From bd93afc7c7ea57075ea66a321ebf7e5c887e57b5 Mon Sep 17 00:00:00 2001
From: Nicolas
Date: Mon, 2 Mar 2026 04:09:35 +0900
Subject: [PATCH] Fix heap-buffer-overflow in keyword highlighting

editorUpdateSyntax() uses memcmp(p, keywords[j], klen) to match keywords against the current position in the rendered line, but does not check that at least klen bytes remain from p to the end of the line. When a short line ends with a prefix that partially matches a keyword, memcmp reads past the allocated buffer. Add a bounds check (klen <= row->rsize - i) before the memcmp call to ensure we only compare within the allocated line buffer. Verified with AddressSanitizer: the overflow no longer triggers.

Fixes #36
---
 .gitignore | 2 ++
 kilo.c | 3 ++-
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/.gitignore b/.gitignore
index 06279959..d08d4230 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,3 @@
 kilo
+kilo_asan
+*.dSYM
diff --git a/kilo.c b/kilo.c
index 0d8aef4e..dfdb54e2 100644
--- a/kilo.c
+++ b/kilo.c
@@ -486,7 +486,8 @@ void editorUpdateSyntax(erow *row) {
 int kw2 = keywords[j][klen-1] == '|';
 if (kw2) klen--;
 
- if (!memcmp(p,keywords[j],klen) &&
+ if (klen <= row->rsize-i &&
+ !memcmp(p,keywords[j],klen) &&
 is_separator(*(p+klen)))
 {
 /* Keyword */
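Review bot: The added `klen <= row->rsize-i` keeps memcmp() inside the line, but the unchanged `is_separator(*(p+klen))` on the following context line still reads `p[klen]`, which is index `rsize` whenever `klen == row->rsize-i`; that read is in bounds only if `row->render` carries a terminating NUL beyond `rsize`, which this hunk does not show (editorUpdateSyntax's body starts and ends outside the hunk). Because that end-of-line case is presumably what lets a keyword at the very end of a line match, the reliance should be stated next to the new condition, e.g. `/* klen <= rsize-i keeps memcmp() in bounds; p[klen] may then be the terminating NUL, which is_separator() must accept */`. If render is not guaranteed NUL-terminated, the separator test needs its own guard (`i+klen < row->rsize`) rather than relying on `<=` alone.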