patch 9.0.1458: buffer overflow when expanding long file name
Problem: Buffer overflow when expanding long file name.
Solution: Use a larger buffer and avoid overflowing it. (Yee Cheng Chin,
closes #12201)
diff --git a/src/filepath.c b/src/filepath.c
index 57e9fb2..79d4afb 100644
--- a/src/filepath.c
+++ b/src/filepath.c
@@ -938,9 +938,9 @@
static void
findfilendir(
- typval_T *argvars UNUSED,
+ typval_T *argvars,
typval_T *rettv,
- int find_what UNUSED)
+ int find_what)
{
char_u *fname;
char_u *fresult = NULL;
@@ -3685,7 +3685,6 @@
int didstar) // expanded "**" once already
{
char_u *buf;
- size_t buflen;
char_u *path_end;
char_u *p, *s, *e;
int start_len = gap->ga_len;
@@ -3708,8 +3707,8 @@
return 0;
}
- // make room for file name
- buflen = STRLEN(path) + BASENAMELEN + 5;
+ // make room for file name (a bit too much to stay on the safe side)
+ size_t buflen = STRLEN(path) + MAXPATHL;
buf = alloc(buflen);
if (buf == NULL)
return 0;
@@ -3828,7 +3827,7 @@
|| ((flags & EW_NOTWILD)
&& fnamencmp(path + (s - buf), dp->d_name, e - s) == 0)))
{
- STRCPY(s, dp->d_name);
+ vim_strncpy(s, (char_u *)dp->d_name, buflen - (s - buf) - 1);
len = STRLEN(buf);
if (starstar && stardepth < 100)
diff --git a/src/version.c b/src/version.c
index ca4774d..018fcf5 100644
--- a/src/version.c
+++ b/src/version.c
@@ -696,6 +696,8 @@
static int included_patches[] =
{ /* Add new patch number below this line */
/**/
+ 1458,
+/**/
1457,
/**/
1456,