[vim/vim] ml_recover() may write beyond block buffer (PR #20645)

0 views

Skip to first unread message

Christian Brabandt

unread,

3:45 PM (6 hours ago) 3:45 PM

to vim/vim, Subscribed

Problem: A crafted swap file can cause an out-of-bounds write during
recovery when the same block is referenced twice with
different pe_page_count values (cipher-security)
Solution: Check hp->bh_page_count against page_count after mf_get() and
clamp page_count to the actual block size.

You can view, comment on, or merge this pull request online at:

https://github.com/vim/vim/pull/20645

Commit Summary

23dab04 ml_recover() may write beyond block buffer

File Changes

(4 files)

M src/memline.c (14)
M src/po/vim.pot (5)
A src/testdir/samples/recover-mismatch-pc.swp (0)
M src/testdir/test_recover.vim (17)

Patch Links:

—
Reply to this email directly, view it on GitHub, or unsubscribe.
Triage notifications, keep track of coding agent tasks and review pull requests on the go with GitHub Mobile for iOS and Android. Download it today!
You are receiving this because you are subscribed to this thread.

Reply all

Reply to author

Forward

0 new messages