patch 9.0.1848: [security] buffer-overflow in vim_regsub_both()

Problem: buffer-overflow in vim_regsub_both() Solution: Check remaining space Signed-off-by: Christian Brabandt <cb@256bit.org>
2023-09-02 21:15:52 +02:00
parent 889f6af371
commit ced2c7394a
5 changed files with 27 additions and 2 deletions
--- a/src/regexp.c
+++ b/src/regexp.c
@@ -2051,7 +2051,8 @@ vim_regsub_both(
 	// "flags & REGSUB_COPY" != 0.
 	if (copy)
 	{
-	    if (eval_result[nested] != NULL)
+	    if (eval_result[nested] != NULL &&
+		    STRLEN(eval_result[nested]) < destlen)
 	    {
 		STRCPY(dest, eval_result[nested]);
 		dst += STRLEN(eval_result[nested]);