Buffer overflow in Debug build #136

@vid512

Description

Nvy crashes due to heap corruption when built with MSVC as a Debug build.

You can easily find the problem when you run it under ApplicationVerifier, with "heap" checking enabled. The bug is in string handling. This patch fixes it for me:

diff --git a/src/main.cpp b/src/main.cpp
index 3a51802..61f73a0 100644
--- a/src/main.cpp
+++ b/src/main.cpp
@@ -475,8 +475,8 @@ int WINAPI wWinMain(_In_ HINSTANCE instance, _In_opt_ HINSTANCE prev_instance, _
 				MessageBoxA(NULL, "ERROR: File path too long", "Nvy", MB_OK | MB_ICONERROR);
 				return 1;
 			}
-			size_t tmp_len = sizeof(wchar_t) * (nvim_cmd_len + arg_len + 4);
-			wchar_t *tmp = static_cast<wchar_t *>(realloc(nvim_cmd, tmp_len));
+			size_t tmp_len = nvim_cmd_len + arg_len + 4;
+			wchar_t *tmp = static_cast<wchar_t *>(realloc(nvim_cmd, sizeof(wchar_t) * tmp_len));
 			if (tmp) {
 				nvim_cmd = tmp;
 				nvim_cmd_len = tmp_len;
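Review bot: the unit fix is right, and the important part is the unchanged line `nvim_cmd_len = tmp_len;`: before this hunk that stored a byte count, and since the issue text says the file hands nvim_cmd_len to wcscat_s as a character count, the old value claimed twice the room the buffer actually had. Two things worth checking before merging: that every other use of nvim_cmd_len in wWinMain already treats it as an element count (a user that expected bytes would now under-size), and that a short comment such as `// in wchar_t elements, not bytes` goes on the `size_t tmp_len = ...` line so the unit is explicit the next time this code is touched.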

From a very basic look, I assume the bug only happens in the Debug build due to some wcscat_s() debug feature, e.g. it always fills the entire buffer you give it. Since you pass tmp_len as a count of characters, the first wcscat_s into the tmp buffer with tmp_len overflows the buffer.
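Added illustration, not code from the issue or from Nvy, of the convention the patch adopts: capacity is kept in wchar_t elements and multiplied by sizeof(wchar_t) only inside the realloc call. WideBuf, append_arg, checked_wcscat and the sample arguments are hypothetical; checked_wcscat only imitates the bounds check of the MSVC-specific wcscat_s (without the debug fill) so the block compiles portably.

```cpp
#include <cstdlib>
#include <cstring>
#include <cwchar>

// Growable wide-string buffer; cap_elems counts wchar_t elements, never bytes.
struct WideBuf { wchar_t *data; size_t cap_elems; };

// Stand-in for the size check wcscat_s does (the real one is MSVC-only): count
// is the destination size in ELEMENTS; on overflow dst is cleared, false returned.
static bool checked_wcscat(wchar_t *dst, size_t count, const wchar_t *src) {
    size_t have = 0;
    while (have < count && dst[have] != L'\0') ++have;
    if (have == count) return false;            // dst not terminated within count
    size_t src_len = wcslen(src);
    if (have + src_len + 1 > count) { dst[0] = L'\0'; return false; }  // would overrun
    memcpy(dst + have, src, (src_len + 1) * sizeof(wchar_t));
    return true;
}
// Appends one space-separated argument as the patch does: element count first,
// sizeof(wchar_t) applied only inside the realloc call.
static bool append_arg(WideBuf &b, const wchar_t *arg) {
    size_t used = b.data ? wcslen(b.data) : 0;
    size_t need = used + wcslen(arg) + 4;       // arg + separator + NUL + slack
    if (need > b.cap_elems) {
        wchar_t *tmp = static_cast<wchar_t *>(realloc(b.data, sizeof(wchar_t) * need));
        if (!tmp) return false;
        if (!b.data) tmp[0] = L'\0';
        b.data = tmp;
        b.cap_elems = need;                     // elements, not bytes
    }
    if (used && !checked_wcscat(b.data, b.cap_elems, L" ")) return false;
    return checked_wcscat(b.data, b.cap_elems, arg);
}
// Constructed sample: the result must fit in cap_elems, the value later passed as count.
static bool builds_expected_cmdline() {
    const wchar_t *args[] = {L"nvim", L"--embed", L"file.txt"};
    WideBuf b{nullptr, 0};
    bool ok = true;
    for (const wchar_t *a : args) ok = ok && append_arg(b, a);
    ok = ok && b.data && wcscmp(b.data, L"nvim --embed file.txt") == 0
            && wcslen(b.data) + 1 <= b.cap_elems;
    free(b.data);
    return ok;
}
// An honest element count makes a 5-element append into a 4-element buffer fail cleanly.
static bool refuses_when_count_is_elements() {
    wchar_t small[4] = L"ab";
    return !checked_wcscat(small, 4, L"cd") && small[0] == L'\0';
}
```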
