Commit: patch 9.1.0689: [security]: buffer-overflow in do_search() with 'rightleft'
5 views
Skip to first unread message
Christian Brabandt
Aug 22, 2024, 4:15:08 PM8/22/24
to vim...@googlegroups.com
patch 9.1.0689: [security]: buffer-overflow in do_search() with 'rightleft'
Commit: https://github.com/vim/vim/commit/cacb6693c10bb19f28a50eca47bc4bc33eccbae3
Author: Christian Brabandt <c...@256bit.org>
Date: Thu Aug 22 21:40:14 2024 +0200
patch 9.1.0689: [security]: buffer-overflow in do_search() with 'rightleft'
Problem: buffer-overflow in do_search() with 'rightleft'
(SuyueGuo)
Solution: after reversing the text (which allocates a new buffer),
re-calculate the text length
Github Advisory:
https://github.com/vim/vim/security/advisories/GHSA-v2x2-cjcg-f9jm
Signed-off-by: Christian Brabandt <c...@256bit.org>
diff --git a/src/search.c b/src/search.c
index 01c143f69..e5936d829 100644
--- a/src/search.c
+++ b/src/search.c
@@ -1548,6 +1548,7 @@ do_search(
{
vim_free(msgbuf);
msgbuf = r;
+ msgbuflen = STRLEN(msgbuf);
// move reversed text to beginning of buffer
while (*r != NUL && *r == ' ')
r++;
diff --git a/src/testdir/crash/reverse_text_overflow b/src/testdir/crash/reverse_text_overflow
new file mode 100644
index 0000000000000000000000000000000000000000..dfbfe2c9a611aad20c444aec335a11c9edf0ebf6
GIT binary patch
literal 314
zcmXry1p-aY9IoR33dPBssrhM)3jd2U^2_rLbqu9z|CVq9X)Xn>q(lXVCVhRb23)|N
zE3bipfq^S8FSWQNHAN**Oib*hwwRbJkS^m&Fq~h|0JJ0(WXb<}1{SV*1~CP$;>?`X
zyb{H{{G#0drFo_GIgB3FMmmNDaWN_XQ~rBYJLni10@*>;hB~?i!ayJmaxTx`NyVup
zVVNKSeSKbiAYcHRm8wvb!v!>|;lBz<1~>S~o0AIkvu0X!ba6?tE+;2vU|=9;SyC>S
iqZ`Z@Ko_Z~*g}AxN+1Ix1A~|V*fW{Ma)!JL!u0@x2~~;!
literal 0
HcmV?d00001
diff --git a/src/testdir/test_crash.vim b/src/testdir/test_crash.vim
index 800f3e5e6..302d3730b 100644
--- a/src/testdir/test_crash.vim
+++ b/src/testdir/test_crash.vim
@@ -150,6 +150,13 @@ func Test_crash1_2()
\ ' ; echo "crash 4: [OK]" >> '.. result .. "\<cr>")
call TermWait(buf, 150)
+ let file = 'crash/reverse_text_overflow'
+ let cmn_args = "%s -u NONE -i NONE -n -X -m -n -e -s -S %s -c ':qa!'"
+ let args = printf(cmn_args, vim, file)
+ call term_sendkeys(buf, args ..
+ \ ' ; echo "crash 5: [OK]" >> '.. result .. "\<cr>")
+ call TermWait(buf, 150)
+
" clean up
exe buf .. "bw!"
exe "sp " .. result
@@ -158,6 +165,7 @@ func Test_crash1_2()
\ 'crash 2: [OK]',
\ 'crash 3: [OK]',
\ 'crash 4: [OK]',
+ \ 'crash 5: [OK]',
\ ]
call assert_equal(expected, getline(1, '$'))
@@ -201,6 +209,7 @@ func Test_crash1_3()
let args = printf(cmn_args, vim, file)
call term_sendkeys(buf, args)
call TermWait(buf, 150)
+ call delete('Untitled')
let file = 'crash/nullpointer'
let cmn_args = "%s -u NONE -i NONE -n -e -s -S %s -c ':qa!'\<cr>"
diff --git a/src/version.c b/src/version.c
index e77ef0f4c..05ae6ca2a 100644
--- a/src/version.c
+++ b/src/version.c
@@ -704,6 +704,8 @@ static char *(features[]) =
static int included_patches[] =
{ /* Add new patch number below this line */
+/**/
+ 689,
/**/
688,
/**/
Commit: https://github.com/vim/vim/commit/cacb6693c10bb19f28a50eca47bc4bc33eccbae3
Author: Christian Brabandt <c...@256bit.org>
Date: Thu Aug 22 21:40:14 2024 +0200
patch 9.1.0689: [security]: buffer-overflow in do_search() with 'rightleft'
Problem: buffer-overflow in do_search() with 'rightleft'
(SuyueGuo)
Solution: after reversing the text (which allocates a new buffer),
re-calculate the text length
Github Advisory:
https://github.com/vim/vim/security/advisories/GHSA-v2x2-cjcg-f9jm
Signed-off-by: Christian Brabandt <c...@256bit.org>
diff --git a/src/search.c b/src/search.c
index 01c143f69..e5936d829 100644
--- a/src/search.c
+++ b/src/search.c
@@ -1548,6 +1548,7 @@ do_search(
{
vim_free(msgbuf);
msgbuf = r;
+ msgbuflen = STRLEN(msgbuf);
// move reversed text to beginning of buffer
while (*r != NUL && *r == ' ')
r++;
diff --git a/src/testdir/crash/reverse_text_overflow b/src/testdir/crash/reverse_text_overflow
new file mode 100644
index 0000000000000000000000000000000000000000..dfbfe2c9a611aad20c444aec335a11c9edf0ebf6
GIT binary patch
literal 314
zcmXry1p-aY9IoR33dPBssrhM)3jd2U^2_rLbqu9z|CVq9X)Xn>q(lXVCVhRb23)|N
zE3bipfq^S8FSWQNHAN**Oib*hwwRbJkS^m&Fq~h|0JJ0(WXb<}1{SV*1~CP$;>?`X
zyb{H{{G#0drFo_GIgB3FMmmNDaWN_XQ~rBYJLni10@*>;hB~?i!ayJmaxTx`NyVup
zVVNKSeSKbiAYcHRm8wvb!v!>|;lBz<1~>S~o0AIkvu0X!ba6?tE+;2vU|=9;SyC>S
iqZ`Z@Ko_Z~*g}AxN+1Ix1A~|V*fW{Ma)!JL!u0@x2~~;!
literal 0
HcmV?d00001
diff --git a/src/testdir/test_crash.vim b/src/testdir/test_crash.vim
index 800f3e5e6..302d3730b 100644
--- a/src/testdir/test_crash.vim
+++ b/src/testdir/test_crash.vim
@@ -150,6 +150,13 @@ func Test_crash1_2()
\ ' ; echo "crash 4: [OK]" >> '.. result .. "\<cr>")
call TermWait(buf, 150)
+ let file = 'crash/reverse_text_overflow'
+ let cmn_args = "%s -u NONE -i NONE -n -X -m -n -e -s -S %s -c ':qa!'"
+ let args = printf(cmn_args, vim, file)
+ call term_sendkeys(buf, args ..
+ \ ' ; echo "crash 5: [OK]" >> '.. result .. "\<cr>")
+ call TermWait(buf, 150)
+
" clean up
exe buf .. "bw!"
exe "sp " .. result
@@ -158,6 +165,7 @@ func Test_crash1_2()
\ 'crash 2: [OK]',
\ 'crash 3: [OK]',
\ 'crash 4: [OK]',
+ \ 'crash 5: [OK]',
\ ]
call assert_equal(expected, getline(1, '$'))
@@ -201,6 +209,7 @@ func Test_crash1_3()
let args = printf(cmn_args, vim, file)
call term_sendkeys(buf, args)
call TermWait(buf, 150)
+ call delete('Untitled')
let file = 'crash/nullpointer'
let cmn_args = "%s -u NONE -i NONE -n -e -s -S %s -c ':qa!'\<cr>"
diff --git a/src/version.c b/src/version.c
index e77ef0f4c..05ae6ca2a 100644
--- a/src/version.c
+++ b/src/version.c
@@ -704,6 +704,8 @@ static char *(features[]) =
static int included_patches[] =
{ /* Add new patch number below this line */
+/**/
+ 689,
/**/
688,
/**/
Reply all
Reply to author
Forward
0 new messages