58ea0
Co-authored-by: Yee Cheng Chin <ychin.git@gmail.com>
Diffstat:
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/nvim/path.c b/src/nvim/path.c
@@ -627,7 +627,7 @@ static size_t do_path_expand(garray_T *gap, const char *path, size_t wildoff, in
// Make room for file name. When doing encoding conversion the actual
// length may be quite a bit longer, thus use the maximum possible length.
- const size_t buflen = MAXPATHL;
+ const size_t buflen = strlen(path) + MAXPATHL;
char *buf = xmalloc(buflen);
// Find the first part in the path name that contains a wildcard.
@@ -740,7 +740,7 @@ static size_t do_path_expand(garray_T *gap, const char *path, size_t wildoff, in
&& ((regmatch.regprog != NULL && vim_regexec(®match, name, 0))
|| ((flags & EW_NOTWILD)
&& path_fnamencmp(path + (s - buf), name, (size_t)(e - s)) == 0))) {
- STRCPY(s, name);
+ xstrlcpy(s, name, buflen - (size_t)(s - buf));
len = strlen(buf);
if (starstar && stardepth < 100) {
