[vim/vim] SIGSEGV crash due to unverified 'shellpipe' (Issue #20157)

4 views
Skip to first unread message

bfredl

unread,
6:00 AM (15 hours ago) 6:00 AM
to vim/vim, Subscribed
bfredl created an issue (vim/vim#20157)

Steps to reproduce

vim --clean -N

:set shellpipe=%s%s%s%s%s%s%s%s

:make

This triggers a crash as append_redir() uses user options as a snprintf format string without verification. The above example is quite silly just to maximize the chance of demonstrating a segfault, but even an innocent mistake like set shellpipe=2> %s|tee %s is enough to trigger UB and a possible crash.

This is not a security issue, as 'shellpipe' is already disabled in modeline.

Expected behaviour

no crash. (possibly an error when setting the option to an invalid value)

Version of Vim

version 9.2.449

Environment

arch linux, gcc 15.2.1
pangoterm
TERM=xterm
/bin/zsh

Logs and stack traces





Reply to this email directly, view it on GitHub, or unsubscribe.
Triage notifications on the go with GitHub Mobile for iOS or Android.

You are receiving this because you are subscribed to this thread.Message ID: <vim/vim/issues/20157@github.com>




Reply all
Reply to author
Forward
0 new messages