patch 9.0.1848: [security] buffer-overflow in vim_regsub_both()

Problem: buffer-overflow in vim_regsub_both() Solution: Check remaining space Signed-off-by: Christian Brabandt <cb@256bit.org>
2023-09-02 21:15:52 +02:00
parent 889f6af371
commit ced2c7394a
5 changed files with 27 additions and 2 deletions
--- a/src/ex_cmds.c
+++ b/src/ex_cmds.c
@@ -4651,6 +4651,9 @@ ex_substitute(exarg_T *eap)
 		mch_memmove(new_end, sub_firstline + copycol, (size_t)copy_len);
 		new_end += copy_len;

+		if (new_start_len - copy_len < sublen)
+		    sublen = new_start_len - copy_len - 1;
+
 #ifdef FEAT_EVAL
 		++textlock;
 #endif