patch 8.0.1047: buffer overflow in Ruby

brammool · brammool · commit 00ccf54630dc · 2017-09-03T15:17:48.000+02:00
Problem:    Buffer overflow in Ruby.
Solution:   Allocate one more byte. (Dominique Pelle)
diff --git a/src/if_ruby.c b/src/if_ruby.c
@@ -984,7 +984,7 @@ static VALUE vim_message(VALUE self UNUSED, VALUE str)
     if (RSTRING_LEN(str) > 0)
     {
 	/* Only do this when the string isn't empty, alloc(0) causes trouble. */
-	buff = ALLOCA_N(char, RSTRING_LEN(str));
+	buff = ALLOCA_N(char, RSTRING_LEN(str) + 1);
 	strcpy(buff, RSTRING_PTR(str));
 	p = strchr(buff, '\n');
 	if (p) *p = '\0';
diff --git a/src/version.c b/src/version.c
@@ -769,6 +769,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    1047,
 /**/
     1046,
 /**/

Original file line number	Diff line number	Diff line change
`@@ -984,7 +984,7 @@ static VALUE vim_message(VALUE self UNUSED, VALUE str)`
`984`	`984`	`if (RSTRING_LEN(str) > 0)`
`985`	`985`	`{`
`986`	`986`	`/* Only do this when the string isn't empty, alloc(0) causes trouble. */`
`987`		`- buff = ALLOCA_N(char, RSTRING_LEN(str));`
	`987`	`+ buff = ALLOCA_N(char, RSTRING_LEN(str) + 1);`
`988`	`988`	`strcpy(buff, RSTRING_PTR(str));`
`989`	`989`	`p = strchr(buff, '\n');`
`990`	`990`	`if (p) *p = '\0';`