Commit: patch 9.1.1443: potential buffer underflow in insertchar()
2 views
Skip to first unread message
Christian Brabandt
Jun 9, 2025, 2:45:13 PM6/9/25
to vim...@googlegroups.com
patch 9.1.1443: potential buffer underflow in insertchar()
Commit: https://github.com/vim/vim/commit/82a96e3dc0ee8f45bb0c1fe17a0cec1db7582e8f
Author: jinyaoguo <guo...@purdue.edu>
Date: Mon Jun 9 20:31:17 2025 +0200
patch 9.1.1443: potential buffer underflow in insertchar()
Problem: potential buffer underflow in insertchar()
Solution: verify that end_len is larger than zero
(jinyaoguo)
When parsing the end-comment leader, end_len can be zero if
copy_option_part() writes no characters. The existing check
unconditionally accessed lead_end[end_len-1], causing potential
underflow when end_len == 0.
This change adds an end_len > 0 guard to ensure we only index lead_end
if there is at least one character.
closes: #17476
Signed-off-by: jinyaoguo <guo...@purdue.edu>
Signed-off-by: Christian Brabandt <c...@256bit.org>
diff --git a/src/edit.c b/src/edit.c
index b4e6767f2..9cc55ef3d 100644
--- a/src/edit.c
+++ b/src/edit.c
@@ -2197,7 +2197,7 @@ insertchar(
i -= middle_len;
// Check some expected things before we go on
- if (i >= 0 && lead_end[end_len - 1] == end_comment_pending)
+ if (i >= 0 && end_len > 0 && lead_end[end_len - 1] == end_comment_pending)
{
// Backspace over all the stuff we want to replace
backspace_until_column(i);
diff --git a/src/version.c b/src/version.c
index 6e0081e9b..491b51690 100644
--- a/src/version.c
+++ b/src/version.c
@@ -709,6 +709,8 @@ static char *(features[]) =
static int included_patches[] =
{ /* Add new patch number below this line */
+/**/
+ 1443,
/**/
1442,
/**/
Commit: https://github.com/vim/vim/commit/82a96e3dc0ee8f45bb0c1fe17a0cec1db7582e8f
Author: jinyaoguo <guo...@purdue.edu>
Date: Mon Jun 9 20:31:17 2025 +0200
patch 9.1.1443: potential buffer underflow in insertchar()
Problem: potential buffer underflow in insertchar()
Solution: verify that end_len is larger than zero
(jinyaoguo)
When parsing the end-comment leader, end_len can be zero if
copy_option_part() writes no characters. The existing check
unconditionally accessed lead_end[end_len-1], causing potential
underflow when end_len == 0.
This change adds an end_len > 0 guard to ensure we only index lead_end
if there is at least one character.
closes: #17476
Signed-off-by: jinyaoguo <guo...@purdue.edu>
Signed-off-by: Christian Brabandt <c...@256bit.org>
diff --git a/src/edit.c b/src/edit.c
index b4e6767f2..9cc55ef3d 100644
--- a/src/edit.c
+++ b/src/edit.c
@@ -2197,7 +2197,7 @@ insertchar(
i -= middle_len;
// Check some expected things before we go on
- if (i >= 0 && lead_end[end_len - 1] == end_comment_pending)
+ if (i >= 0 && end_len > 0 && lead_end[end_len - 1] == end_comment_pending)
{
// Backspace over all the stuff we want to replace
backspace_until_column(i);
diff --git a/src/version.c b/src/version.c
index 6e0081e9b..491b51690 100644
--- a/src/version.c
+++ b/src/version.c
@@ -709,6 +709,8 @@ static char *(features[]) =
static int included_patches[] =
{ /* Add new patch number below this line */
+/**/
+ 1443,
/**/
1442,
/**/
Reply all
Reply to author
Forward
0 new messages