From 1afdcb8f2b3b63e241adecc0e0d5aad98d3640ea Mon Sep 17 00:00:00 2001 From: Jan Edmund Lazo Date: Sun, 21 Dec 2025 23:59:28 -0500 Subject: [PATCH] vim-patch:9.0.1899: potential buffer overflow in PBYTE macro Problem: potential buffer overflow in PBYTE macro Solution: Check returned memline length closes: vim/vim#13083 the PBYTE macro is used to put byte c at a position lp of the returned memline. However, in case of unexpected errors ml_get_buf() may return either "???" or an empty line in which case it is quite likely that we are causing a buffer overrun. Therefore, switch the macro PBYTE (which is only used in ops.c anyhow) to a function, that verifies that we will only try to access within the given length of the buffer. Also, since the macro is only used in ops.c, move the definition from macros.h to ops.c https://github.com/vim/vim/commit/ffb13674d1af1c90beb229867ec989e4fb232df3 Co-authored-by: Christian Brabandt --- src/nvim/ops.c | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/src/nvim/ops.c b/src/nvim/ops.c index 88d98790c2..366dd662bf 100644 --- a/src/nvim/ops.c +++ b/src/nvim/ops.c @@ -1046,11 +1046,20 @@ static void mb_adjust_opend(oparg_T *oap) } } -/// Put character 'c' at position 'lp' -static inline void pbyte(pos_T lp, int c) +/// put byte 'c' at position 'lp', but +/// verify, that the position to place +/// is actually safe +static void pbyte(pos_T lp, int c) { assert(c <= UCHAR_MAX); - *(ml_get_buf_mut(curbuf, lp.lnum) + lp.col) = (char)c; + char *p = ml_get_buf_mut(curbuf, lp.lnum); + colnr_T len = curbuf->b_ml.ml_line_len; + + // safety check + if (lp.col >= len) { + lp.col = (len > 1 ? len - 2 : 0); + } + *(p + lp.col) = (char)c; if (!curbuf_splice_pending) { extmark_splice_cols(curbuf, (int)lp.lnum - 1, lp.col, 1, 1, kExtmarkUndo); }