ccfilter: uses unbounded strcat()/strcpy()
Commit:
https://github.com/vim/vim/commit/403ba303b997b47c79241247e0d2b5fc698e3dd0
Author: orbisai0security <[email protected]>
Date: Sun May 17 08:19:14 2026 +0000
ccfilter: uses unbounded strcat()/strcpy()
Problem: ccfilter.c copies compiler output into fixed-size buffers
with strcat() and strcpy(), so very long diagnostics can
overflow.
Solution: replace with snprintf() bounded by LINELENGTH.
Automated security fix generated by Orbis Security AI
closes: #20233
Signed-off-by: orbisai0security <[email protected]>
Signed-off-by: Christian Brabandt <[email protected]>
diff --git a/runtime/tools/ccfilter.c b/runtime/tools/ccfilter.c
index ae1443e20..269e4ee66 100644
--- a/runtime/tools/ccfilter.c
+++ b/runtime/tools/ccfilter.c
@@ -249,14 +249,15 @@ int main( int argc, char *argv[] )
stay = (echogets(Line2, echo) != NULL);
while ( stay && (Line2[0] == '|') )
- { for (p=&Line2[2]; (*p) && (isspace((unsigned char)*p)); p++);
- strcat( Reason, ": " );
- strcat( Reason, p );
+ { size_t n;
+ for (p=&Line2[2]; (*p) && (isspace((unsigned char)*p)); p++);
+ n = strlen(Reason);
+ snprintf( Reason + n, LINELENGTH - n, ": %s", p );
Line2[0] = 0;
stay = (echogets(Line2, echo) != NULL);
}
prefetch = 1;
- strcpy( Line, Line2 );
+ snprintf( Line, LINELENGTH, "%s", Line2 );
break;
case COMPILER_IRIX:
Col = 1;
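Review bot: The bound `LINELENGTH - n` passed to the new `snprintf` calls assumes `Reason` here (and `Line` in the second hunk) is declared with exactly `LINELENGTH` bytes, but that declaration is outside the hunk, so the limit is a repeated constant rather than tied to the buffer. If they are arrays visible in this scope, `snprintf( Reason + n, sizeof Reason - n, ": %s", p );` and `snprintf( Line + n, sizeof Line - n, "\n%s", Line2 );` keep the bound correct if the size is ever changed. Separately, the re-added skip `for (p=&Line2[2]; ...)` starts two bytes in, so a continuation line that is only `|` leaves `p` past the terminator, scanning stale bytes left from the previous read; if the intended format is always `| text`, starting at `&Line2[1]` is equivalent for that case and safe for the short one, which is worth confirming. Truncation is now silent, so a comment such as `/* text beyond LINELENGTH is dropped, not overflowed */` would document the new behaviour at both call sites. main() begins and ends outside the hunk.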
@@ -291,8 +292,8 @@ int main( int argc, char *argv[] )
prefetch = 0;
}
else
- { strcat( Line, "
" );
- strcat( Line, Line2 );
+ { size_t n = strlen(Line);
+ snprintf( Line + n, LINELENGTH - n, "
%s", Line2 );
}
}
}
--