mirror of
https://github.com/neovim/neovim.git
synced 2024-12-26 14:11:15 -07:00
9cc346119b
Problem: [security]: stack-buffer-overflow in option callback functions
Solution: pass size of errbuf down the call stack, use snprintf()
instead of sprintf()
We pass the error buffer down to the option callback functions, but in
some parts of the code, we simply use sprintf(buf) to write into the error
buffer, which can overflow.
So let's pass down the length of the error buffer and use sprintf(buf, size)
instead.
Reported by @henices, thanks!
b39b240c38
Co-authored-by: Christian Brabandt <cb@256bit.org>
34 lines
924 B
Lua
34 lines
924 B
Lua
local helpers = require('test.functional.helpers')(after_each)
|
|
local assert_alive = helpers.assert_alive
|
|
local clear = helpers.clear
|
|
local command = helpers.command
|
|
local feed = helpers.feed
|
|
|
|
before_each(clear)
|
|
|
|
it('no crash when ending Visual mode while editing buffer closes window', function()
|
|
command('new')
|
|
command('autocmd ModeChanged v:n ++once close')
|
|
feed('v')
|
|
command('enew')
|
|
assert_alive()
|
|
end)
|
|
|
|
it('no crash when ending Visual mode close the window to switch to', function()
|
|
command('new')
|
|
command('autocmd ModeChanged v:n ++once only')
|
|
feed('v')
|
|
command('wincmd p')
|
|
assert_alive()
|
|
end)
|
|
|
|
it('no crash when truncating overlong message', function()
|
|
pcall(command, 'source test/old/testdir/crash/vim_msg_trunc_poc')
|
|
assert_alive()
|
|
end)
|
|
|
|
it('no crash with very long option error message', function()
|
|
pcall(command, 'source test/old/testdir/crash/poc_did_set_langmap')
|
|
assert_alive()
|
|
end)
|