Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(fileio): fix off-by-one in rename_with_tmp #27780

Merged
merged 1 commit into from Mar 8, 2024
Merged

fix(fileio): fix off-by-one in rename_with_tmp #27780

merged 1 commit into from Mar 8, 2024

Conversation

cjwatson
Copy link
Contributor

@cjwatson cjwatson commented Mar 8, 2024

_FORTIFY_SOURCE on Ubuntu caught this, resulting in:

[OLDTEST] Running test_rename
Failed: test_rename :: Nvim exited with non-zero code
Job exited with code 134
Screen (23 lines)
================================================================================
"test_rename.vim" "test_rename.vim" 120L, 3623B
Executing Test_rename_copy()
Executing Test_rename_dir_to_dir()
Executing Test_rename_fails()
Error detected while processing command line..script /<<BUILDDIR>>/neovim-0.9.5/test/old/testdir/runtest.vim[437]..function RunTheTest[44]..Test_rename_fails:
line   17:
E730: using List as a String
line   18:
E976: using Blob as a String
Executing Test_rename_file_ignore_case()*** buffer overflow detected ***: terminated

snprintf's second parameter should be no greater than the number of remaining bytes in the allocated object. We can see that this was off by one, because in the simple case where tail == tempname (for a file in the current directory), rename_with_tmp was passing MAXPATHL + 2 for an object allocated with a size of only MAXPATHL + 1.

Introduced in 5f1a153.

@cjwatson cjwatson changed the title fix(fileio): Fix off-by-one in rename_with_tmp fix(fileio): fix off-by-one in rename_with_tmp Mar 8, 2024
@cjwatson
fix(fileio): fix off-by-one in rename_with_tmp
1ef1b5c 
`_FORTIFY_SOURCE` on Ubuntu caught this, resulting in:

    [OLDTEST] Running test_rename
    Failed: test_rename :: Nvim exited with non-zero code
    Job exited with code 134
    Screen (23 lines)
    ================================================================================
    "test_rename.vim" "test_rename.vim" 120L, 3623B
    Executing Test_rename_copy()
    Executing Test_rename_dir_to_dir()
    Executing Test_rename_fails()
    Error detected while processing command line..script /<<BUILDDIR>>/neovim-0.9.5/test/old/testdir/runtest.vim[437]..function RunTheTest[44]..Test_rename_fails:
    line   17:
    E730: using List as a String
    line   18:
    E976: using Blob as a String
    Executing Test_rename_file_ignore_case()*** buffer overflow detected ***: terminated

`snprintf`'s second parameter should be no greater than the number of
remaining bytes in the allocated object.  We can see that this was off
by one, because in the simple case where `tail == tempname` (for a file
in the current directory), `rename_with_tmp` was passing `MAXPATHL + 2`
for an object allocated with a size of only `MAXPATHL + 1`.

Introduced in 5f1a153.
@cjwatson
Copy link
Contributor Author

cjwatson commented Mar 8, 2024
edited

I'm not sure what the macos-12 functional test failure is was about, but it appears to be unrelated to my change.

@zeertzjq zeertzjq merged commit a69c720 into neovim:master Mar 8, 2024
26 checks passed
@cjwatson cjwatson deleted the rename-with-tmp-overflow branch March 20, 2024 12:40
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@zeertzjq zeertzjq zeertzjq approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@cjwatson @zeertzjq