ccfilter: uses unbounded strcat()/strcpy()
Commit:
https://github.com/vim/vim/commit/403ba303b997b47c79241247e0d2b5fc698e3dd0
Author: orbisai0security <
mediratt...@gmail.com>
Date: Sun May 17 08:19:14 2026 +0000
ccfilter: uses unbounded strcat()/strcpy()
Problem: ccfilter.c copies compiler output into fixed-size buffers
with strcat() and strcpy(), so very long diagnostics can
overflow.
Solution: replace with snprintf() bounded by LINELENGTH.
Automated security fix generated by Orbis Security AI
closes: #20233
Signed-off-by: orbisai0security <
mediratt...@gmail.com>
Signed-off-by: Christian Brabandt <
c...@256bit.org>
diff --git a/runtime/tools/ccfilter.c b/runtime/tools/ccfilter.c
index ae1443e20..269e4ee66 100644
--- a/runtime/tools/ccfilter.c
+++ b/runtime/tools/ccfilter.c
@@ -249,14 +249,15 @@ int main( int argc, char *argv[] )
stay = (echogets(Line2, echo) != NULL);
while ( stay && (Line2[0] == '|') )
- { for (p=&Line2[2]; (*p) && (isspace((unsigned char)*p)); p++);
- strcat( Reason, ": " );
- strcat( Reason, p );
+ { size_t n;
+ for (p=&Line2[2]; (*p) && (isspace((unsigned char)*p)); p++);
+ n = strlen(Reason);
+ snprintf( Reason + n, LINELENGTH - n, ": %s", p );
Line2[0] = 0;
stay = (echogets(Line2, echo) != NULL);
}
prefetch = 1;
- strcpy( Line, Line2 );
+ snprintf( Line, LINELENGTH, "%s", Line2 );
break;
case COMPILER_IRIX:
Col = 1;
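Review bot: The bounds in the new `snprintf` calls are written as `LINELENGTH` instead of being derived from the destination, so they are only correct if `Reason` and `Line` are arrays of at least `LINELENGTH` bytes; their declarations are outside this hunk. If they are arrays, `snprintf( Reason + n, sizeof Reason - n, ": %s", p );` and `snprintf( Line, sizeof Line, "%s", Line2 );` keep the limit tied to the buffer should a size ever change. `LINELENGTH - n` is an unsigned subtraction that would wrap to a very large size if `n` ever reached `LINELENGTH`, so a guard such as `if (n < LINELENGTH)` before the append is cheap insurance. The same applies to the `Line + n` append in the second hunk; the enclosing `main` starts and ends outside both hunks.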
@@ -291,8 +292,8 @@ int main( int argc, char *argv[] )
prefetch = 0;
}
else
- { strcat( Line, "
" );
- strcat( Line, Line2 );
+ { size_t n = strlen(Line);
+ snprintf( Line + n, LINELENGTH - n, "
%s", Line2 );
}
}
}
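Review bot: The result of `snprintf` is discarded at the `Line + n` append, so a joined message that does not fit is cut off silently and the rest of the filter works on a partial diagnostic. The overflow is prevented, but the tail of a long compiler message can be lost without any indication. Consider storing the return value in an `int r` and treating `r < 0 || (size_t)r >= LINELENGTH - n` as truncation, for example by reporting it on stderr, or at least add a comment such as `/* output is truncated to fit LINELENGTH */`. The `Reason` append and the `Line` copy in the first hunk drop the result the same way.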