Re: Possible buffer overflow in dosinst.c ?
- Thomas Gwae wrote:
> I just came across a possible buffer overflow in dosinst.c.
> ---- l 368 ----
> static void
> char *vim;
> char buf[BUFSIZE];
> FILE *fd;
> char fname[BUFSIZE];
> /* First get $VIMRUNTIME. If it's set, remove the tail. */
> vim = getenv("VIMRUNTIME");
> if (vim != NULL && *vim != 0)
> strcpy(buf, vim);
> ---- l 380 ----
> We can see that if the environment variable is longer than BUFSIZE, we are in a typical case of buffer overflow.
> We know that BUFSIZE is 512 and "the maximum size of a user-defined environment variable is 32,767 characters" (http://msdn.microsoft.com/en-us/library/windows/desktop/ms682653(v=vs.85).aspx).
> This can only be "useful" if the install process is launched "as" administrator, and the "evil" user took the time to set VIMRUNTIME in adequacy.
> I apologize, but I don't have any Windows VM, so I can't check if I'm wrong.

I'll add a note in the todo list. If an attacker manages to set your
VIMRUNTIME environment variable it may already be too late. But we can
fix it anyway.
Yesterday, all my deadlines seemed so far away
now it looks as though it's freeze in four days
oh I believe in cvs..
[ CVS log "Beatles style" for FreeBSD ports/INDEX, Satoshi Asami ]
/// Bram Moolenaar -- Bram@... -- http://www.Moolenaar.net \\\
/// sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\
\\\ an exciting new programming language -- http://www.Zimbu.org ///
\\\ help me help AIDS victims -- http://ICCF-Holland.org ///
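
Added example, not part of the original message and not code from Vim's dosinst.c: one way to bound the copy discussed above, using the BUFSIZE of 512 quoted in the thread. The helper name copy_env_checked and its return codes are hypothetical; it rejects an oversized value instead of truncating it.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUFSIZE 512 /* value given in the thread */

enum env_copy { ENV_OK = 0, ENV_UNSET, ENV_TOO_LONG };

/* Hypothetical helper (not from dosinst.c): copy an environment value
 * into a fixed buffer. An oversized value is rejected, not truncated,
 * because a truncated path would silently name a different directory. */
static enum env_copy copy_env_checked(const char *value, char *buf,
                                      size_t bufsize)
{
    size_t len;

    if (bufsize == 0)
        return ENV_TOO_LONG;
    buf[0] = '\0';                     /* buf is always a valid string */
    if (value == NULL || *value == '\0')
        return ENV_UNSET;
    len = strlen(value);
    if (len >= bufsize)                /* need room for the NUL */
        return ENV_TOO_LONG;
    memcpy(buf, value, len + 1);
    return ENV_OK;
}

int main(void)
{
    static char big[32768];            /* constructed: 32,767-char value */
    char buf[BUFSIZE];

    memset(big, 'A', sizeof big - 1);  /* last byte stays NUL */
    printf("oversized: %d\n", copy_env_checked(big, buf, sizeof buf));
    printf("VIMRUNTIME: %d\n",
           copy_env_checked(getenv("VIMRUNTIME"), buf, sizeof buf));
    return 0;
}
```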