patch 9.0.1848: [security] buffer-overflow in vim_regsub_both() Problem: buffer-overflow in vim_regsub_both() Solution: Check remaining space Signed-off-by: Christian Brabandt <cb@256bit.org>

commit: ced2c7394aafdc90fb7845e09b3a3fee23d48cb1 [log] [tgz]
author: Christian Brabandt <cb@256bit.org> Sat Sep 02 21:15:52 2023 +0200
committer: Christian Brabandt <cb@256bit.org> Sat Sep 02 21:37:04 2023 +0200
tree: 9576ca9f0aa1d127ed8d06821375b6d2de50fd5a
parent: 889f6af37164775192e33b233a90e86fd3df0f57 [diff] [blame]
diff --git a/src/regexp.c b/src/regexp.c
index 9c576c6..edd1293 100644
--- a/src/regexp.c
+++ b/src/regexp.c

@@ -2051,7 +2051,8 @@
 	// "flags & REGSUB_COPY" != 0.
 	if (copy)
 	{
-	    if (eval_result[nested] != NULL)
+	    if (eval_result[nested] != NULL &&
+		    STRLEN(eval_result[nested]) < destlen)
 	    {
 		STRCPY(dest, eval_result[nested]);
 		dst += STRLEN(eval_result[nested]);
commit	ced2c7394aafdc90fb7845e09b3a3fee23d48cb1	[log] [tgz]
author	Christian Brabandt <cb@256bit.org>	Sat Sep 02 21:15:52 2023 +0200
committer	Christian Brabandt <cb@256bit.org>	Sat Sep 02 21:37:04 2023 +0200
tree	9576ca9f0aa1d127ed8d06821375b6d2de50fd5a
parent	889f6af37164775192e33b233a90e86fd3df0f57 [diff] [blame]