To: vim_dev@googlegroups.com Subject: Patch 7.3.160 Fcc: outbox From: Bram Moolenaar Mime-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ------------ Patch 7.3.160 Problem: Unsafe string copying. Solution: Use vim_strncpy() instead of strcpy(). Use vim_strcat() instead of strcat(). Files: src/buffer.c, src/ex_docmd.c, src/hardcopy.c, src/menu.c, src/misc1.c, src/misc2.c, src/proto/misc2.pro, src/netbeans.c, src/os_unix.c, src/spell.c, src/syntax.c, src/tag.c *** ../vim-7.3.159/src/buffer.c 2011-02-15 14:24:42.000000000 +0100 --- src/buffer.c 2011-04-11 16:08:38.000000000 +0200 *************** *** 3176,3182 **** /* format: "fname + (path) (1 of 2) - VIM" */ if (curbuf->b_fname == NULL) ! STRCPY(buf, _("[No Name]")); else { p = transstr(gettail(curbuf->b_fname)); --- 3176,3182 ---- /* format: "fname + (path) (1 of 2) - VIM" */ if (curbuf->b_fname == NULL) ! vim_strncpy(buf, (char_u *)_("[No Name]"), IOSIZE - 100); else { p = transstr(gettail(curbuf->b_fname)); *************** *** 3232,3238 **** if (serverName != NULL) { STRCAT(buf, " - "); ! STRCAT(buf, serverName); } else #endif --- 3232,3238 ---- if (serverName != NULL) { STRCAT(buf, " - "); ! vim_strcat(buf, serverName, IOSIZE); } else #endif *** ../vim-7.3.159/src/ex_docmd.c 2011-03-03 15:54:45.000000000 +0100 --- src/ex_docmd.c 2011-04-11 15:43:48.000000000 +0200 *************** *** 5096,5102 **** char_u buff[IOSIZE]; if (n == 1) ! STRCPY(buff, _("1 more file to edit. Quit anyway?")); else vim_snprintf((char *)buff, IOSIZE, _("%d more files to edit. Quit anyway?"), n); --- 5096,5104 ---- char_u buff[IOSIZE]; if (n == 1) ! vim_strncpy(buff, ! (char_u *)_("1 more file to edit. Quit anyway?"), ! IOSIZE - 1); else vim_snprintf((char *)buff, IOSIZE, _("%d more files to edit. Quit anyway?"), n); *** ../vim-7.3.159/src/hardcopy.c 2010-08-15 21:57:25.000000000 +0200 --- src/hardcopy.c 2011-04-11 15:30:09.000000000 +0200 *************** *** 1761,1772 **** { char_u buffer[MAXPATHL + 1]; ! STRCPY(resource->name, name); /* Look for named resource file in runtimepath */ STRCPY(buffer, "print"); add_pathsep(buffer); ! STRCAT(buffer, name); ! STRCAT(buffer, ".ps"); resource->filename[0] = NUL; return (do_in_runtimepath(buffer, FALSE, prt_resource_name, resource->filename) --- 1761,1772 ---- { char_u buffer[MAXPATHL + 1]; ! vim_strncpy(resource->name, (char_u *)name, 63); /* Look for named resource file in runtimepath */ STRCPY(buffer, "print"); add_pathsep(buffer); ! vim_strcat(buffer, (char_u *)name, MAXPATHL); ! vim_strcat(buffer, (char_u *)".ps", MAXPATHL); resource->filename[0] = NUL; return (do_in_runtimepath(buffer, FALSE, prt_resource_name, resource->filename) *** ../vim-7.3.159/src/menu.c 2011-01-04 17:49:25.000000000 +0100 --- src/menu.c 2011-04-11 15:17:21.000000000 +0200 *************** *** 1394,1400 **** int idx; { static vimmenu_T *menu = NULL; ! static char_u tbuffer[256]; /*hack*/ char_u *str; #ifdef FEAT_MULTI_LANG static int should_advance = FALSE; --- 1394,1401 ---- int idx; { static vimmenu_T *menu = NULL; ! #define TBUFFER_LEN 256 ! static char_u tbuffer[TBUFFER_LEN]; /*hack*/ char_u *str; #ifdef FEAT_MULTI_LANG static int should_advance = FALSE; *************** *** 1428,1438 **** { #ifdef FEAT_MULTI_LANG if (should_advance) ! STRCPY(tbuffer, menu->en_dname); else { #endif ! STRCPY(tbuffer, menu->dname); #ifdef FEAT_MULTI_LANG if (menu->en_dname == NULL) should_advance = TRUE; --- 1429,1439 ---- { #ifdef FEAT_MULTI_LANG if (should_advance) ! vim_strncpy(tbuffer, menu->en_dname, TBUFFER_LEN - 2); else { #endif ! vim_strncpy(tbuffer, menu->dname, TBUFFER_LEN - 2); #ifdef FEAT_MULTI_LANG if (menu->en_dname == NULL) should_advance = TRUE; *** ../vim-7.3.159/src/misc1.c 2011-04-11 14:27:34.000000000 +0200 --- src/misc1.c 2011-04-11 16:03:22.000000000 +0200 *************** *** 3332,3350 **** if (pn == 1) { if (n > 0) ! STRCPY(msg_buf, _("1 more line")); else ! STRCPY(msg_buf, _("1 line less")); } else { if (n > 0) ! sprintf((char *)msg_buf, _("%ld more lines"), pn); else ! sprintf((char *)msg_buf, _("%ld fewer lines"), pn); } if (got_int) ! STRCAT(msg_buf, _(" (Interrupted)")); if (msg(msg_buf)) { set_keep_msg(msg_buf, 0); --- 3332,3354 ---- if (pn == 1) { if (n > 0) ! vim_strncpy(msg_buf, (char_u *)_("1 more line"), ! MSG_BUF_LEN - 1); else ! vim_strncpy(msg_buf, (char_u *)_("1 line less"), ! MSG_BUF_LEN - 1); } else { if (n > 0) ! vim_snprintf((char *)msg_buf, MSG_BUF_LEN, ! _("%ld more lines"), pn); else ! vim_snprintf((char *)msg_buf, MSG_BUF_LEN, ! _("%ld fewer lines"), pn); } if (got_int) ! vim_strcat(msg_buf, (char_u *)_(" (Interrupted)"), MSG_BUF_LEN); if (msg(msg_buf)) { set_keep_msg(msg_buf, 0); *** ../vim-7.3.159/src/misc2.c 2010-12-08 13:11:15.000000000 +0100 --- src/misc2.c 2011-04-11 15:30:20.000000000 +0200 *************** *** 1647,1652 **** --- 1647,1674 ---- } /* + * Like strcat(), but make sure the result fits in "tosize" bytes and is + * always NUL terminated. + */ + void + vim_strcat(to, from, tosize) + char_u *to; + char_u *from; + size_t tosize; + { + size_t tolen = STRLEN(to); + size_t fromlen = STRLEN(from); + + if (tolen + fromlen + 1 > tosize) + { + mch_memmove(to + tolen, from, tosize - tolen - 1); + to[tosize - 1] = NUL; + } + else + STRCPY(to + tolen, from); + } + + /* * Isolate one part of a string option where parts are separated with * "sep_chars". * The part is copied into "buf[maxlen]". *** ../vim-7.3.159/src/proto/misc2.pro 2010-08-15 21:57:28.000000000 +0200 --- src/proto/misc2.pro 2011-04-11 15:29:55.000000000 +0200 *************** *** 40,45 **** --- 40,46 ---- void copy_chars __ARGS((char_u *ptr, size_t count, int c)); void del_trailing_spaces __ARGS((char_u *ptr)); void vim_strncpy __ARGS((char_u *to, char_u *from, size_t len)); + void vim_strcat __ARGS((char_u *to, char_u *from, size_t tosize)); int copy_option_part __ARGS((char_u **option, char_u *buf, int maxlen, char *sep_chars)); void vim_free __ARGS((void *x)); int vim_stricmp __ARGS((char *s1, char *s2)); *** ../vim-7.3.159/src/netbeans.c 2011-04-01 15:33:54.000000000 +0200 --- src/netbeans.c 2011-04-11 16:02:51.000000000 +0200 *************** *** 3914,3927 **** } else { ! char_u ebuf[BUFSIZ]; ! STRCPY(ebuf, (char_u *)_("E505: ")); ! STRCAT(ebuf, IObuff); ! STRCAT(ebuf, (char_u *)_("is read-only (add ! to override)")); ! STRCPY(IObuff, ebuf); ! nbdebug((" %s\n", ebuf )); ! emsg(IObuff); } } --- 3914,3925 ---- } else { ! char_u msgbuf[IOSIZE]; ! vim_snprintf((char *)msgbuf, IOSIZE, ! _("E505: %s is read-only (add ! to override)"), IObuff); ! nbdebug((" %s\n", msgbuf)); ! emsg(msgbuf); } } *** ../vim-7.3.159/src/os_unix.c 2011-02-15 17:39:14.000000000 +0100 --- src/os_unix.c 2011-04-11 16:39:11.000000000 +0200 *************** *** 5725,5730 **** --- 5725,5731 ---- if (shell_style == STYLE_PRINT && !did_find_nul) { /* If there is a NUL, set did_find_nul, else set check_spaces */ + buffer[len] = NUL; if (len && (int)STRLEN(buffer) < (int)len - 1) did_find_nul = TRUE; else *************** *** 6594,6600 **** xterm_hints.x = 2; return TRUE; } ! if (mouse_code == NULL) { xterm_trace = 0; return FALSE; --- 6595,6601 ---- xterm_hints.x = 2; return TRUE; } ! if (mouse_code == NULL || STRLEN(mouse_code) > 45) { xterm_trace = 0; return FALSE; *** ../vim-7.3.159/src/spell.c 2011-02-01 13:59:44.000000000 +0100 --- src/spell.c 2011-04-11 15:50:40.000000000 +0200 *************** *** 6957,6963 **** if (ae->ae_add == NULL) *newword = NUL; else ! STRCPY(newword, ae->ae_add); p = word; if (ae->ae_chop != NULL) { --- 6957,6963 ---- if (ae->ae_add == NULL) *newword = NUL; else ! vim_strncpy(newword, ae->ae_add, MAXWLEN - 1); p = word; if (ae->ae_chop != NULL) { *************** *** 6978,6984 **** else { /* suffix: chop/add at the end of the word */ ! STRCPY(newword, word); if (ae->ae_chop != NULL) { /* Remove chop string. */ --- 6978,6984 ---- else { /* suffix: chop/add at the end of the word */ ! vim_strncpy(newword, word, MAXWLEN - 1); if (ae->ae_chop != NULL) { /* Remove chop string. */ *************** *** 8654,8660 **** * Write the .sug file. * Make the file name by changing ".spl" to ".sug". */ ! STRCPY(fname, wfname); len = (int)STRLEN(fname); fname[len - 2] = 'u'; fname[len - 1] = 'g'; --- 8654,8660 ---- * Write the .sug file. * Make the file name by changing ".spl" to ".sug". */ ! vim_strncpy(fname, wfname, MAXPATHL - 1); len = (int)STRLEN(fname); fname[len - 2] = 'u'; fname[len - 1] = 'g'; *************** *** 10261,10267 **** /* The suggested word may replace only part of the bad word, add * the not replaced part. */ ! STRCPY(wcopy, stp->st_word); if (sug.su_badlen > stp->st_orglen) vim_strncpy(wcopy + stp->st_wordlen, sug.su_badptr + stp->st_orglen, --- 10261,10267 ---- /* The suggested word may replace only part of the bad word, add * the not replaced part. */ ! vim_strncpy(wcopy, stp->st_word, MAXWLEN); if (sug.su_badlen > stp->st_orglen) vim_strncpy(wcopy + stp->st_wordlen, sug.su_badptr + stp->st_orglen, *************** *** 13162,13168 **** pbad = badsound2; } ! if (lendiff > 0) { /* Add part of the bad word to the good word, so that we soundfold * what replaces the bad word. */ --- 13162,13168 ---- pbad = badsound2; } ! if (lendiff > 0 && stp->st_wordlen + lendiff < MAXWLEN) { /* Add part of the bad word to the good word, so that we soundfold * what replaces the bad word. */ *************** *** 13875,13881 **** for (i = gap->ga_len - 1; i >= 0; --i) { /* Need to append what follows to check for "the the". */ ! STRCPY(longword, stp[i].st_word); len = stp[i].st_wordlen; vim_strncpy(longword + len, su->su_badptr + stp[i].st_orglen, MAXWLEN - len); --- 13875,13881 ---- for (i = gap->ga_len - 1; i >= 0; --i) { /* Need to append what follows to check for "the the". */ ! vim_strncpy(longword, stp[i].st_word, MAXWLEN); len = stp[i].st_wordlen; vim_strncpy(longword + len, su->su_badptr + stp[i].st_orglen, MAXWLEN - len); *************** *** 14221,14227 **** *t = NUL; } else ! STRCPY(word, s); smp = (salitem_T *)slang->sl_sal.ga_data; --- 14221,14227 ---- *t = NUL; } else ! vim_strncpy(word, s, MAXWLEN - 1); smp = (salitem_T *)slang->sl_sal.ga_data; *** ../vim-7.3.159/src/syntax.c 2011-04-02 15:12:45.000000000 +0200 --- src/syntax.c 2011-04-11 15:44:30.000000000 +0200 *************** *** 8576,8583 **** if (iarg & hl_attr_table[i]) { if (buf[0] != NUL) ! STRCAT(buf, ","); ! STRCAT(buf, hl_name_table[i]); iarg &= ~hl_attr_table[i]; /* don't want "inverse" */ } } --- 8576,8583 ---- if (iarg & hl_attr_table[i]) { if (buf[0] != NUL) ! vim_strcat(buf, (char_u *)",", 100); ! vim_strcat(buf, (char_u *)hl_name_table[i], 100); iarg &= ~hl_attr_table[i]; /* don't want "inverse" */ } } *** ../vim-7.3.159/src/tag.c 2011-02-25 15:13:43.000000000 +0100 --- src/tag.c 2011-04-11 15:34:59.000000000 +0200 *************** *** 806,812 **** p = tag_full_fname(&tagp); if (p == NULL) continue; ! STRCPY(fname, p); vim_free(p); /* --- 806,812 ---- p = tag_full_fname(&tagp); if (p == NULL) continue; ! vim_strncpy(fname, p, MAXPATHL); vim_free(p); /* *** ../vim-7.3.159/src/version.c 2011-04-11 14:29:13.000000000 +0200 --- src/version.c 2011-04-11 16:50:53.000000000 +0200 *************** *** 716,717 **** --- 716,719 ---- { /* Add new patch number below this line */ + /**/ + 160, /**/ -- If someone questions your market projections, simply point out that your target market is "People who are nuts" and "People who will buy any damn thing". Nobody is going to tell you there aren't enough of those people to go around. (Scott Adams - The Dilbert principle) /// Bram Moolenaar -- Bram@Moolenaar.net -- http://www.Moolenaar.net \\\ /// sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\ \\\ an exciting new programming language -- http://www.Zimbu.org /// \\\ help me help AIDS victims -- http://ICCF-Holland.org ///