patch 9.2.0186: heap buffer overflow with long generic function name
Commit:
https://github.com/vim/vim/commit/f9bed026acb6e9222d93098f4cb96b2595fadbbe
Author: Kaixuan Li <
kaixua...@gmail.com>
Date: Tue Mar 17 19:07:53 2026 +0000
patch 9.2.0186: heap buffer overflow with long generic function name
Problem: Using a long generic function name may cause a heap buffer
overflow in common_function().
Solution: Allocate memory for the full name instead of using IObuff
(Kaixuan Li).
closes: #19727
Signed-off-by: Kaixuan Li <
kaixua...@gmail.com>
Signed-off-by: Yegappan Lakshmanan <
yega...@yahoo.com>
Signed-off-by: Christian Brabandt <
c...@256bit.org>
diff --git a/src/evalfunc.c b/src/evalfunc.c
index 6d40794c0..f790aa826 100644
--- a/src/evalfunc.c
+++ b/src/evalfunc.c
@@ -5436,9 +5436,13 @@ common_function(typval_T *argvars, typval_T *rettv, int is_funcref)
else
{
// generic function
- STRCPY(IObuff, name);
- STRCAT(IObuff, start_bracket);
- rettv->vval.v_string = vim_strsave(IObuff);
+ size_t len = STRLEN(name) + STRLEN(start_bracket);
+ rettv->vval.v_string = alloc(len + 1);
+ if (rettv->vval.v_string != NULL)
+ {
+ STRCPY(rettv->vval.v_string, name);
+ STRCAT(rettv->vval.v_string, start_bracket);
+ }
vim_free(name);
}
}
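Review bot: The open-coded `alloc()` + `STRCPY` + `STRCAT` sequence in the generic-function branch can be replaced by the existing helper, `rettv->vval.v_string = concat_str(name, start_bracket);`, which sizes the buffer from both strings in one place and leaves no separate length arithmetic to drift from the copies. If the explicit form is kept, add a comment such as `// name is caller-supplied and can exceed IObuff; size the buffer from the strings` so the shared buffer is not reintroduced later. On allocation failure `v_string` stays NULL and execution continues; whether the rest of common_function() tolerates that is not visible here, because the function starts and ends outside the hunk. The accompanying Test_function_long_generic_name() calls function() and funcref() without asserting on the result, so it presumably catches a regression only when the suite runs under a memory checker.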
diff --git a/src/testdir/test_vimscript.vim b/src/testdir/test_vimscript.vim
index a79c68279..9248c5d6b 100644
--- a/src/testdir/test_vimscript.vim
+++ b/src/testdir/test_vimscript.vim
@@ -7689,6 +7689,19 @@ func Test_catch_pattern_trailing_chars()
bw!
endfunc
+" Test for long gerneric type name {{{1
+func Test_function_long_generic_name()
+ func TestFunc()
+ return
+ endfunc
+
+ let name = 'TestFunc<' .. repeat('T', 1100) .. '>'
+
+ call function(name)
+ call funcref(name)
+ delfunc TestFunc
+endfunc
+
"-------------------------------------------------------------------------------
" Modelines {{{1
" vim: ts=8 sw=2 sts=2 expandtab tw=80 fdm=marker
diff --git a/src/version.c b/src/version.c
index 1f2cf0ec2..05bc54c3a 100644
--- a/src/version.c
+++ b/src/version.c
@@ -734,6 +734,8 @@ static char *(features[]) =
static int included_patches[] =
{ /* Add new patch number below this line */
+/**/
+ 186,
/**/
185,
/**/