To: vim_dev@googlegroups.com Subject: Patch 8.1.0976 Fcc: outbox From: Bram Moolenaar Mime-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ------------ Patch 8.1.0976 Problem: Dosinstall still has buffer overflow problems. Solution: Adjust buffer sizes. (Yasuhiro Matsumoto, closes #4002) Files: src/dosinst.c, src/dosinst.h, src/uninstal.c *** ../vim-8.1.0975/src/dosinst.c 2019-02-18 22:19:29.124186022 +0100 --- src/dosinst.c 2019-02-22 19:37:38.442404717 +0100 *************** *** 388,394 **** /* First get $VIMRUNTIME. If it's set, remove the tail. */ vim = getenv("VIMRUNTIME"); ! if (vim != NULL && *vim != 0 && strlen(vim) < BUFSIZE) { strcpy(buf, vim); remove_tail(buf); --- 388,394 ---- /* First get $VIMRUNTIME. If it's set, remove the tail. */ vim = getenv("VIMRUNTIME"); ! if (vim != NULL && *vim != 0 && strlen(vim) < sizeof(buf)) { strcpy(buf, vim); remove_tail(buf); *************** *** 411,417 **** /* NSIS also uses GetTempPath(), thus we should get the same directory * name as where NSIS will look for vimini.ini. */ ! GetTempPath(BUFSIZE, fname); add_pathsep(fname); strcat(fname, "vimini.ini"); --- 411,417 ---- /* NSIS also uses GetTempPath(), thus we should get the same directory * name as where NSIS will look for vimini.ini. */ ! GetTempPath(sizeof(fname) - 12, fname); add_pathsep(fname); strcat(fname, "vimini.ini"); *************** *** 456,462 **** static int run_silent_uninstall(char *uninst_exe) { ! char vimrt_dir[MAX_PATH]; char temp_uninst[BUFSIZE]; char temp_dir[MAX_PATH]; char buf[BUFSIZE * 2 + 10]; --- 456,462 ---- static int run_silent_uninstall(char *uninst_exe) { ! char vimrt_dir[BUFSIZE]; char temp_uninst[BUFSIZE]; char temp_dir[MAX_PATH]; char buf[BUFSIZE * 2 + 10]; *************** *** 506,512 **** char *uninstall_key = "software\\Microsoft\\Windows\\CurrentVersion\\Uninstall"; char subkey_name_buff[BUFSIZE]; char temp_string_buffer[BUFSIZE-2]; ! DWORD local_bufsize = BUFSIZE; FILETIME temp_pfiletime; DWORD key_index; char input; --- 506,512 ---- char *uninstall_key = "software\\Microsoft\\Windows\\CurrentVersion\\Uninstall"; char subkey_name_buff[BUFSIZE]; char temp_string_buffer[BUFSIZE-2]; ! DWORD local_bufsize; FILETIME temp_pfiletime; DWORD key_index; char input; *************** *** 521,532 **** KEY_WOW64_64KEY | KEY_READ, &key_handle); CHECK_REG_ERROR(code); ! for (key_index = 0; ! RegEnumKeyEx(key_handle, key_index, subkey_name_buff, &local_bufsize, ! NULL, NULL, NULL, &temp_pfiletime) != ERROR_NO_MORE_ITEMS; ! key_index++) { ! local_bufsize = BUFSIZE; if (strncmp("Vim", subkey_name_buff, 3) == 0) { /* Open the key named Vim* */ --- 521,534 ---- KEY_WOW64_64KEY | KEY_READ, &key_handle); CHECK_REG_ERROR(code); ! key_index = 0; ! while (TRUE) { ! local_bufsize = sizeof(subkey_name_buff); ! if (RegEnumKeyEx(key_handle, key_index, subkey_name_buff, &local_bufsize, ! NULL, NULL, NULL, &temp_pfiletime) == ERROR_NO_MORE_ITEMS) ! break; ! if (strncmp("Vim", subkey_name_buff, 3) == 0) { /* Open the key named Vim* */ *************** *** 535,544 **** CHECK_REG_ERROR(code); /* get the DisplayName out of it to show the user */ code = RegQueryValueEx(uninstall_key_handle, "displayname", 0, &value_type, (LPBYTE)temp_string_buffer, &local_bufsize); - local_bufsize = BUFSIZE; CHECK_REG_ERROR(code); allow_silent = 0; --- 537,546 ---- CHECK_REG_ERROR(code); /* get the DisplayName out of it to show the user */ + local_bufsize = sizeof(temp_string_buffer); code = RegQueryValueEx(uninstall_key_handle, "displayname", 0, &value_type, (LPBYTE)temp_string_buffer, &local_bufsize); CHECK_REG_ERROR(code); allow_silent = 0; *************** *** 568,576 **** fflush(stdout); /* get the UninstallString */ code = RegQueryValueEx(uninstall_key_handle, "uninstallstring", 0, &value_type, (LPBYTE)temp_string_buffer, &local_bufsize); - local_bufsize = BUFSIZE; CHECK_REG_ERROR(code); /* Remember the directory, it is used as the default for NSIS. */ --- 570,578 ---- fflush(stdout); /* get the UninstallString */ + local_bufsize = sizeof(temp_string_buffer); code = RegQueryValueEx(uninstall_key_handle, "uninstallstring", 0, &value_type, (LPBYTE)temp_string_buffer, &local_bufsize); CHECK_REG_ERROR(code); /* Remember the directory, it is used as the default for NSIS. */ *************** *** 683,688 **** --- 685,692 ---- RegCloseKey(uninstall_key_handle); } + + key_index++; } RegCloseKey(key_handle); *************** *** 1826,1832 **** /* translate the (possibly) multibyte shortcut filename to windows * Unicode so it can be used as a file name. */ ! MultiByteToWideChar(CP_ACP, 0, shortcut_name, -1, wsz, BUFSIZE); /* set the attributes */ shelllink_ptr->lpVtbl->SetPath(shelllink_ptr, shortcut_target); --- 1830,1836 ---- /* translate the (possibly) multibyte shortcut filename to windows * Unicode so it can be used as a file name. */ ! MultiByteToWideChar(CP_ACP, 0, shortcut_name, -1, wsz, sizeof(wsz)/sizeof(wsz[0])); /* set the attributes */ shelllink_ptr->lpVtbl->SetPath(shelllink_ptr, shortcut_target); *************** *** 2135,2141 **** * result in "to[]". */ static void ! dir_remove_last(const char *path, char to[BUFSIZE]) { char c; long last_char_to_copy; --- 2139,2145 ---- * result in "to[]". */ static void ! dir_remove_last(const char *path, char to[MAX_PATH]) { char c; long last_char_to_copy; *************** *** 2206,2212 **** if (homepath == NULL || *homepath == NUL) homepath = "\\"; if (homedrive != NULL ! && strlen(homedrive) + strlen(homepath) < MAX_PATH) { sprintf(buf, "%s%s", homedrive, homepath); if (buf[0] != NUL) --- 2210,2216 ---- if (homepath == NULL || *homepath == NUL) homepath = "\\"; if (homedrive != NULL ! && strlen(homedrive) + strlen(homepath) < sizeof(buf)) { sprintf(buf, "%s%s", homedrive, homepath); if (buf[0] != NUL) *************** *** 2234,2243 **** buf[p - (var + 1)] = NUL; exp = getenv(buf); if (exp != NULL && *exp != NUL ! && strlen(exp) + strlen(p) < MAX_PATH) { ! _snprintf(buf, MAX_PATH, "%s%s", exp, p + 1); ! buf[MAX_PATH - 1] = NUL; var = buf; } } --- 2238,2246 ---- buf[p - (var + 1)] = NUL; exp = getenv(buf); if (exp != NULL && *exp != NUL ! && strlen(exp) + strlen(p) < sizeof(buf)) { ! sprintf(buf, "%s%s", exp, p + 1); var = buf; } } *************** *** 2351,2360 **** // Check if the "compiler" directory already exists. That's a good // indication that the plugin directories were already created. ! if (getenv("HOME") != NULL) { vimfiles_dir_choice = (int)vimfiles_dir_home; ! sprintf(tmp_dirname, "%s\\vimfiles\\compiler", getenv("HOME")); if (stat(tmp_dirname, &st) == 0) vimfiles_dir_choice = (int)vimfiles_dir_none; } --- 2354,2364 ---- // Check if the "compiler" directory already exists. That's a good // indication that the plugin directories were already created. ! p = getenv("HOME"); ! if (p != NULL) { vimfiles_dir_choice = (int)vimfiles_dir_home; ! sprintf(tmp_dirname, "%s\\vimfiles\\compiler", p); if (stat(tmp_dirname, &st) == 0) vimfiles_dir_choice = (int)vimfiles_dir_none; } *** ../vim-8.1.0975/src/dosinst.h 2019-02-18 22:19:29.124186022 +0100 --- src/dosinst.h 2019-02-22 19:33:42.519738742 +0100 *************** *** 59,65 **** /* ---------------------------------------- */ ! #define BUFSIZE 512 /* long enough to hold a file name path */ #define NUL 0 #define FAIL 0 --- 59,65 ---- /* ---------------------------------------- */ ! #define BUFSIZE (MAX_PATH*2) /* long enough to hold a file name path */ #define NUL 0 #define FAIL 0 *************** *** 93,107 **** static void * alloc(int len) { ! char *s; ! s = malloc(len); ! if (s == NULL) { printf("ERROR: out of memory\n"); exit(1); } ! return (void *)s; } /* --- 93,107 ---- static void * alloc(int len) { ! void *p; ! p = malloc(len); ! if (p == NULL) { printf("ERROR: out of memory\n"); exit(1); } ! return p; } /* *************** *** 512,518 **** do_inits(char **argv) { /* Find out the full path of our executable. */ ! if (my_fullpath(installdir, argv[0], BUFSIZE) == NULL) { printf("ERROR: Cannot get name of executable\n"); myexit(1); --- 512,518 ---- do_inits(char **argv) { /* Find out the full path of our executable. */ ! if (my_fullpath(installdir, argv[0], sizeof(installdir)) == NULL) { printf("ERROR: Cannot get name of executable\n"); myexit(1); *** ../vim-8.1.0975/src/uninstal.c 2019-02-18 22:19:29.124186022 +0100 --- src/uninstal.c 2019-02-22 19:33:42.519738742 +0100 *************** *** 60,70 **** * Returns non-zero when it's found. */ static int ! popup_gvim_path(char *buf) { HKEY key_handle; DWORD value_type; - DWORD bufsize = BUFSIZE; int r; /* Open the key where the path to gvim.exe is stored. */ --- 60,69 ---- * Returns non-zero when it's found. */ static int ! popup_gvim_path(char *buf, DWORD bufsize) { HKEY key_handle; DWORD value_type; int r; /* Open the key where the path to gvim.exe is stored. */ *************** *** 87,97 **** * Returns non-zero when it's found. */ static int ! openwith_gvim_path(char *buf) { HKEY key_handle; DWORD value_type; - DWORD bufsize = BUFSIZE; int r; /* Open the key where the path to gvim.exe is stored. */ --- 86,95 ---- * Returns non-zero when it's found. */ static int ! openwith_gvim_path(char *buf, DWORD bufsize) { HKEY key_handle; DWORD value_type; int r; /* Open the key where the path to gvim.exe is stored. */ *************** *** 209,215 **** fd = fopen(path, "r"); if (fd != NULL) { ! while (fgets(line, BUFSIZE, fd) != NULL) { for (p = line; *p != 0; ++p) /* don't accept "vim60an" when looking for "vim60". */ --- 207,213 ---- fd = fopen(path, "r"); if (fd != NULL) { ! while (fgets(line, sizeof(line), fd) != NULL) { for (p = line; *p != 0; ++p) /* don't accept "vim60an" when looking for "vim60". */ *************** *** 335,341 **** printf("This program will remove the following items:\n"); ! if (popup_gvim_path(popup_path)) { printf(" - the \"Edit with Vim\" entry in the popup menu\n"); printf(" which uses \"%s\"\n", popup_path); --- 333,339 ---- printf("This program will remove the following items:\n"); ! if (popup_gvim_path(popup_path, sizeof(popup_path))) { printf(" - the \"Edit with Vim\" entry in the popup menu\n"); printf(" which uses \"%s\"\n", popup_path); *************** *** 349,355 **** remove_openwith(); } } ! else if (openwith_gvim_path(popup_path)) { printf(" - the Vim \"Open With...\" entry in the popup menu\n"); printf(" which uses \"%s\"\n", popup_path); --- 347,353 ---- remove_openwith(); } } ! else if (openwith_gvim_path(popup_path, sizeof(popup_path))) { printf(" - the Vim \"Open With...\" entry in the popup menu\n"); printf(" which uses \"%s\"\n", popup_path); *** ../vim-8.1.0975/src/version.c 2019-02-22 19:14:46.774074872 +0100 --- src/version.c 2019-02-22 19:34:21.703520330 +0100 *************** *** 781,782 **** --- 781,784 ---- { /* Add new patch number below this line */ + /**/ + 976, /**/ -- When a fly lands on the ceiling, does it do a half roll or a half loop? /// Bram Moolenaar -- Bram@Moolenaar.net -- http://www.Moolenaar.net \\\ /// sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\ \\\ an exciting new programming language -- http://www.Zimbu.org /// \\\ help me help AIDS victims -- http://ICCF-Holland.org ///