From 15298e79269e95899b9812c78af19f954b3bcba6 Mon Sep 17 00:00:00 2001 From: zeertzjq Date: Sun, 3 Sep 2023 09:14:45 +0800 Subject: [PATCH] vim-patch:9.0.1847: [security] potential oob write in do_addsub() Problem: potential oob write in do_addsub() Solution: don't overflow buf2, check size in for loop() https://github.com/vim/vim/commit/889f6af37164775192e33b233a90e86fd3df0f57 Co-authored-by: Christian Brabandt --- src/nvim/ops.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/nvim/ops.c b/src/nvim/ops.c index 8270641256..96deae228f 100644 --- a/src/nvim/ops.c +++ b/src/nvim/ops.c @@ -4770,7 +4770,7 @@ int do_addsub(int op_type, pos_T *pos, int length, linenr_T Prenum1) } } - while (bits > 0) { + while (bits > 0 && i < NUMBUFLEN - 1) { buf2[i++] = ((n >> --bits) & 0x1) ? '1' : '0'; }