authorChristian Brabandt <cb@256bit.org>2026-04-01 15:03:58 +0000
committerChristian Brabandt <cb@256bit.org>2026-04-01 15:06:21 +0000
commitb2e55ed1d6c9d9af0e1afa6deedf0fec7a49c8c8 (patch)
treeae8f5e79bce999a5928f4c2d71e3bfb6b07713cb /src/viminfo.c
parent3e60f03d942d6bb0f7eac61b149e83615518cec0 (diff)
patch 9.2.0278: viminfo: heap buffer overflow when reading viminfo file
Problem:  Reading a crafted viminfo file can cause a heap buffer overflow because the length value from getdigits() is cast to int, truncating large size_t values.
Solution: Remove the (int) cast when calling alloc() (sentinel404)

Signed-off-by: Christian Brabandt <cb@256bit.org>
Diffstat (limited to 'src/viminfo.c')
-rw-r--r--src/viminfo.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/src/viminfo.c b/src/viminfo.c
index 9b60ec5945..8b6aa3e70a 100644
--- a/src/viminfo.c
+++ b/src/viminfo.c
@@ -1054,7 +1054,7 @@ barline_parse(vir_T *virp, char_u *text, garray_T *values)
// Length includes the quotes.
++p;
len = getdigits(&p);
- buf = alloc((int)(len + 1));
+ buf = alloc(len + 1);
if (buf == NULL)
return TRUE;
p = buf;
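Review bot: The length parsed by `getdigits(&p)` still comes straight from the viminfo file and reaches `alloc(len + 1)` with no upper bound, so dropping the cast fixes the truncation but leaves the allocation size entirely controlled by file content. If `len` is an unsigned type, as the commit message suggests (its declaration is outside this hunk), `len + 1` also wraps to zero at the type's maximum value; a guard before the allocation such as `if (len >= MAX_LEN_PLACEHOLDER) return TRUE;` (the bound name is a placeholder, not an existing macro) would cover both cases and matches the existing failure return. A one-line comment above the call, for example `// len is read from the file; do not narrow it before alloc()`, would help keep the cast from being reintroduced. barline_parse continues past the end of the hunk, so the copy loop that consumes `len` is not visible here and should be checked against the same bound.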