Commit: patch 9.2.0671: [security]: possible out-of-bounds read with sodium encrypted files

Christian Brabandt

Jun 18, 2026, 3:00:14 PM
to vim...@googlegroups.com
patch 9.2.0671: [security]: possible out-of-bounds read with sodium encrypted files

Commit: https://github.com/vim/vim/commit/c8777cec25dcfae89c42e9aff51af61f71c5745f
Author: Christian Brabandt <c...@256bit.org>
Date: Thu Jun 18 18:41:16 2026 +0000

patch 9.2.0671: [security]: possible out-of-bounds read with sodium encrypted files

Problem: [security]: possible out-of-bounds read with sodium encrypted
files (cipher-creator)
Solution: Verify that there is enough space before calling
crypto_secretstream_xchacha20poly1305_init_pull()

Github Security Advisory:
https://github.com/vim/vim/security/advisories/GHSA-c4j9-wr9j-4486

Supported by AI

Signed-off-by: Christian Brabandt <c...@256bit.org>

diff --git a/src/crypt.c b/src/crypt.c
index 2fade5db9..879ecbf6c 100644
--- a/src/crypt.c
+++ b/src/crypt.c
@@ -1262,7 +1262,8 @@ crypt_sodium_buffer_decode(

if (sod_st->count == 0)
{
- if (crypto_secretstream_xchacha20poly1305_init_pull(&sod_st->state,
+ if (len < crypto_secretstream_xchacha20poly1305_HEADERBYTES ||
+ crypto_secretstream_xchacha20poly1305_init_pull(&sod_st->state,
from, sod_st->key) != 0)
{
emsg(_(e_libsodium_decryption_failed_header_incomplete));
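Review bot: The new `len < crypto_secretstream_xchacha20poly1305_HEADERBYTES` test in the `sod_st->count == 0` branch has no comment saying what it protects, and because it shares the error path with the init_pull() failure check it could be mistaken for redundant and dropped in a later cleanup. Add a one-line comment stating that `from` must hold a complete secretstream header before crypto_secretstream_xchacha20poly1305_init_pull() reads it. The declaration of `len` is outside this hunk; confirm it is an unsigned type so that the comparison cannot be satisfied by a negative length.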
diff --git a/src/testdir/test_crypt.vim b/src/testdir/test_crypt.vim
index d540fbbd6..5c9dfe3ba 100644
--- a/src/testdir/test_crypt.vim
+++ b/src/testdir/test_crypt.vim
@@ -491,4 +491,28 @@ func Test_crypt_off_by_one()
bwipe!
endfunc

+func Test_crypt_sodium_short_body()
+ CheckFeature sodium
+ " A VimCrypt~04! file with a complete 36-byte header (12 magic + 16 salt +
+ " 8 seed) but a body shorter than one secretstream header (24 bytes) used to
+ " underflow the body length and crash with a wild out-of-bounds read in
+ " crypto_secretstream_xchacha20poly1305_pull(). It must now fail cleanly.
+ " Bytes: "VimCrypt~04!" + 16 salt + 8 seed + 8-byte body = 44 bytes.
+ call writefile(0z56696D43727970747E303421
+ \ + 0zA0A1A2A3A4A5A6A7A8A9AAABACADAEAF
+ \ + 0zB0B1B2B3B4B5B6B7
+ \ + 0z0000000000000000, 'Xtest_sodium_short')
+
+ let v:errmsg = ''
+ try
+ call feedkeys(":split Xtest_sodium_short\<CR>foobar\<CR>", "xt")
+ catch /^Vim\%((\S\+)\)\=:E1198:/
+ " no-op
+ endtry
+
+ bwipe!
+ call delete('Xtest_sodium_short')
+ set key=
+endfunc
+
" vim: shiftwidth=2 sts=2 expandtab
diff --git a/src/version.c b/src/version.c
index 7d1c8885b..ba2f392d1 100644
--- a/src/version.c
+++ b/src/version.c
@@ -759,6 +759,8 @@ static char *(features[]) =

static int included_patches[] =
{ /* Add new patch number below this line */
+/**/
+ 671,
/**/
670,
/**/