Mercurial > vim
view runtime/doc/os_qnx.txt @ 33811:06219b3bdaf3 v9.0.2121
patch 9.0.2121: [security]: use-after-free in ex_substitute
Commit: https://github.com/vim/vim/commit/26c11c56888d01e298cd8044caf860f3c26f57bb
Author: Christian Brabandt <cb@256bit.org>
Date: Wed Nov 22 21:26:41 2023 +0100
patch 9.0.2121: [security]: use-after-free in ex_substitute
Problem: [security]: use-after-free in ex_substitute
Solution: always allocate memory
closes: #13552
A recursive :substitute command could cause a heap-use-after free in Vim
(CVE-2023-48706).
The whole reproducible test is a bit tricky, I can only reproduce this
reliably when no previous substitution command has been used yet
(which is the reason, the test needs to run as first one in the
test_substitute.vim file) and as a combination of the `:~` command
together with a :s command that contains the special substitution atom `~\=`
which will make use of a sub-replace special atom and calls a vim script
function.
There was a comment in the existing :s code, that already makes the
`sub` variable allocate memory so that a recursive :s call won't be able
to cause any issues here, so this was known as a potential problem
already. But for the current test-case that one does not work, because
the substitution does not start with `\=` but with `~\=` (and since
there does not yet exist a previous substitution atom, Vim will simply
increment the `sub` pointer (which then was not allocated dynamically)
and later one happily use a sub-replace special expression (which could
then free the `sub` var).
The following commit fixes this, by making the sub var always using
allocated memory, which also means we need to free the pointer whenever
we leave the function. Since sub is now always an allocated variable,
we also do no longer need the sub_copy variable anymore, since this one
was used to indicated when sub pointed to allocated memory (and had
therefore to be freed on exit) and when not.
Github Security Advisory:
https://github.com/vim/vim/security/advisories/GHSA-c8qm-x72m-q53q
Signed-off-by: Christian Brabandt <cb@256bit.org>
| author | Christian Brabandt <cb@256bit.org> |
|---|---|
| date | Wed, 22 Nov 2023 22:15:05 +0100 |
| parents | f8116058ca76 |
| children | 4635e43f2c6f |
line wrap: on
line source
*os_qnx.txt* For Vim version 9.0. Last change: 2005 Mar 29 VIM REFERENCE MANUAL by Julian Kinraid *QNX* *qnx* 1. General |qnx-general| 2. Compiling Vim |qnx-compiling| 3. Terminal support |qnx-terminal| 4. Photon GUI |photon-gui| 5. Photon fonts |photon-fonts| 6. Bugs & things To Do ============================================================================== 1. General *qnx-general* Vim on QNX behaves much like other unix versions. |os_unix.txt| 2. Compiling Vim *qnx-compiling* Vim can be compiled using the standard configure/make approach. If you want to compile for X11, pass the --with-x option to configure. Otherwise, running ./configure without any arguments or passing --enable-gui=photon, will compile vim with the Photon gui support. Run ./configure --help , to find out other features you can enable/disable. 3. Terminal support *qnx-terminal* Vim has support for the mouse and clipboard in a pterm, if those options are compiled in, which they are normally. The options that affect mouse support are |'mouse'| and |'ttymouse'|. When using the mouse, only simple left and right mouse clicking/dragging is supported. If you hold down shift, ctrl, or alt while using the mouse, pterm will handle the mouse itself. It will make a selection, separate from what vim's doing. When the mouse is in use, you can press Alt-RightMouse to open the pterm menu. To turn the mouse off in vim, set the mouse option to nothing, set mouse= 4. Photon GUI *photon-gui* To start the gui for vim, you need to run either gvim or vim -g, otherwise the terminal version will run. For more info - |gui-x11-start| Supported features: :browse command |:browse| :confirm command |:confirm| Cursor blinking |'guicursor'| Menus, popup menus and menu priorities |:menu| |popup-menu| |menu-priority| Toolbar |gui-toolbar| |'toolbar'| Font selector (:set guifont=*) |photon-fonts| Mouse focus |'mousefocus'| Mouse hide |'mousehide'| Mouse cursor shapes |'mouseshape'| Clipboard |gui-clipboard| Unfinished features: Various international support, such as Farsi & Hebrew support, different encodings, etc. This help file Unsupported features: Find & Replace window |:promptfind| Tearoff menus Other things which I can't think of so I can't list them 5. Fonts *photon-fonts* You set fonts in the gui with the guifont option > :set guifont=Lucida\ Terminal < The font must be a monospace font, and any spaces in the font name must be escaped with a '\'. The default font used is PC Terminal, size 8. Using '*' as the font name will open a standard Photon font selector where you can select a font. Following the name, you can include optional settings to control the size and style of the font, each setting separated by a ':'. Not all fonts support the various styles. The options are, s{size} Set the size of the font to {size} b Bold style a Use antialiasing i Italic style Examples: Set the font to monospace size 10 with antialiasing > :set guifont=monospace:s10:a < Set the font to Courier size 12, with bold and italics > :set guifont=Courier:s12:b:i < Select a font with the requester > :set guifont=* < 6. Bugs & things To Do Known problems: - Vim hangs sometimes when running an external program. Workaround: put this line in your |vimrc| file: > set noguipty Bugs: - Still a slight problem with menu highlighting. - When using phditto/phinows/etc., if you are using a font that doesn't support the bold attribute, when vim attempts to draw bold text it will be all messed up. - The cursor can sometimes be hard to see. - A number of minor problems that can fixed. :) Todo: - Improve multi-language support. - Options for setting the fonts used in the menu and toolbar. - Find & Replace dialog. - The clientserver features. - Maybe tearoff menus. - Replace usage of fork() with spawn() when launching external programs. vim:tw=78:sw=4:ts=8:noet:ft=help:norl: