patch 9.0.1070: reading beyond array size
Problem: Reading beyond array size.
Solution: Only use name[0] and name[1], do not use "name" as a string.
diff --git a/src/term.c b/src/term.c
index b2b14e3..7483974 100644
--- a/src/term.c
+++ b/src/term.c
@@ -4389,7 +4389,8 @@
#define ATC_FROM_TERM 55
/*
- * Add a new entry to the list of terminal codes.
+ * Add a new entry for "name[2]" to the list of terminal codes.
+ * Note that "name" may not have a terminating NUL.
* The list is kept alphabetical for ":set termcap"
* "flags" is TRUE when replacing 7-bit by 8-bit controls is desired.
* "flags" can also be ATC_FROM_TERM for got_code_from_term().
@@ -4497,7 +4498,8 @@
{
// They are equal but for the ";*": don't add it.
#ifdef FEAT_EVAL
- ch_log(NULL, "Termcap entry %s did not change", name);
+ ch_log(NULL, "Termcap entry %c%c did not change",
+ name[0], name[1]);
#endif
vim_free(s);
return;
@@ -4507,8 +4509,8 @@
{
// Replace old code.
#ifdef FEAT_EVAL
- ch_log(NULL, "Termcap entry %s was: %s",
- name, termcodes[i].code);
+ ch_log(NULL, "Termcap entry %c%c was: %s",
+ name[0], name[1], termcodes[i].code);
#endif
vim_free(termcodes[i].code);
--tc_len;
@@ -4528,7 +4530,7 @@
}
#ifdef FEAT_EVAL
- ch_log(NULL, "%s termcap entry %s to %s", action, name, s);
+ ch_log(NULL, "%s termcap entry %c%c to %s", action, name[0], name[1], s);
#endif
termcodes[i].name[0] = name[0];
termcodes[i].name[1] = name[1];