patch 9.0.1848: [security] buffer-overflow in vim_regsub_both() Problem: buffer-overflow in vim_regsub_both() Solution: Check remaining space Signed-off-by: Christian Brabandt <cb@256bit.org>

commit: ced2c7394aafdc90fb7845e09b3a3fee23d48cb1 [log] [tgz]
author: Christian Brabandt <cb@256bit.org> Sat Sep 02 21:15:52 2023 +0200
committer: Christian Brabandt <cb@256bit.org> Sat Sep 02 21:37:04 2023 +0200
tree: 9576ca9f0aa1d127ed8d06821375b6d2de50fd5a
parent: 889f6af37164775192e33b233a90e86fd3df0f57 [diff] [blame]
diff --git a/src/ex_cmds.c b/src/ex_cmds.c
index c30b6fd..53c7bb5 100644
--- a/src/ex_cmds.c
+++ b/src/ex_cmds.c

@@ -4651,6 +4651,9 @@
 		mch_memmove(new_end, sub_firstline + copycol, (size_t)copy_len);
 		new_end += copy_len;
 
+		if (new_start_len - copy_len < sublen)
+		    sublen = new_start_len - copy_len - 1;
+
 #ifdef FEAT_EVAL
 		++textlock;
 #endif
commit	ced2c7394aafdc90fb7845e09b3a3fee23d48cb1	[log] [tgz]
author	Christian Brabandt <cb@256bit.org>	Sat Sep 02 21:15:52 2023 +0200
committer	Christian Brabandt <cb@256bit.org>	Sat Sep 02 21:37:04 2023 +0200
tree	9576ca9f0aa1d127ed8d06821375b6d2de50fd5a
parent	889f6af37164775192e33b233a90e86fd3df0f57 [diff] [blame]