Mercurial > vim
annotate runtime/autoload/spellfile.vim @ 33150:cdc797578b8b v9.0.1857
patch 9.0.1857: [security] heap-use-after-free in is_qf_win()
Commit: https://github.com/vim/vim/commit/fc68299d436cf87453e432daa77b6d545df4d7ed
Author: Christian Brabandt <cb@256bit.org>
Date: Sun Sep 3 20:20:52 2023 +0200
patch 9.0.1857: [security] heap-use-after-free in is_qf_win()
Problem: heap-use-after-free in is_qf_win()
Solution: Check buffer is valid before accessing it
Signed-off-by: Christian Brabandt <cb@256bit.org>
author | Christian Brabandt <cb@256bit.org> |
---|---|
date | Sun, 03 Sep 2023 20:30:02 +0200 |
parents | 4027cefc2aab |
children |
rev | line source |
---|---|
651 | 1 " Vim script to download a missing spell file |
32770
4027cefc2aab
Farewell to Bram and dedicate upcoming Vim 9.1 to him (#12749)
Christian Brabandt <cb@256bit.org>
parents:
21250
diff
changeset
|
2 " Maintainer: The Vim Project <https://github.com/vim/vim> |
4027cefc2aab
Farewell to Bram and dedicate upcoming Vim 9.1 to him (#12749)
Christian Brabandt <cb@256bit.org>
parents:
21250
diff
changeset
|
3 " Last Change: 2023 Aug 10 |
4027cefc2aab
Farewell to Bram and dedicate upcoming Vim 9.1 to him (#12749)
Christian Brabandt <cb@256bit.org>
parents:
21250
diff
changeset
|
4 " Former Maintainer: Bram Moolenaar <Bram@vim.org> |
651 | 5 |
6 if !exists('g:spellfile_URL') | |
21250 | 7 " Always use https:// because it's secure. The certificate is for nluug.nl, |
8 " thus we can't use the alias ftp.vim.org here. | |
9 let g:spellfile_URL = 'https://ftp.nluug.nl/pub/vim/runtime/spell' | |
651 | 10 endif |
11 let s:spellfile_URL = '' " Start with nothing so that s:donedict is reset. | |
12 | |
13 " This function is used for the spellfile plugin. | |
14 function! spellfile#LoadFile(lang) | |
15 " If the netrw plugin isn't loaded we silently skip everything. | |
16 if !exists(":Nread") | |
17 if &verbose | |
18 echomsg 'spellfile#LoadFile(): Nread command is not available.' | |
19 endif | |
20 return | |
21 endif | |
14372 | 22 let lang = tolower(a:lang) |
651 | 23 |
24 " If the URL changes we try all files again. | |
25 if s:spellfile_URL != g:spellfile_URL | |
26 let s:donedict = {} | |
27 let s:spellfile_URL = g:spellfile_URL | |
28 endif | |
29 | |
30 " I will say this only once! | |
14372 | 31 if has_key(s:donedict, lang . &enc) |
651 | 32 if &verbose |
33 echomsg 'spellfile#LoadFile(): Tried this language/encoding before.' | |
34 endif | |
35 return | |
36 endif | |
14372 | 37 let s:donedict[lang . &enc] = 1 |
651 | 38 |
39 " Find spell directories we can write in. | |
2034 | 40 let [dirlist, dirchoices] = spellfile#GetDirChoices() |
651 | 41 if len(dirlist) == 0 |
2034 | 42 let dir_to_create = spellfile#WritableSpellDir() |
43 if &verbose || dir_to_create != '' | |
651 | 44 echomsg 'spellfile#LoadFile(): There is no writable spell directory.' |
45 endif | |
2034 | 46 if dir_to_create != '' |
47 if confirm("Shall I create " . dir_to_create, "&Yes\n&No", 2) == 1 | |
48 " After creating the directory it should show up in the list. | |
49 call mkdir(dir_to_create, "p") | |
50 let [dirlist, dirchoices] = spellfile#GetDirChoices() | |
51 endif | |
52 endif | |
53 if len(dirlist) == 0 | |
54 return | |
55 endif | |
651 | 56 endif |
57 | |
14372 | 58 let msg = 'Cannot find spell file for "' . lang . '" in ' . &enc |
651 | 59 let msg .= "\nDo you want me to try downloading it?" |
60 if confirm(msg, "&Yes\n&No", 2) == 1 | |
61 let enc = &encoding | |
62 if enc == 'iso-8859-15' | |
63 let enc = 'latin1' | |
64 endif | |
14372 | 65 let fname = lang . '.' . enc . '.spl' |
651 | 66 |
67 " Split the window, read the file into a new buffer. | |
1185 | 68 " Remember the buffer number, we check it below. |
651 | 69 new |
1185 | 70 let newbufnr = winbufnr(0) |
3256 | 71 setlocal bin fenc= |
651 | 72 echo 'Downloading ' . fname . '...' |
884 | 73 call spellfile#Nread(fname) |
651 | 74 if getline(2) !~ 'VIMspell' |
75 " Didn't work, perhaps there is an ASCII one. | |
1185 | 76 " Careful: Nread() may have opened a new window for the error message, |
77 " we need to go back to our own buffer and window. | |
78 if newbufnr != winbufnr(0) | |
79 let winnr = bufwinnr(newbufnr) | |
80 if winnr == -1 | |
81 " Our buffer has vanished!? Open a new window. | |
82 echomsg "download buffer disappeared, opening a new one" | |
83 new | |
3256 | 84 setlocal bin fenc= |
1185 | 85 else |
86 exe winnr . "wincmd w" | |
87 endif | |
88 endif | |
89 if newbufnr == winbufnr(0) | |
90 " We are back the old buffer, remove any (half-finished) download. | |
91 g/^/d | |
92 else | |
93 let newbufnr = winbufnr(0) | |
94 endif | |
95 | |
14372 | 96 let fname = lang . '.ascii.spl' |
651 | 97 echo 'Could not find it, trying ' . fname . '...' |
884 | 98 call spellfile#Nread(fname) |
651 | 99 if getline(2) !~ 'VIMspell' |
100 echo 'Sorry, downloading failed' | |
1185 | 101 exe newbufnr . "bwipe!" |
651 | 102 return |
103 endif | |
104 endif | |
105 | |
106 " Delete the empty first line and mark the file unmodified. | |
107 1d | |
108 set nomod | |
109 | |
110 let msg = "In which directory do you want to write the file:" | |
111 for i in range(len(dirlist)) | |
112 let msg .= "\n" . (i + 1) . '. ' . dirlist[i] | |
113 endfor | |
114 let dirchoice = confirm(msg, dirchoices) - 2 | |
115 if dirchoice >= 0 | |
1624 | 116 if exists('*fnameescape') |
117 let dirname = fnameescape(dirlist[dirchoice]) | |
118 else | |
119 let dirname = escape(dirlist[dirchoice], ' ') | |
120 endif | |
3256 | 121 setlocal fenc= |
1624 | 122 exe "write " . dirname . '/' . fname |
651 | 123 |
124 " Also download the .sug file, if the user wants to. | |
125 let msg = "Do you want me to try getting the .sug file?\n" | |
126 let msg .= "This will improve making suggestions for spelling mistakes,\n" | |
127 let msg .= "but it uses quite a bit of memory." | |
128 if confirm(msg, "&No\n&Yes") == 2 | |
129 g/^/d | |
130 let fname = substitute(fname, '\.spl$', '.sug', '') | |
131 echo 'Downloading ' . fname . '...' | |
884 | 132 call spellfile#Nread(fname) |
1185 | 133 if getline(2) =~ 'VIMsug' |
651 | 134 1d |
1624 | 135 exe "write " . dirname . '/' . fname |
1185 | 136 set nomod |
137 else | |
138 echo 'Sorry, downloading failed' | |
139 " Go back to our own buffer/window, Nread() may have taken us to | |
140 " another window. | |
141 if newbufnr != winbufnr(0) | |
142 let winnr = bufwinnr(newbufnr) | |
143 if winnr != -1 | |
144 exe winnr . "wincmd w" | |
145 endif | |
146 endif | |
147 if newbufnr == winbufnr(0) | |
148 set nomod | |
149 endif | |
651 | 150 endif |
151 endif | |
152 endif | |
153 | |
1185 | 154 " Wipe out the buffer we used. |
155 exe newbufnr . "bwipe" | |
651 | 156 endif |
157 endfunc | |
884 | 158 |
950 | 159 " Read "fname" from the server. |
884 | 160 function! spellfile#Nread(fname) |
1226 | 161 " We do our own error handling, don't want a window for it. |
162 if exists("g:netrw_use_errorwindow") | |
163 let save_ew = g:netrw_use_errorwindow | |
164 endif | |
165 let g:netrw_use_errorwindow=0 | |
166 | |
950 | 167 if g:spellfile_URL =~ '^ftp://' |
168 " for an ftp server use a default login and password to avoid a prompt | |
169 let machine = substitute(g:spellfile_URL, 'ftp://\([^/]*\).*', '\1', '') | |
170 let dir = substitute(g:spellfile_URL, 'ftp://[^/]*/\(.*\)', '\1', '') | |
171 exe 'Nread "' . machine . ' anonymous vim7user ' . dir . '/' . a:fname . '"' | |
172 else | |
173 exe 'Nread ' g:spellfile_URL . '/' . a:fname | |
174 endif | |
1226 | 175 |
176 if exists("save_ew") | |
177 let g:netrw_use_errorwindow = save_ew | |
178 else | |
179 unlet g:netrw_use_errorwindow | |
180 endif | |
884 | 181 endfunc |
2034 | 182 |
183 " Get a list of writable spell directories and choices for confirm(). | |
184 function! spellfile#GetDirChoices() | |
185 let dirlist = [] | |
186 let dirchoices = '&Cancel' | |
187 for dir in split(globpath(&rtp, 'spell'), "\n") | |
188 if filewritable(dir) == 2 | |
189 call add(dirlist, dir) | |
190 let dirchoices .= "\n&" . len(dirlist) | |
191 endif | |
192 endfor | |
193 return [dirlist, dirchoices] | |
194 endfunc | |
195 | |
196 function! spellfile#WritableSpellDir() | |
197 if has("unix") | |
198 " For Unix always use the $HOME/.vim directory | |
199 return $HOME . "/.vim/spell" | |
200 endif | |
201 for dir in split(&rtp, ',') | |
202 if filewritable(dir) == 2 | |
203 return dir . "/spell" | |
204 endif | |
205 endfor | |
206 return '' | |
207 endfunction |