From: Sören Tempel <soeren+git@soeren-tempel.net>
Date: Sun, 11 Nov 2018 22:35:25 +0000 (+0100)
Subject: Fix out-of-bounds buffer access in parse_command
X-Git-Url: https://git.owens.tech/112-editable-focus.html/112-editable-focus.html/git?a=commitdiff_plain;h=84e59ff12f88fb44f5371813dbd757209a616caa;p=vimb.git

Fix out-of-bounds buffer access in parse_command

Since the cmd buffer needs to be null terminated we need to reserve
space for the null byte in the buffer.

Without this change an out-of-bounds buffer access is performed if the
first word is longer than 19 chars.

Fixes #529
---

diff --git a/src/ex.c b/src/ex.c
index 279059b..708020d 100644
--- a/src/ex.c
+++ b/src/ex.c
@@ -657,7 +657,7 @@ static gboolean parse_command_name(Client *c, const char **input, ExArg *arg)
         /* read until next whitespace or end of input to get command name for
          * error message - vim uses the whole rest of the input string - but
          * the first word seems to bee enough for the error message */
-        for (; len < LENGTH(cmd) && *input && !VB_IS_SPACE(**input); (*input)++) {
+        for (; len < (LENGTH(cmd) - 1) && *input && !VB_IS_SPACE(**input); (*input)++) {
             cmd[len++] = **input;
         }
         cmd[len] = '\0';
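Review bot: The loop condition on the changed line tests `*input`, which per the signature in the hunk header is the `const char *` itself and not the current character, so that term never detects the end of the input string. Unless `VB_IS_SPACE` (defined outside this hunk) is true for `'\0'`, an unknown command shorter than the buffer would let the loop read past the input's terminator until `len` reaches the limit. That is an out-of-bounds read on the source side, which the destination-size fix does not cover. The comment above says "until next whitespace or end of input", which suggests `**input` was intended: `for (; len < (LENGTH(cmd) - 1) && **input && !VB_IS_SPACE(**input); (*input)++) {`. The function body starts and ends outside the hunk, so the declaration of `cmd` and any earlier NUL check on the input are not visible here.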