To: Mike Steed <[email protected]>
Cc: [email protected]
In-Reply-To: <[email protected]>
Subject: patch 5.4p.12 (was: 5.4p Win32 crash)
Fcc: outbox
From: Bram Moolenaar <[email protected]>
------------

Mike -

> Type :e zzzz... (about 256 z's), then hit 'wildchar', and Vim will crash.  A
> silly thing to do, I know, but still, Vim shouldn't crash.

I have to use a longer zzzzz..., but it indeed crashes.

> I think the problem is that in win32_expandpath(), memory is being written
> beyond the end of buf[].

Yes, looks like it.  The code assumes that the path is valid, and thus isn't
longer than _MAX_PATH.  That isn't always true.

> I took a quick look at the code but wasn't sure of the best way to fix it.

dos_expandpath() allocates buf[].  That's a solution.  Also makes it more
similar to the other xxx_expandpath() functions.

> And this may be something that gets put on the todo list until after 5.4 is
> out.

I could still do that.  After all, it does solve a crash.  But I better make
sure that it really fixes the problem, and doesn't cause a new one...  OK, it
does fix the problem for me.  And it's a simple change, since similar code is
already used for MS-DOS.


Patch 5.4p.12
Problem:    Win32: Trying to expand a string that is longer than 256
           characters could cause a crash. (Steed)
Solution:   For the buffer in win32_expandpath() don't use a fixed size array,
           allocate it.
Files:      src/os_win32.c


*** ../vim-5.4p/src/os_win32.c  Mon Jul 19 11:09:14 1999
--- src/os_win32.c      Thu Jul 22 22:22:24 1999
***************
*** 2603,2609 ****
     char_u            *wildc,
     int                       flags)
 {
!     char              buf[_MAX_PATH+1];
     char              *p, *s, *e;
     int                       start_len, c = 1;
     WIN32_FIND_DATA   fb;
--- 2603,2609 ----
     char_u            *wildc,
     int                       flags)
 {
!     char              *buf;
     char              *p, *s, *e;
     int                       start_len, c = 1;
     WIN32_FIND_DATA   fb;
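Review bot: With buf now a pointer instead of a `char buf[_MAX_PATH+1]` array, any `sizeof(buf)` or `_MAX_PATH` reference further down in win32_expandpath() would silently change meaning (pointer size rather than array size); worth grepping the rest of the function for both before merging, and carrying the computed capacity in a variable if any such use exists.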
***************
*** 2613,2618 ****
--- 2613,2622 ----
     int                       len;

     start_len = gap->ga_len;
+     /* make room for file name */
+     buf = (char *)alloc(STRLEN(path) + BASENAMELEN + 5);
+     if (buf == NULL)
+       return 0;

     /*
      * Find the first part in the path name that contains a wildcard.
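Review bot: The size expression `STRLEN(path) + BASENAMELEN + 5` needs a comment saying what it bounds: the buffer holds the path prefix followed by each name copied out of the FindNextFile() result, so the overflow is only gone if BASENAMELEN plus the 5 spare bytes covers the longest name that copy can produce. Either state that invariant at the allocation or add an explicit length check where the name is appended. The `return 0` on allocation failure reads as "no matches", which is fine if every caller treats 0 that way; a short comment ("out of memory, report no matches") would make the intent clear.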
***************
*** 2700,2705 ****
--- 2704,2710 ----
           c = FindNextFile(hFind, &fb);
       }
     FindClose(hFind);
+     vim_free(buf);

     matches = gap->ga_len - start_len;
     if (matches)
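Review bot: `vim_free(buf)` is reached only on the path that falls through FindClose(); since buf is now allocated right after `start_len = gap->ga_len;`, any early `return` between the allocation and this point (for example when no wildcard part is found or FindFirstFile() fails) would leak it. Please confirm there is no such return in the elided body, or add the free on those paths too.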

--
hundred-and-one symptoms of being an internet addict:
224. You set up your own Web page. You set up a Web page for each
    of your kids... and your pets.

--/-/---- Bram Moolenaar ---- [email protected] ---- [email protected] ---\-\--
 \ \    www.vim.org/iccf      www.moolenaar.net       www.vim.org    / /
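The fix discussed above replaces a fixed `_MAX_PATH` buffer with one sized from the input. The following is an added example, not Vim's code, that demonstrates the same idea on a simulated directory scan (the names a FindFirstFile()/FindNextFile() loop would yield are a constructed array here), and also shows the bound check at the copy that the patch relies on. BASENAMELEN is given an assumed value, and `expand_sim`, `append_name` and `demo_long_path` are hypothetical names.

```c
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Assumed upper bound on one directory entry name (not Vim's actual value). */
#define BASENAMELEN 255

/* Append 'name' after the directory prefix already stored in buf (prefix_len bytes).
 * Returns 1 if the result fits in cap, 0 otherwise; never writes past the end. */
static int append_name(char *buf, size_t cap, size_t prefix_len, const char *name)
{
    size_t nlen = strlen(name);
    if (prefix_len + nlen + 1 > cap)   /* +1 for the terminating NUL */
        return 0;
    memcpy(buf + prefix_len, name, nlen + 1);
    return 1;
}

/* malloc-based copy of a string (avoids depending on strdup's availability). */
static char *dup_str(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p != NULL)
        memcpy(p, s, n);
    return p;
}

/* Simulated expansion: 'dir' is the directory prefix (may be far longer than 256),
 * 'names' are the entries a scan would return (constructed input).
 * Stores up to out_max full paths in 'out'; returns the count, or -1 on OOM. */
int expand_sim(const char *dir, const char **names, int nnames, char **out, int out_max)
{
    size_t dir_len = strlen(dir);
    /* Size the buffer from the input, as the patch does, instead of assuming _MAX_PATH. */
    size_t cap = dir_len + BASENAMELEN + 5;
    char *buf = malloc(cap);
    int matches = 0;
    if (buf == NULL)
        return -1;
    memcpy(buf, dir, dir_len + 1);
    for (int i = 0; i < nnames && matches < out_max; i++) {
        if (!append_name(buf, cap, dir_len, names[i]))
            continue;                 /* name exceeds the bound: skip, don't overflow */
        out[matches] = dup_str(buf);
        if (out[matches] == NULL)
            break;
        matches++;
    }
    free(buf);                        /* single exit, so the buffer is always released */
    return matches;
}

/* Constructed demo: a 300-character prefix plus two short names and one oversized name.
 * Returns the number of expanded paths (expected 2), or -2 if a result looks wrong. */
int demo_long_path(void)
{
    char dir[302];
    char big[301];
    const char *names[3];
    char *out[3];
    int n, ok = 1;

    memset(dir, 'z', 300); dir[300] = '/'; dir[301] = '\0';   /* 301 bytes: > _MAX_PATH */
    memset(big, 'y', 300); big[300] = '\0';                   /* too long for BASENAMELEN */
    names[0] = "a.txt"; names[1] = "b.txt"; names[2] = big;

    n = expand_sim(dir, names, 3, out, 3);
    if (n == 2) {
        ok = strlen(out[0]) == 306 && strcmp(out[0] + 301, "a.txt") == 0
          && strlen(out[1]) == 306 && strcmp(out[1] + 301, "b.txt") == 0;
    }
    for (int i = 0; i < n; i++)
        free(out[i]);
    return ok ? n : -2;
}

int main(void)
{
    printf("expanded %d path(s)\n", demo_long_path());
    return 0;
}
```

The oversized third entry is dropped by `append_name` rather than written past the buffer, which is the check the allocation size alone does not guarantee.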