vim-patch:9.0.1899: potential buffer overflow in PBYTE macro

Problem: potential buffer overflow in PBYTE macro Solution: Check returned memline length closes: vim/vim#13083 the PBYTE macro is used to put byte c at a position lp of the returned memline. However, in case of unexpected errors ml_get_buf() may return either "???" or an empty line in which case it is quite likely that we are causing a buffer overrun. Therefore, switch the macro PBYTE (which is only used in ops.c anyhow) to a function, that verifies that we will only try to access within the given length of the buffer. Also, since the macro is only used in ops.c, move the definition from macros.h to ops.c ffb13674d1 Co-authored-by: Christian Brabandt <cb@256bit.org>
2026-01-06 11:27:26 +10:00 · 2025-12-21 23:59:28 -05:00
parent efacb10709
commit 1afdcb8f2b
1 changed files with 12 additions and 3 deletions
--- a/src/nvim/ops.c
+++ b/src/nvim/ops.c
@@ -1046,11 +1046,20 @@ static void mb_adjust_opend(oparg_T *oap)
  }
 }

-/// Put character 'c' at position 'lp'
-static inline void pbyte(pos_T lp, int c)
+/// put byte 'c' at position 'lp', but
+/// verify, that the position to place
+/// is actually safe
+static void pbyte(pos_T lp, int c)
 {
  assert(c <= UCHAR_MAX);
-  *(ml_get_buf_mut(curbuf, lp.lnum) + lp.col) = (char)c;
+  char *p = ml_get_buf_mut(curbuf, lp.lnum);
+  colnr_T len = curbuf->b_ml.ml_line_len;
+
+  // safety check
+  if (lp.col >= len) {
+    lp.col = (len > 1 ? len - 2 : 0);
+  }
+  *(p + lp.col) = (char)c;
  if (!curbuf_splice_pending) {
    extmark_splice_cols(curbuf, (int)lp.lnum - 1, lp.col, 1, 1, kExtmarkUndo);
  }