To: Mike Steed
Cc: vim-dev@vim.org
In-Reply-To: <19990722161430.20086.qmail@www0n.netaddress.usa.net>
Subject: patch 5.4p.12 (was: 5.4p Win32 crash)
Fcc: outbox
From: Bram Moolenaar
------------

Mike -

> Type :e zzzz... (about 256 z's), then hit 'wildchar', and Vim will crash. A
> silly thing to do, I know, but still, Vim shouldn't crash.

I have to use a longer zzzzz..., but it indeed crashes.

> I think the problem is that in win32_expandpath(), memory is being written
> beyond the end of buf[].

Yes, looks like it. The code assumes that the path is valid, and thus isn't longer than _MAX_PATH. That isn't always true.

> I took a quick look at the code but wasn't sure of the best way to fix it.

dos_expandpath() allocates buf[]. That's a solution. Also makes it more similar to the other xxx_expandpath() functions.

> And this may be something that gets put on the todo list until after 5.4 is
> out.

I could still do that. After all, it does solve a crash. But I better make sure that it really fixes the problem, and not cause a new one...

OK, it does fix the problem for me. And it's a simple change, since similar code is already used for MS-DOS.

Patch 5.4p.12
Problem:    Win32: Trying to expand a string that is longer than 256 characters could cause a crash. (Steed)
Solution:   For the buffer in win32_expandpath() don't use a fixed size array, allocate it.
Files:      src/os_win32.c

*** ../vim-5.4p/src/os_win32.c Mon Jul 19 11:09:14 1999 --- src/os_win32.c Thu Jul 22 22:22:24 1999 *************** *** 2603,2609 **** char_u *wildc, int flags) { ! char buf[_MAX_PATH+1]; char *p, *s, *e; int start_len, c = 1; WIN32_FIND_DATA fb; --- 2603,2609 ---- char_u *wildc, int flags) { ! 
char *buf; char *p, *s, *e; int start_len, c = 1; WIN32_FIND_DATA fb; *************** *** 2613,2618 **** --- 2613,2622 ---- int len; start_len = gap->ga_len; + /* make room for file name */ + buf = (char *)alloc(STRLEN(path) + BASENAMELEN + 5); + if (buf == NULL) + return 0; /* * Find the first part in the path name that contains a wildcard. *************** *** 2700,2705 **** --- 2704,2710 ---- c = FindNextFile(hFind, &fb); } FindClose(hFind); + vim_free(buf); matches = gap->ga_len - start_len; if (matches) -- hundred-and-one symptoms of being an internet addict: 224. You set up your own Web page. You set up a Web page for each of your kids... and your pets. --/-/---- Bram Moolenaar ---- Bram@moolenaar.net ---- Bram@vim.org ---\-\-- \ \ www.vim.org/iccf www.moolenaar.net www.vim.org / /
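
Review bot: in the hunk at 2603, changing `buf` from an array to a pointer changes the meaning of any `sizeof(buf)` in the unchanged body of win32_expandpath(): it would now yield the pointer size instead of _MAX_PATH+1. The hunks do not show the rest of the function, so please confirm that no copy length or bound there is still derived from sizeof(buf) or from _MAX_PATH.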
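
Review bot: the size expression `STRLEN(path) + BASENAMELEN + 5` in the hunk at 2613 is undocumented: the comment says "make room for file name" but not what the 5 covers or why BASENAMELEN bounds what is later appended to buf. The matches come from `WIN32_FIND_DATA fb`, so the comment should state that a found name cannot exceed BASENAMELEN, or the copy into buf should be bounded explicitly, so that a long file name cannot overrun the buffer the way a long path did.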
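
Review bot: `vim_free(buf)` in the hunk at 2700 is the only release the patch adds for the buffer allocated in the hunk at 2613, and it sits after the FindNextFile loop and FindClose(hFind). If the unchanged lines between the allocation and this point contain any return statement, buf leaks on that path; please check those exits and free buf there too, or route them through this point.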