From: Sören Tempel
Date: Sun, 11 Nov 2018 22:35:25 +0000 (+0100)
Subject: Fix out-of-bounds buffer access in parse_command
X-Git-Url: https://git.owens.tech/projects.html/projects.html/git?a=commitdiff_plain;h=84e59ff12f88fb44f5371813dbd757209a616caa;p=vimb.git
Fix out-of-bounds buffer access in parse_command
Since the cmd buffer needs to be null terminated we need to reserve space for the null byte in the buffer. Without this change an out-of-bounds buffer access is performed if the first word is longer than 19 chars.
Fixes #529
---
diff --git a/src/ex.c b/src/ex.c
index 279059b..708020d 100644
--- a/src/ex.c
+++ b/src/ex.c
@@ -657,7 +657,7 @@ static gboolean parse_command_name(Client *c, const char **input, ExArg *arg)
 /* read until next whitespace or end of input to get command name for
 * error message - vim uses the whole rest of the input string - but
 * the first word seems to bee enough for the error message */
- for (; len < LENGTH(cmd) && *input && !VB_IS_SPACE(**input); (*input)++) {
+ for (; len < (LENGTH(cmd) - 1) && *input && !VB_IS_SPACE(**input); (*input)++) {
 cmd[len++] = **input;
 }
 cmd[len] = '\0';
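Review bot: The condition of the changed `for` still tests `*input`, which is the `const char *` itself (`input` is a `const char **`), so it does not detect the "end of input" that the comment above says should stop the loop. The current character `**input` is only examined through `VB_IS_SPACE`. That macro's definition is outside the hunk; if it does not match the NUL byte, an unknown command word with no trailing whitespace would be read past its terminator until `len` reaches the new bound. The write is now bounded, but the read side would be safer with an explicit terminator check, e.g. `for (; len < (LENGTH(cmd) - 1) && **input && !VB_IS_SPACE(**input); (*input)++) {`. The body of parse_command_name starts and ends outside the hunk, so the declaration of `cmd` and the initial value of `len` should be confirmed there.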