vim-patch:8.2.5046: vim_regsub() can overwrite the destination (#18812)

Problem: vim_regsub() can overwrite the destination. Solution: Pass the destination length, give an error when it doesn't fit. 4aaf3e7f4d
2025-12-05 22:22:44 +00:00 · 2022-05-31 19:55:04 +08:00
parent 1a20aed3fb
commit 0c95028688
4 changed files with 75 additions and 37 deletions
--- a/src/nvim/eval.c
+++ b/src/nvim/eval.c
@@ -10413,7 +10413,7 @@ char *do_string_sub(char *str, char *pat, char *sub, typval_T *expr, char *flags
      // - The text up to where the match is.
      // - The substituted text.
      // - The text after the match.
-      sublen = vim_regsub(&regmatch, (char_u *)sub, expr, (char_u *)tail, false, true, false);
+      sublen = vim_regsub(&regmatch, (char_u *)sub, expr, (char_u *)tail, 0, REGSUB_MAGIC);
      ga_grow(&ga, (int)((end - tail) + sublen -
                         (regmatch.endp[0] - regmatch.startp[0])));

@@ -10421,8 +10421,9 @@ char *do_string_sub(char *str, char *pat, char *sub, typval_T *expr, char *flags
      int i = (int)(regmatch.startp[0] - (char_u *)tail);
      memmove((char_u *)ga.ga_data + ga.ga_len, tail, (size_t)i);
      // add the substituted text
-      (void)vim_regsub(&regmatch, (char_u *)sub, expr, (char_u *)ga.ga_data
-                       + ga.ga_len + i, true, true, false);
+      (void)vim_regsub(&regmatch, (char_u *)sub, expr,
+                       (char_u *)ga.ga_data + ga.ga_len + i, sublen,
+                       REGSUB_COPY | REGSUB_MAGIC);
      ga.ga_len += i + sublen - 1;
      tail = (char *)regmatch.endp[0];
      if (*tail == NUL) {