Headline
CVE-2021-4019: patch 8.2.3669: buffer overflow with long help argument · vim/vim@bd228fd
vim is vulnerable to Heap-based Buffer Overflow
patch 8.2.3669: buffer overflow with long help argument
Problem: Buffer overflow with long help argument. Solution: Use snprintf().
1 parent bb277fd commit bd228fd097b41a798f90944b5d1245eddd484142
Showing with 12 additions and 2 deletions.
- +1 −2 src/help.c
- +9 −0 src/testdir/test_help.vim
- +2 −0 src/version.c
@@ -422,8 +422,7 @@ find_help_tags(
|| (vim_strchr((char_u *)"%_z@", arg[1]) != NULL
&& arg[2] != NUL)))
{
STRCPY(d, “/\\\\”);
STRCPY(d + 3, arg + 1);
vim_snprintf((char *)d, IOSIZE, "/\\\\%s", arg + 1);
// Check for "/\\_$", should be “/\\_\$”
if (d[3] == ‘_’ && d[4] == ‘$’)
STRCPY(d + 4, “\\$”);
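Review bot: The `IOSIZE` bound passed to `vim_snprintf()` is only correct if `d` points at the start of a buffer of at least that many bytes, and the assignment of `d` lies outside this hunk, so the call should state that assumption, for example `// d is the start of an IOSIZE-byte buffer; an over-long argument is truncated here, not rejected`. Truncation is silent, so an over-long argument presumably continues into the tag search in shortened form rather than failing on its length. The accompanying test asserts only inside `catch`, so it passes whether or not an error is raised, and it can detect a regression only when run under a memory checker. The rest of find_help_tags() is outside the hunk; any other branch that builds `d` with `STRCPY` or a similar unbounded copy deserves the same bound.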
@@ -134,4 +134,13 @@ func Test_help_window_height()
close
endfunc
func Test_help_long_argument()
try
exe ‘help \%’ … repeat('0’, 1021)
catch
call assert_match("E149:", v:exception)
endtry
endfunc
" vim: shiftwidth=2 sts=2 expandtab
@@ -757,6 +757,8 @@ static char *(features[]) =
static int included_patches[] =
{ /* Add new patch number below this line */
/**/
3669,
/**/
3668,
/**/