mirrors/neovim
1
0
Fork 0
mirror of https://github.com/neovim/neovim.git synced 2026-06-19 02:01:17 +00:00
Code Issues Packages Projects Releases Wiki Activity

vim-patch:9.2.0436: Buffer overflow when parsing overlong errorformat lines (#39578)

Browse Source 
Problem:  When an error line in a file passed to :cfile / :cgetfile is
          longer than IOSIZE, qf_parse_file_pfx() copies the tail
          into the fixed-size IObuff with STRMOVE(), overflowing the heap buffer.
          The same code path can also loop indefinitely because
          qf_parse_file_pfx() always returns QF_MULTISCAN when a
          tail is present, and qf_init_ext() unconditionally goes
          to "restofline" without bounding the tail length (Nabih).
Solution: Remove the STRMOVE() into IObuff.  In the QF_MULTISCAN
          branch, alias linebuf into the tail directly and update
          linelen, requiring strict progress (new length less than
          the previous length) before retrying; otherwise ignore
          the line.

closes: vim/vim#20126

Supported by AI

77677c33de

Co-authored-by: Christian Brabandt <cb@256bit.org>
(cherry picked from commit 0e69a38026)
This commit is contained in:
zeertzjq
2026-05-04 07:20:16 +08:00
committed by github-actions[bot]
parent 4f22640b86
commit f9f2596288
2 changed files with 30 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
src/nvim/quickfix.c
View File

@@ -1019,6 +1019,13 @@ restofline:
// global file names
status = qf_parse_file_pfx(idx, fields, qfl, tail);
if (status == QF_MULTISCAN) {
char *s = skipwhite(tail);
size_t new_linelen = strlen(s);
if (new_linelen >= linelen) {
return QF_IGNORE_LINE;
}
linebuf = s;
linelen = new_linelen;
goto restofline;
}
}
@@ -1665,7 +1672,7 @@ static int qf_parse_dir_pfx(int idx, qffields_T *fields, qf_list_T *qfl)
}
/// Parse global file name error format prefixes (%O, %P and %Q).
static int qf_parse_file_pfx(int idx, qffields_T *fields, qf_list_T *qfl, char *tail)
static int qf_parse_file_pfx(int idx, qffields_T *fields, qf_list_T *qfl, const char *tail)
{
fields->valid = false;
if (*fields->namebuf == NUL || os_path_exists(fields->namebuf)) {
@@ -1676,7 +1683,6 @@ static int qf_parse_file_pfx(int idx, qffields_T *fields, qf_list_T *qfl, char *
}
*fields->namebuf = NUL;
if (tail && *tail) {
STRMOVE(IObuff, skipwhite(tail));
qfl->qf_multiscan = true;
return QF_MULTISCAN;
}