| author | zeertzjq <zeertzjq@outlook.com> | 2026-04-23 13:41:43 +0800 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2026-04-23 05:41:43 +0000 |
| commit | a4ad469fb1f935aed6f84cfa9e663ab4f7ca1e02 (patch) | |
| tree | 28311a01f3d5759667f4879d5cf3bb60f8c6d95c /runtime/lua/vim/_core/stringbuffer.lua | |
| parent | db2f6a8a918f33abf10959949fb9e2a2f82dae4f (diff) | |
vim-patch:partial:9.2.0315: missing bound-checks (#39334)

Problem: missing bound-checks
Solution: Add defensive guards against potential buffer overflow
(Yasuhiro Matsumoto)

Add bounds checking and integer overflow guards across multiple files
as a defensive measure. While these code paths are unlikely to be
exploitable in practice, the guards prevent undefined behavior in
edge cases.

- libvterm/vterm.c: use heap tmpbuffer instead of stack buffer in
  vsprintf() fallback path
- channel.c: validate len in channel_consume() before mch_memmove()
- spell.c: use long instead of int for addlen to avoid signed overflow
  in size_t subtraction
- alloc.c: add SIZE_MAX overflow check in ga_grow_inner() before
  itemsize multiplication
- list.c: add overflow check before count * sizeof(listitem_T)
- popupwin.c: add overflow check before width * height allocation
- insexpand.c: add overflow check before compl_num_bests multiplication
- regexp_bt.c: replace sprintf() with vim_snprintf() in regprop()
- spellfile.c: use SIZE_MAX instead of LONG_MAX for allocation overflow
  check

closes: vim/vim#19904

https://github.com/vim/vim/commit/8d23fcb603d8f8938ce0023086326a5db6780ea2

Co-authored-by: Yasuhiro Matsumoto <mattn.jp@gmail.com>
Diffstat (limited to 'runtime/lua/vim/_core/stringbuffer.lua')
0 files changed, 0 insertions, 0 deletions
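
Two of the guard patterns the commit message names, a SIZE_MAX check before an itemsize multiplication and a length validation before a memmove, shown as an added example. This is not code from the Vim or Neovim patch; `grow_array`, `mul_size_checked`, `grow_array_reserve` and `grow_array_consume` are hypothetical names used only for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical growable array for illustration; not Vim's garray_T. */
typedef struct { void *data; size_t len, cap, itemsize; } grow_array;

/* Store a*b in *out and return 1, or return 0 if it would exceed SIZE_MAX. */
static int mul_size_checked(size_t a, size_t b, size_t *out) {
    if (a != 0 && b > SIZE_MAX / a)
        return 0;
    *out = a * b;
    return 1;
}

/* Make room for n more items; 0 on success, -1 on overflow or OOM. */
static int grow_array_reserve(grow_array *ga, size_t n) {
    size_t want, bytes;
    void *p;
    if (ga->itemsize == 0 || n > SIZE_MAX - ga->len) /* len + n would wrap */
        return -1;
    want = ga->len + n;
    if (want <= ga->cap)
        return 0;
    if (!mul_size_checked(want, ga->itemsize, &bytes)) /* check, then multiply */
        return -1;
    if ((p = realloc(ga->data, bytes)) == NULL)
        return -1;
    ga->data = p;
    ga->cap = want;
    return 0;
}

/* Drop the first n items; n is validated so (len - n) cannot wrap. */
static int grow_array_consume(grow_array *ga, size_t n) {
    if (n > ga->len)
        return -1;
    if (n > 0 && n < ga->len)
        memmove(ga->data, (char *)ga->data + n * ga->itemsize, (ga->len - n) * ga->itemsize);
    ga->len -= n;
    return 0;
}

int main(void) {
    grow_array ga = { NULL, 0, 0, sizeof(int) };
    printf("reserve(SIZE_MAX/2)=%d consume(1)=%d\n",
           grow_array_reserve(&ga, SIZE_MAX / 2), grow_array_consume(&ga, 1));
    return 0;
}
```

Both failure paths return before touching the array, so a rejected request leaves `data`, `len` and `cap` exactly as they were.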
