Commit: patch 9.0.1873: [security] heap-buffer-overflow in vim_regsub_both


Christian Brabandt

Sep 5, 2023, 2:30:10 PM9/5/23
to vim...@googlegroups.com
patch 9.0.1873: [security] heap-buffer-overflow in vim_regsub_both

Commit: https://github.com/vim/vim/commit/f6d28fe2c95c678cc3202cc5dc825a3fcc709e93
Author: Christian Brabandt <c...@256bit.org>
Date: Tue Sep 5 20:18:06 2023 +0200

patch 9.0.1873: [security] heap-buffer-overflow in vim_regsub_both

Problem: heap-buffer-overflow in vim_regsub_both
Solution: Disallow exchanging windows when textlock is active

Signed-off-by: Christian Brabandt <c...@256bit.org>

diff --git a/src/ex_cmds.c b/src/ex_cmds.c
index 4f1d93244..566ed7dad 100644
--- a/src/ex_cmds.c
+++ b/src/ex_cmds.c
@@ -4519,6 +4519,9 @@ ex_substitute(exarg_T *eap)
{
nmatch = curbuf->b_ml.ml_line_count - sub_firstlnum + 1;
skip_match = TRUE;
+ // safety check
+ if (nmatch < 0)
+ goto skip;
}

// Need room for:
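Review bot: The new guard `if (nmatch < 0) goto skip;` is labelled only `// safety check`, which does not tell the next maintainer how `curbuf->b_ml.ml_line_count - sub_firstlnum + 1` can go negative here. From the commit message the cause appears to be the current buffer being swapped out from under the substitute by a nested command (the window.c half of this patch closes one such path), so a comment along the lines of `// curbuf may have changed under us via a nested command; a negative count means sub_firstlnum is past the end of the buffer, so give up` would tie the check to its cause. It is also worth confirming that the `skip` label path copes with the partial state at this point, which I cannot verify from the hunk because ex_substitute starts and ends outside it.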
diff --git a/src/testdir/crash/vim_regsub_both_poc b/src/testdir/crash/vim_regsub_both_poc
new file mode 100644
index 0000000000000000000000000000000000000000..19a57114be60c39dfb8b97ab95118caad7105322
GIT binary patch
literal 244
zcmYL@u?oU45QgJ=E>7wo7(ub^V#X>I9DITfBATT%DHd#_Jq=oiK7nuKlexsSir#Yn
zfA{m<B^MexE?{~X<*LZKtPFbnHppBg5J!ja@-H<t70C%{5kLtz<CCd7<AG(oh#jS6
zO@V0{?(hgFNikapux!?xfJQ6-<Lan~ZFR~b#rf8lhvA%bK&ROpJr1ghAXki*!Rk65
v$T~i_-E3>H8rf3+3Z>%?=~|?P^W2;zo`V?09hL8cMqn5hX5S&gzO3L4CoE1h

literal 0
HcmV?d00001

diff --git a/src/testdir/test_crash.vim b/src/testdir/test_crash.vim
index e0884e5a0..f7b528c3e 100644
--- a/src/testdir/test_crash.vim
+++ b/src/testdir/test_crash.vim
@@ -46,6 +46,7 @@ func Test_crash1()

let file = 'crash/poc_tagfunc.vim'
let args = printf(cmn_args, vim, file)
+ " using || because this poc causes vim to exit with exitstatus != 0
call term_sendkeys(buf, args ..
\ ' || echo "crash 5: [OK]" >> X_crash1_result.txt' .. "\<cr>")

@@ -59,6 +60,13 @@ func Test_crash1()
call delete('X')
call TermWait(buf, 3000)

+ let file = 'crash/vim_regsub_both_poc'
+ let args = printf(cmn_args, vim, file)
+ " using || because this poc causes vim to exit with exitstatus != 0
+ call term_sendkeys(buf, args ..
+ \ ' && echo "crash 7: [OK]" >> X_crash1_result.txt' .. "\<cr>")
+ call TermWait(buf, 1000)
+
" clean up
exe buf .. "bw!"

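Review bot: The comment on the new crash 7 block says `" using || because this poc causes vim to exit with exitstatus != 0`, but the command it annotates chains with `&&`, so the comment, apparently copied from the crash 5 block, contradicts the code. If a zero exit is what the fixed vim is expected to produce for this poc, the comment should say so, e.g. `" using && because this poc is expected to exit cleanly once fixed`; if a nonzero exit is expected, the operator is wrong and "crash 7: [OK]" would never be written. The wait is also `TermWait(buf, 1000)` where the preceding case uses 3000 ms, which may make this case flaky on slow CI. The enclosing Test_crash1 function starts and ends outside the hunk.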
@@ -71,6 +79,7 @@ func Test_crash1()
\ 'crash 4: [OK]',
\ 'crash 5: [OK]',
\ 'crash 6: [OK]',
+ \ 'crash 7: [OK]',
\ ]

call assert_equal(expected, getline(1, '$'))
diff --git a/src/version.c b/src/version.c
index a5e570e93..2faa9e668 100644
--- a/src/version.c
+++ b/src/version.c
@@ -699,6 +699,8 @@ static char *(features[]) =

static int included_patches[] =
{ /* Add new patch number below this line */
+/**/
+ 1873,
/**/
1872,
/**/
diff --git a/src/window.c b/src/window.c
index 1af2395df..f77ede330 100644
--- a/src/window.c
+++ b/src/window.c
@@ -1733,6 +1733,11 @@ win_exchange(long Prenum)
beep_flush();
return;
}
+ if (text_or_buf_locked())
+ {
+ beep_flush();
+ return;
+ }

#ifdef FEAT_GUI
need_mouse_correct = TRUE;
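Review bot: The added check calls `beep_flush()` after `text_or_buf_locked()` returns true; if that helper already reports an error message, as its name suggests, the beep is redundant and a plain `if (text_or_buf_locked()) return;` would be the more usual shape — worth confirming against its definition. The hunk also gives no hint that this is the fix for the ex_cmds.c overflow, so a comment such as `// Swapping windows changes curbuf, which a command running under textlock (e.g. :s with an expression) still relies on` would document why the swap is refused. win_exchange's body starts before the hunk and continues after it.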