Commits

Bram Moolenaar  committed c5e47b7

updated for version 7.3.160
Problem: Unsafe string copying.
Solution: Use vim_strncpy() instead of strcpy(). Use vim_strcat() instead
of strcat().

  • Participants
  • Parent commits 9d6d058
  • Tags v7-3-160

Comments (0)

Files changed (13)

File src/buffer.c

 	    /* format: "fname + (path) (1 of 2) - VIM" */
 
 	    if (curbuf->b_fname == NULL)
-		STRCPY(buf, _("[No Name]"));
+		vim_strncpy(buf, (char_u *)_("[No Name]"), IOSIZE - 100);
 	    else
 	    {
 		p = transstr(gettail(curbuf->b_fname));
 	    if (serverName != NULL)
 	    {
 		STRCAT(buf, " - ");
-		STRCAT(buf, serverName);
+		vim_strcat(buf, serverName, IOSIZE);
 	    }
 	    else
 #endif

File src/ex_docmd.c

 		char_u	buff[IOSIZE];
 
 		if (n == 1)
-		    STRCPY(buff, _("1 more file to edit.  Quit anyway?"));
+		    vim_strncpy(buff,
+			    (char_u *)_("1 more file to edit.  Quit anyway?"),
+								  IOSIZE - 1);
 		else
 		    vim_snprintf((char *)buff, IOSIZE,
 			      _("%d more files to edit.  Quit anyway?"), n);

File src/hardcopy.c

 {
     char_u	buffer[MAXPATHL + 1];
 
-    STRCPY(resource->name, name);
+    vim_strncpy(resource->name, (char_u *)name, 63);
     /* Look for named resource file in runtimepath */
     STRCPY(buffer, "print");
     add_pathsep(buffer);
-    STRCAT(buffer, name);
-    STRCAT(buffer, ".ps");
+    vim_strcat(buffer, (char_u *)name, MAXPATHL);
+    vim_strcat(buffer, (char_u *)".ps", MAXPATHL);
     resource->filename[0] = NUL;
     return (do_in_runtimepath(buffer, FALSE, prt_resource_name,
 							   resource->filename)
     int		idx;
 {
     static vimmenu_T	*menu = NULL;
-    static char_u	tbuffer[256]; /*hack*/
+#define TBUFFER_LEN 256
+    static char_u	tbuffer[TBUFFER_LEN]; /*hack*/
     char_u		*str;
 #ifdef FEAT_MULTI_LANG
     static  int		should_advance = FALSE;
 	{
 #ifdef FEAT_MULTI_LANG
 	    if (should_advance)
-		STRCPY(tbuffer, menu->en_dname);
+		vim_strncpy(tbuffer, menu->en_dname, TBUFFER_LEN - 2);
 	    else
 	    {
 #endif
-		STRCPY(tbuffer, menu->dname);
+		vim_strncpy(tbuffer, menu->dname,  TBUFFER_LEN - 2);
 #ifdef FEAT_MULTI_LANG
 		if (menu->en_dname == NULL)
 		    should_advance = TRUE;
 	if (pn == 1)
 	{
 	    if (n > 0)
-		STRCPY(msg_buf, _("1 more line"));
+		vim_strncpy(msg_buf, (char_u *)_("1 more line"),
+							     MSG_BUF_LEN - 1);
 	    else
-		STRCPY(msg_buf, _("1 line less"));
+		vim_strncpy(msg_buf, (char_u *)_("1 line less"),
+							     MSG_BUF_LEN - 1);
 	}
 	else
 	{
 	    if (n > 0)
-		sprintf((char *)msg_buf, _("%ld more lines"), pn);
+		vim_snprintf((char *)msg_buf, MSG_BUF_LEN,
+						     _("%ld more lines"), pn);
 	    else
-		sprintf((char *)msg_buf, _("%ld fewer lines"), pn);
+		vim_snprintf((char *)msg_buf, MSG_BUF_LEN,
+						    _("%ld fewer lines"), pn);
 	}
 	if (got_int)
-	    STRCAT(msg_buf, _(" (Interrupted)"));
+	    vim_strcat(msg_buf, (char_u *)_(" (Interrupted)"), MSG_BUF_LEN);
 	if (msg(msg_buf))
 	{
 	    set_keep_msg(msg_buf, 0);
 }
 
 /*
+ * Like strcat(), but make sure the result fits in "tosize" bytes and is
+ * always NUL terminated.
+ */
+    void
+vim_strcat(to, from, tosize)
+    char_u	*to;
+    char_u	*from;
+    size_t	tosize;
+{
+    size_t tolen = STRLEN(to);
+    size_t fromlen = STRLEN(from);
+
+    if (tolen + fromlen + 1 > tosize)
+    {
+	mch_memmove(to + tolen, from, tosize - tolen - 1);
+	to[tosize - 1] = NUL;
+    }
+    else
+	STRCPY(to + tolen, from);
+}
+
+/*
  * Isolate one part of a string option where parts are separated with
  * "sep_chars".
  * The part is copied into "buf[maxlen]".

File src/netbeans.c

     }
     else
     {
-	char_u ebuf[BUFSIZ];
-
-	STRCPY(ebuf, (char_u *)_("E505: "));
-	STRCAT(ebuf, IObuff);
-	STRCAT(ebuf, (char_u *)_("is read-only (add ! to override)"));
-	STRCPY(IObuff, ebuf);
-	nbdebug(("    %s\n", ebuf ));
-	emsg(IObuff);
+	char_u msgbuf[IOSIZE];
+
+	vim_snprintf((char *)msgbuf, IOSIZE,
+		_("E505: %s is read-only (add ! to override)"), IObuff);
+	nbdebug(("    %s\n", msgbuf));
+	emsg(msgbuf);
     }
 }
 

File src/os_unix.c

 	if (shell_style == STYLE_PRINT && !did_find_nul)
 	{
 	    /* If there is a NUL, set did_find_nul, else set check_spaces */
+	    buffer[len] = NUL;
 	    if (len && (int)STRLEN(buffer) < (int)len - 1)
 		did_find_nul = TRUE;
 	    else
 	    xterm_hints.x = 2;
 	return TRUE;
     }
-    if (mouse_code == NULL)
+    if (mouse_code == NULL || STRLEN(mouse_code) > 45)
     {
 	xterm_trace = 0;
 	return FALSE;

File src/proto/misc2.pro

 void copy_chars __ARGS((char_u *ptr, size_t count, int c));
 void del_trailing_spaces __ARGS((char_u *ptr));
 void vim_strncpy __ARGS((char_u *to, char_u *from, size_t len));
+void vim_strcat __ARGS((char_u *to, char_u *from, size_t tosize));
 int copy_option_part __ARGS((char_u **option, char_u *buf, int maxlen, char *sep_chars));
 void vim_free __ARGS((void *x));
 int vim_stricmp __ARGS((char *s1, char *s2));
 			    if (ae->ae_add == NULL)
 				*newword = NUL;
 			    else
-				STRCPY(newword, ae->ae_add);
+				vim_strncpy(newword, ae->ae_add, MAXWLEN - 1);
 			    p = word;
 			    if (ae->ae_chop != NULL)
 			    {
 			else
 			{
 			    /* suffix: chop/add at the end of the word */
-			    STRCPY(newword, word);
+			    vim_strncpy(newword, word, MAXWLEN - 1);
 			    if (ae->ae_chop != NULL)
 			    {
 				/* Remove chop string. */
      * Write the .sug file.
      * Make the file name by changing ".spl" to ".sug".
      */
-    STRCPY(fname, wfname);
+    vim_strncpy(fname, wfname, MAXPATHL - 1);
     len = (int)STRLEN(fname);
     fname[len - 2] = 'u';
     fname[len - 1] = 'g';
 
 	    /* The suggested word may replace only part of the bad word, add
 	     * the not replaced part. */
-	    STRCPY(wcopy, stp->st_word);
+	    vim_strncpy(wcopy, stp->st_word, MAXWLEN);
 	    if (sug.su_badlen > stp->st_orglen)
 		vim_strncpy(wcopy + stp->st_wordlen,
 					       sug.su_badptr + stp->st_orglen,
 	pbad = badsound2;
     }
 
-    if (lendiff > 0)
+    if (lendiff > 0 && stp->st_wordlen + lendiff < MAXWLEN)
     {
 	/* Add part of the bad word to the good word, so that we soundfold
 	 * what replaces the bad word. */
     for (i = gap->ga_len - 1; i >= 0; --i)
     {
 	/* Need to append what follows to check for "the the". */
-	STRCPY(longword, stp[i].st_word);
+	vim_strncpy(longword, stp[i].st_word, MAXWLEN);
 	len = stp[i].st_wordlen;
 	vim_strncpy(longword + len, su->su_badptr + stp[i].st_orglen,
 							       MAXWLEN - len);
 	*t = NUL;
     }
     else
-	STRCPY(word, s);
+	vim_strncpy(word, s, MAXWLEN - 1);
 
     smp = (salitem_T *)slang->sl_sal.ga_data;
 

File src/syntax.c

 		if (iarg & hl_attr_table[i])
 		{
 		    if (buf[0] != NUL)
-			STRCAT(buf, ",");
-		    STRCAT(buf, hl_name_table[i]);
+			vim_strcat(buf, (char_u *)",", 100);
+		    vim_strcat(buf, (char_u *)hl_name_table[i], 100);
 		    iarg &= ~hl_attr_table[i];	    /* don't want "inverse" */
 		}
 	    }
 		    p = tag_full_fname(&tagp);
 		    if (p == NULL)
 			continue;
-		    STRCPY(fname, p);
+		    vim_strncpy(fname, p, MAXPATHL);
 		    vim_free(p);
 
 		    /*

File src/version.c

 static int included_patches[] =
 {   /* Add new patch number below this line */
 /**/
+    160,
+/**/
     159,
 /**/
     158,