Commit: patch 9.1.0254: [security]: Heap buffer overflow when calling complete_add() in 'cfu'


Christian Brabandt

Apr 2, 2024, 1:15:12 PM4/2/24
to vim...@googlegroups.com
patch 9.1.0254: [security]: Heap buffer overflow when calling complete_add() in 'cfu'

Commit: https://github.com/vim/vim/commit/0a419e07a705675ac159218f42c1daa151d2ceea
Author: zeertzjq <zeer...@outlook.com>
Date: Tue Apr 2 19:01:14 2024 +0200

patch 9.1.0254: [security]: Heap buffer overflow when calling complete_add() in 'cfu'

Problem: [security]: Heap buffer overflow when calling complete_add()
in the first call of 'completefunc'
Solution: Call check_cursor() after calling 'completefunc' (zeertzjq)

closes: #14391

Signed-off-by: zeertzjq <zeer...@outlook.com>
Signed-off-by: Christian Brabandt <c...@256bit.org>

diff --git a/src/insexpand.c b/src/insexpand.c
index 9b5e5de64..93a56a8bd 100644
--- a/src/insexpand.c
+++ b/src/insexpand.c
@@ -2741,6 +2741,7 @@ expand_by_function(int type, char_u *base)
--textlock;

curwin->w_cursor = pos; // restore the cursor position
+ check_cursor(); // make sure cursor position is valid, just in case
validate_cursor();
if (!EQUAL_POS(curwin->w_cursor, pos))
{
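Review bot: The added comment `// make sure cursor position is valid, just in case` undersells a change the commit itself tags [security]; it should state why the restored position can be stale so the next reader does not drop the call as redundant. Something like `// 'completefunc' may have changed the buffer (see #14391: complete_add() during findstart); clamp so a stale column cannot index past the line` would do. The order check_cursor() before validate_cursor() looks right, assuming validate_cursor() derives screen state from w_cursor rather than bounds-checking it, and the EQUAL_POS check on the next line then reports the clamped position as a changed one. expand_by_function() begins before and continues past this hunk.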
@@ -4606,6 +4607,7 @@ get_userdefined_compl_info(colnr_T curs_col UNUSED)

State = save_State;
curwin->w_cursor = pos; // restore the cursor position
+ check_cursor(); // make sure cursor position is valid, just in case
validate_cursor();
if (!EQUAL_POS(curwin->w_cursor, pos))
{
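Review bot: Clamping the cursor here is a backstop, not a fix for the cause named in the description: complete_add() can run during the findstart call, before the completion state is set up, and this hunk only makes the resulting stale cursor harmless rather than preventing the state change. If f_complete_add() has no guard for the findstart phase — it is not in this diff, so I cannot tell — rejecting the call there while the first 'completefunc' call is in progress would close the path instead of containing it. The restore-check sequence is now duplicated with expand_by_function(); a small `static void restore_cursor_after_complfunc(pos_T pos)` would keep the two from drifting. get_userdefined_compl_info() begins before and continues past this hunk.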
diff --git a/src/testdir/test_ins_complete.vim b/src/testdir/test_ins_complete.vim
index 376d82ff5..eb89a15c5 100644
--- a/src/testdir/test_ins_complete.vim
+++ b/src/testdir/test_ins_complete.vim
@@ -2429,4 +2429,26 @@ func Test_complete_changed_complete_info()
call StopVimInTerminal(buf)
endfunc

+func Test_completefunc_first_call_complete_add()
+ new
+
+ func Complete(findstart, base) abort
+ if a:findstart
+ let col = col('.')
+ call complete_add('#')
+ return col - 1
+ else
+ return []
+ endif
+ endfunc
+
+ set completeopt=longest completefunc=Complete
+ " This used to cause heap-buffer-overflow
+ call assert_fails('call feedkeys("ifoo#\<C-X>\<C-U>", "xt")', 'E840:')
+
+ delfunc Complete
+ set completeopt& completefunc&
+ bwipe!
+endfunc
+
" vim: shiftwidth=2 sts=2 expandtab nofoldenable
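Review bot: The test pins E840 but nothing records that `completeopt=longest` is what makes complete_add() disturb the buffer during findstart (if that is the trigger — the patch does not say), so a later edit to that `set` line could silently turn this into a test of nothing. A comment above it such as `" 'longest' is needed to reproduce; see #14391` would protect the regression. It would also be worth asserting the buffer contents after the failure, e.g. `call assert_equal(['foo#'], getline(1, '$'))` adjusted to whatever the clamped result actually is, so a future change that swallows text instead of erroring is caught; I cannot tell from the diff which content to expect.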
diff --git a/src/version.c b/src/version.c
index 4c7ab8436..abb028b6d 100644
--- a/src/version.c
+++ b/src/version.c
@@ -704,6 +704,8 @@ static char *(features[]) =

static int included_patches[] =
{ /* Add new patch number below this line */
+/**/
+ 254,
/**/
253,
/**/