annotate src/testdir/test_plus_arg_edit.vim @ 33811:06219b3bdaf3 v9.0.2121
patch 9.0.2121: [security]: use-after-free in ex_substitute
Commit: https://github.com/vim/vim/commit/26c11c56888d01e298cd8044caf860f3c26f57bb
Author: Christian Brabandt <cb@256bit.org>
Date: Wed Nov 22 21:26:41 2023 +0100
Problem: [security]: use-after-free in ex_substitute
Solution: always allocate memory
closes: #13552
A recursive :substitute command could cause a heap-use-after-free in Vim
(CVE-2023-48706).
The whole reproducible test is a bit tricky; I can only reproduce this
reliably when no previous substitution command has been used yet
(which is the reason the test needs to run as the first one in the
test_substitute.vim file) and as a combination of the `:~` command
together with a :s command that contains the special substitution atom `~\=`
which will make use of a sub-replace special atom and calls a Vim script
function.
There was a comment in the existing :s code that already makes the
`sub` variable allocate memory so that a recursive :s call won't be able
to cause any issues here, so this was known as a potential problem
already. But for the current test-case that one does not work, because
the substitution does not start with `\=` but with `~\=` (and since
there does not yet exist a previous substitution atom, Vim will simply
increment the `sub` pointer (which then was not allocated dynamically)
and later on happily use a sub-replace special expression (which could
then free the `sub` var)).
The following commit fixes this by making the sub var always use
allocated memory, which also means we need to free the pointer whenever
we leave the function. Since sub is now always an allocated variable,
we also no longer need the sub_copy variable, since this one
was used to indicate when sub pointed to allocated memory (and had
therefore to be freed on exit) and when not.
GitHub Security Advisory:
https://github.com/vim/vim/security/advisories/GHSA-c8qm-x72m-q53q
Signed-off-by: Christian Brabandt <cb@256bit.org>
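The ownership problem the commit message describes, reduced to a stand-alone C model (an added example, not Vim's source and not the patch itself). Only `sub` and `sub_copy` echo names from the message; `cmd_buf`, `generation`, `nested_call` and the function names are hypothetical, and the input strings are constructed.

```c
#include <stdlib.h>
#include <string.h>

/* Simplified model, not Vim source. cmd_buf stands in for storage that a
 * nested call may free and replace; generation counts replacements. */
static char *cmd_buf;
static unsigned generation;
static char *dup_str(const char *s) {
    char *p = malloc(strlen(s) + 1);
    return p ? strcpy(p, s) : NULL;
}
static void set_cmd(const char *s) {
    free(cmd_buf); cmd_buf = dup_str(s); generation++;
}
/* Stand-in for an expression callback that re-enters the command. */
static void nested_call(void) { set_cmd("nested"); }

/* Pre-fix shape: sub is copied only when it starts with "\=", otherwise it
 * borrows from cmd_buf. Returns 1 if the borrowed pointer went stale,
 * judged by generation and never by reading freed memory. */
int conditional_copy_goes_stale(void) {
    const char *sub = cmd_buf;
    char *sub_copy = NULL;
    if (strncmp(sub, "\\=", 2) == 0)
        sub_copy = dup_str(sub);          /* owned only on this path */
    else if (*sub == '~')
        sub++;                            /* skipped "~", still borrowed */
    unsigned seen = generation;
    nested_call();                        /* frees what sub points into */
    int stale = (sub_copy == NULL && seen != generation);
    free(sub_copy);
    return stale;
}

/* Post-fix shape: always allocate, free on every exit. Caller frees result. */
char *always_copy(void) {
    const char *p = cmd_buf;
    if (*p == '~') p++;
    char *sub = dup_str(p);               /* private copy before re-entry */
    if (sub == NULL) return NULL;
    nested_call();                        /* cmd_buf replaced, sub unaffected */
    char *result = dup_str(sub);
    free(sub);
    return result;
}

/* Exit status 0 when the stale borrow is detected (constructed input). */
int main(void) { set_cmd("~\\=Expr()"); return !conditional_copy_goes_stale(); }
```

Building the model with AddressSanitizer (`-fsanitize=address`) is a convenient way to confirm that `always_copy` never touches the replaced buffer.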
author | Christian Brabandt <cb@256bit.org> |
---|---|
date | Wed, 22 Nov 2023 22:15:05 +0100 |
parents | 457ea0570b6f |
children |
rev | line source |
---|---|
11651:140d51d5b5c3 | 1 " Tests for complicated + argument to :edit command |
21765:08940efa6b4e | 2 |
11651:140d51d5b5c3 | 3 function Test_edit() |
30592:457ea0570b6f | 4 call writefile(["foo|bar"], "Xfile1", 'D') |
30592:457ea0570b6f | 5 call writefile(["foo/bar"], "Xfile2", 'D') |
11651:140d51d5b5c3 | 6 edit +1|s/|/PIPE/|w Xfile1| e Xfile2|1 | s/\//SLASH/|w |
11651:140d51d5b5c3 | 7 call assert_equal(["fooPIPEbar"], readfile("Xfile1")) |
11651:140d51d5b5c3 | 8 call assert_equal(["fooSLASHbar"], readfile("Xfile2")) |
11651:140d51d5b5c3 | 9 endfunction |
14051:c1ead25ed819 | 10 |
14051:c1ead25ed819 | 11 func Test_edit_bad() |
14051:c1ead25ed819 | 12 " Test loading a utf8 file with bad utf8 sequences. |
30592:457ea0570b6f | 13 call writefile(["[\xff][\xc0][\xe2\x89\xf0][\xc2\xc2]"], "Xbadfile", 'D') |
14051:c1ead25ed819 | 14 new |
14051:c1ead25ed819 | 15 |
14051:c1ead25ed819 | 16 " Without ++bad=..., the default behavior is like ++bad=? |
30051:13b02c1ea0f7 | 17 e! ++enc=utf8 Xbadfile |
14051:c1ead25ed819 | 18 call assert_equal('[?][?][???][??]', getline(1)) |
14051:c1ead25ed819 | 19 |
30051:13b02c1ea0f7 | 20 e! ++encoding=utf8 ++bad=_ Xbadfile |
14051:c1ead25ed819 | 21 call assert_equal('[_][_][___][__]', getline(1)) |
14051:c1ead25ed819 | 22 |
30051:13b02c1ea0f7 | 23 e! ++enc=utf8 ++bad=drop Xbadfile |
14051:c1ead25ed819 | 24 call assert_equal('[][][][]', getline(1)) |
14051:c1ead25ed819 | 25 |
30051:13b02c1ea0f7 | 26 e! ++enc=utf8 ++bad=keep Xbadfile |
14051:c1ead25ed819 | 27 call assert_equal("[\xff][\xc0][\xe2\x89\xf0][\xc2\xc2]", getline(1)) |
14051:c1ead25ed819 | 28 |
30051:13b02c1ea0f7 | 29 call assert_fails('e! ++enc=utf8 ++bad=foo Xbadfile', 'E474:') |
14051:c1ead25ed819 | 30 |
14051:c1ead25ed819 | 31 bw! |
14051:c1ead25ed819 | 32 endfunc |
19407:2f4be7ca1b1b | 33 |
19407:2f4be7ca1b1b | 34 " Test for ++bin and ++nobin arguments |
19407:2f4be7ca1b1b | 35 func Test_binary_arg() |
19407:2f4be7ca1b1b | 36 new |
19407:2f4be7ca1b1b | 37 edit ++bin Xfile1 |
19407:2f4be7ca1b1b | 38 call assert_equal(1, &binary) |
19407:2f4be7ca1b1b | 39 edit ++nobin Xfile2 |
19407:2f4be7ca1b1b | 40 call assert_equal(0, &binary) |
19407:2f4be7ca1b1b | 41 call assert_fails('edit ++binabc Xfile3', 'E474:') |
19407:2f4be7ca1b1b | 42 close! |
19407:2f4be7ca1b1b | 43 endfunc |
19407:2f4be7ca1b1b | 44 |
19407:2f4be7ca1b1b | 45 " vim: shiftwidth=2 sts=2 expandtab |