patch 8.2.3669: buffer overflow with long help argument

Problem:    Buffer overflow with long help argument.
Solution:   Use snprintf().

diff --git a/src/help.c b/src/help.c
index 28d914c82333c3d27a283d65fb3341626d975b41..d67f78b08ecb6f31d128cf0f8991b733c89b593a 100644 (file)
--- a/src/help.c
+++ b/src/help.c
@@ -422,8 +422,7 @@ find_help_tags(
                    || (vim_strchr((char_u *)"%_z@", arg[1]) != NULL
                                                           && arg[2] != NUL)))
        {
-           STRCPY(d, "/\\\\");
-           STRCPY(d + 3, arg + 1);
+           vim_snprintf((char *)d, IOSIZE, "/\\\\%s", arg + 1);
            // Check for "/\\_$", should be "/\\_\$"
            if (d[3] == '_' && d[4] == '$')
                STRCPY(d + 4, "\\$");

diff --git a/src/testdir/test_help.vim b/src/testdir/test_help.vim
index 15cc642d1734d9a163e3a16fcbf42c87001eaddc..6e32edd368e59af6aaee5e52b05d6570c85c35d2 100644 (file)
--- a/src/testdir/test_help.vim
+++ b/src/testdir/test_help.vim
@@ -134,4 +134,13 @@ func Test_help_window_height()
   close
 endfunc
 
+func Test_help_long_argument()
+  try
+    exe 'help \%' .. repeat('0', 1021)
+  catch
+    call assert_match("E149:", v:exception)
+  endtry
+endfunc
+
+
 " vim: shiftwidth=2 sts=2 expandtab

diff --git a/src/version.c b/src/version.c
index a225e182f2c78c36cb80d9174b6775a48ef2d91a..da5871e32f83d301a0f0ab6cd56891492d64f049 100644 (file)
--- a/src/version.c
+++ b/src/version.c
@@ -757,6 +757,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    3669,
 /**/
     3668,
 /**/