mirrors/neovim
1
0
Fork 0
mirror of https://github.com/neovim/neovim.git synced 2025-09-06 03:18:16 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix(userfunc): fix possible out of bound access

Browse Source 
In file included from /usr/include/string.h:535,
                 from gsrc/nvim/eval/userfunc.c:11:
In function ‘strcpy’,
    inlined from ‘cat_func_name’ at gsrc/nvim/eval/userfunc.c:662:5,
    inlined from ‘get_user_func_name’ at gsrc/nvim/eval/userfunc.c:2854:5:
/usr/include/bits/string_fortified.h:79:10: warning: ‘__builtin___strcpy_chk’ offset 0 from the object at ‘<unknown>’ is out of the bounds of referenced subobject ‘uf_name’ with ty
pe ‘char[]’ at offset 0 [-Warray-bounds=]
   79 |   return __builtin___strcpy_chk (__dest, __src, __glibc_objsize (__dest));
      |          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In file included from gsrc/nvim/eval/typval.h:10,
                 from gsrc/nvim/buffer_defs.h:20,
                 from gsrc/nvim/autocmd.h:8,
                 from gsrc/nvim/eval/userfunc.c:15:
gsrc/nvim/eval/typval_defs.h: In function ‘get_user_func_name’:
gsrc/nvim/eval/typval_defs.h:342:8: note: subobject ‘uf_name’ declared here
  342 |   char uf_name[];    ///< Name of function (actual size equals name);
      |        ^~~~~~~

(cherry picked from commit 9802de9334)
This commit is contained in:
Andreas Schneider
2023-04-21 11:07:56 +02:00
committed by github-actions[bot]
parent 6bd73ed2d9
commit 6ba14ff182
1 changed files with 12 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
src/nvim/eval/userfunc.c
View File

@@ -594,14 +594,20 @@ ufunc_T *find_func(const char *name)
/// Copy the function name of "fp" to buffer "buf". /// Copy the function name of "fp" to buffer "buf".
/// "buf" must be able to hold the function name plus three bytes. /// "buf" must be able to hold the function name plus three bytes.
/// Takes care of script-local function names. /// Takes care of script-local function names.
static void cat_func_name(char *buf, ufunc_T *fp) static void cat_func_name(char *buf, size_t buflen, ufunc_T *fp)
{ {
if ((uint8_t)fp->uf_name[0] == K_SPECIAL) { int len = -1;
STRCPY(buf, "<SNR>"); size_t uflen = strlen(fp->uf_name);
STRCAT(buf, fp->uf_name + 3); assert(uflen > 0);
if ((uint8_t)fp->uf_name[0] == K_SPECIAL && uflen > 3) {
len = snprintf(buf, buflen, "<SNR>%s", fp->uf_name + 3);
} else { } else {
STRCPY(buf, fp->uf_name); len = snprintf(buf, buflen, "%s", fp->uf_name);
} }
(void)len; // Avoid unused warning on release builds
assert(len > 0);
} }
/// Add a number variable "name" to dict "dp" with value "nr". /// Add a number variable "name" to dict "dp" with value "nr".
@@ -2746,7 +2752,7 @@ char *get_user_func_name(expand_T *xp, int idx)
return fp->uf_name; // Prevent overflow. return fp->uf_name; // Prevent overflow.
} }
cat_func_name(IObuff, fp); cat_func_name(IObuff, IOSIZE, fp);
if (xp->xp_context != EXPAND_USER_FUNC) { if (xp->xp_context != EXPAND_USER_FUNC) {
STRCAT(IObuff, "("); STRCAT(IObuff, "(");
if (!fp->uf_varargs && GA_EMPTY(&fp->uf_args)) { if (!fp->uf_varargs && GA_EMPTY(&fp->uf_args)) {