kevin/neovim
1
Fork 0
mirror of https://github.com/neovim/neovim.git synced 2024-12-19 18:55:14 -07:00
Code Issues Packages Projects Releases Wiki Activity

fix(coverity/497355): shada_read_when_writing out of bounds read #30665

Browse Source 
Problem:
There appears to be an intentional array out of bounds read when
indexing global and numbered marks since they are adjacent in the struct
that holds them.

Solution:
Explicitly index numeric marks array to avoid reading out of bounds from
global marks array.
This commit is contained in:
Devon Gardner 2024-10-05 14:18:00 +00:00 committed by GitHub
parent 988482d942
commit ff7832ad3f
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 7 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
src/nvim/shada.c
View File

@ -1886,13 +1886,18 @@ static inline ShaDaWriteResult shada_read_when_writing(FileDescriptor *const sd_
shada_free_shada_entry(&entry); shada_free_shada_entry(&entry);
break; break;
} }
if (wms->global_marks[idx].data.type == kSDItemMissing) {
// Global or numbered mark.
PossiblyFreedShadaEntry *mark
= idx < 26 ? &wms->global_marks[idx] : &wms->numbered_marks[idx];
if (mark->data.type == kSDItemMissing) {
if (namedfm[idx].fmark.timestamp >= entry.timestamp) { if (namedfm[idx].fmark.timestamp >= entry.timestamp) {
shada_free_shada_entry(&entry); shada_free_shada_entry(&entry);
break; break;
} }
} }
COMPARE_WITH_ENTRY(&wms->global_marks[idx], entry); COMPARE_WITH_ENTRY(mark, entry);
} }
break; break;
case kSDItemChange: case kSDItemChange: