mirror of
				https://github.com/neovim/neovim.git
				synced 2025-10-26 04:17:01 +00:00 
			
		
		
		
	fix(userfunc): fix possible out of bound access
In file included from /usr/include/string.h:535,
                 from gsrc/nvim/eval/userfunc.c:11:
In function ‘strcpy’,
    inlined from ‘cat_func_name’ at gsrc/nvim/eval/userfunc.c:662:5,
    inlined from ‘get_user_func_name’ at gsrc/nvim/eval/userfunc.c:2854:5:
/usr/include/bits/string_fortified.h:79:10: warning: ‘__builtin___strcpy_chk’ offset 0 from the object at ‘<unknown>’ is out of the bounds of referenced subobject ‘uf_name’ with ty
pe ‘char[]’ at offset 0 [-Warray-bounds=]
   79 |   return __builtin___strcpy_chk (__dest, __src, __glibc_objsize (__dest));
      |          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In file included from gsrc/nvim/eval/typval.h:10,
                 from gsrc/nvim/buffer_defs.h:20,
                 from gsrc/nvim/autocmd.h:8,
                 from gsrc/nvim/eval/userfunc.c:15:
gsrc/nvim/eval/typval_defs.h: In function ‘get_user_func_name’:
gsrc/nvim/eval/typval_defs.h:342:8: note: subobject ‘uf_name’ declared here
  342 |   char uf_name[];    ///< Name of function (actual size equals name);
      |        ^~~~~~~
			
			
This commit is contained in:
		| @@ -653,14 +653,20 @@ ufunc_T *find_func(const char *name) | |||||||
| /// Copy the function name of "fp" to buffer "buf". | /// Copy the function name of "fp" to buffer "buf". | ||||||
| /// "buf" must be able to hold the function name plus three bytes. | /// "buf" must be able to hold the function name plus three bytes. | ||||||
| /// Takes care of script-local function names. | /// Takes care of script-local function names. | ||||||
| static void cat_func_name(char *buf, ufunc_T *fp) | static void cat_func_name(char *buf, size_t buflen, ufunc_T *fp) | ||||||
| { | { | ||||||
|   if ((uint8_t)fp->uf_name[0] == K_SPECIAL) { |   int len = -1; | ||||||
|     STRCPY(buf, "<SNR>"); |   size_t uflen = strlen(fp->uf_name); | ||||||
|     STRCAT(buf, fp->uf_name + 3); |   assert(uflen > 0); | ||||||
|  |  | ||||||
|  |   if ((uint8_t)fp->uf_name[0] == K_SPECIAL && uflen > 3) { | ||||||
|  |     len = snprintf(buf, buflen, "<SNR>%s", fp->uf_name + 3); | ||||||
|   } else { |   } else { | ||||||
|     STRCPY(buf, fp->uf_name); |     len = snprintf(buf, buflen, "%s", fp->uf_name); | ||||||
|   } |   } | ||||||
|  |  | ||||||
|  |   (void)len;  // Avoid unused warning on release builds | ||||||
|  |   assert(len > 0); | ||||||
| } | } | ||||||
|  |  | ||||||
| /// Add a number variable "name" to dict "dp" with value "nr". | /// Add a number variable "name" to dict "dp" with value "nr". | ||||||
| @@ -2851,7 +2857,7 @@ char *get_user_func_name(expand_T *xp, int idx) | |||||||
|       return fp->uf_name;  // Prevent overflow. |       return fp->uf_name;  // Prevent overflow. | ||||||
|     } |     } | ||||||
|  |  | ||||||
|     cat_func_name(IObuff, fp); |     cat_func_name(IObuff, IOSIZE, fp); | ||||||
|     if (xp->xp_context != EXPAND_USER_FUNC) { |     if (xp->xp_context != EXPAND_USER_FUNC) { | ||||||
|       STRCAT(IObuff, "("); |       STRCAT(IObuff, "("); | ||||||
|       if (!fp->uf_varargs && GA_EMPTY(&fp->uf_args)) { |       if (!fp->uf_varargs && GA_EMPTY(&fp->uf_args)) { | ||||||
|   | |||||||
		Reference in New Issue
	
	Block a user
	 Andreas Schneider
					Andreas Schneider