mirrors/neovim
1
0
Fork 0
mirror of https://github.com/neovim/neovim.git synced 2025-09-06 03:18:16 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix: invalid buffer size argument to snprintf #22729

Browse Source 
Problem:
Crash in findtags_add_match with FORTIFY_SOURCE=3.
Note: Fedora 38 packages are now built with -D_FORTIFY_SOURCE=3 by default.
1. Compile with overflow protection.
2. nvim --clean
3. :h <Space> <Tab>
4. `*** overflow detected ***: terminated`

The additional checks for the stated buffer size and the actual bounds
of the buffer do not match. See `___snprintf_chk` in the glibc sources:
https://sourceware.org/git/?p=glibc.git;a=blob;f=debug/snprintf_chk.c;h=59577de076c570b81307dd31c8c73e265808cf4c;hb=HEAD#l28

Solution:
Fix arithmetic error: The length of the previously written data is now
subtracted from the total size of the buffer, instead of added on top.

close #22718
This commit is contained in:
koeleck
2023-03-19 22:32:37 +01:00
committed by GitHub
parent ecc4d0e435
commit 84027f7515
1 changed files with 4 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
src/nvim/tag.c
View File

@@ -1947,6 +1947,7 @@ static void findtags_add_match(findtags_state_T *st, tagptrs_T *tagpp, findtags_
const bool name_only = (st->flags & TAG_NAMES); const bool name_only = (st->flags & TAG_NAMES);
int mtt; int mtt;
size_t len = 0; size_t len = 0;
size_t mfp_size = 0;
bool is_current; // file name matches bool is_current; // file name matches
bool is_static; // current tag line is static bool is_static; // current tag line is static
char *mfp; char *mfp;
@@ -1990,13 +1991,14 @@ static void findtags_add_match(findtags_state_T *st, tagptrs_T *tagpp, findtags_
// The format is {tagname}@{lang}NUL{heuristic}NUL // The format is {tagname}@{lang}NUL{heuristic}NUL
*tagpp->tagname_end = NUL; *tagpp->tagname_end = NUL;
len = (size_t)(tagpp->tagname_end - tagpp->tagname); len = (size_t)(tagpp->tagname_end - tagpp->tagname);
mfp = xmalloc(sizeof(char) + len + 10 + ML_EXTRA + 1); mfp_size = sizeof(char) + len + 10 + ML_EXTRA + 1;
mfp = xmalloc(mfp_size);
p = mfp; p = mfp;
STRCPY(p, tagpp->tagname); STRCPY(p, tagpp->tagname);
p[len] = '@'; p[len] = '@';
STRCPY(p + len + 1, st->help_lang); STRCPY(p + len + 1, st->help_lang);
snprintf(p + len + 1 + ML_EXTRA, strlen(p) + len + 1 + ML_EXTRA, "%06d", snprintf(p + len + 1 + ML_EXTRA, mfp_size - (len + 1 + ML_EXTRA), "%06d",
help_heuristic(tagpp->tagname, help_heuristic(tagpp->tagname,
margs->match_re ? margs->matchoff : 0, margs->match_re ? margs->matchoff : 0,
!margs->match_no_ic) + st->help_pri); !margs->match_no_ic) + st->help_pri);