1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
|
From: Markus Koschany <apo@debian.org>
Date: Wed, 19 Oct 2022 18:47:02 +0200
Subject: CVE-2021-3872
Origin: https://github.com/vim/vim/commit/826bfe4bbd7594188e3d74d2539d9707b1c6a14b
---
src/screen.c | 10 +++++-----
src/testdir/test_statusline.vim | 14 ++++++++++++++
2 files changed, 19 insertions(+), 5 deletions(-)
--- a/src/screen.c
+++ b/src/screen.c
@@ -6887,13 +6887,13 @@ win_redr_status(win_T *wp, int ignore_pu
*(p + len++) = ' ';
if (bt_help(wp->w_buffer))
{
- STRCPY(p + len, _("[Help]"));
+ vim_snprintf((char *)p + len, MAXPATHL - len, "%s", _("[Help]"));
len += (int)STRLEN(p + len);
}
#ifdef FEAT_QUICKFIX
if (wp->w_p_pvw)
{
- STRCPY(p + len, _("[Preview]"));
+ vim_snprintf((char *)p + len, MAXPATHL - len, "%s", _("[Preview]"));
len += (int)STRLEN(p + len);
}
#endif
@@ -6903,12 +6903,12 @@ win_redr_status(win_T *wp, int ignore_pu
#endif
)
{
- STRCPY(p + len, "[+]");
- len += 3;
+ vim_snprintf((char *)p + len, MAXPATHL - len, "%s", "[+]");
+ len += (int)STRLEN(p + len);
}
if (wp->w_buffer->b_p_ro)
{
- STRCPY(p + len, _("[RO]"));
+ vim_snprintf((char *)p + len, MAXPATHL - len, "%s", _("[RO]"));
len += (int)STRLEN(p + len);
}
--- a/src/testdir/test_statusline.vim
+++ b/src/testdir/test_statusline.vim
@@ -341,3 +341,17 @@ func Test_statusline()
set laststatus&
set splitbelow&
endfunc
+
+
+" CVE-2021-3872
+" Used to write beyond allocated memory. This assumes MAXPATHL is 4096 bytes.
+function Test_statusline_verylong_filename()
+ let fname = repeat('x', 4090)
+ exe "new " . fname
+ set buftype=help
+ set previewwindow
+ redraw
+ bwipe!
+endfunc
+
+
|
