Mercurial > vim
view src/testdir/test_listlbr_utf8.vim @ 33811:06219b3bdaf3 v9.0.2121
patch 9.0.2121: [security]: use-after-free in ex_substitute
Commit: https://github.com/vim/vim/commit/26c11c56888d01e298cd8044caf860f3c26f57bb
Author: Christian Brabandt <cb@256bit.org>
Date: Wed Nov 22 21:26:41 2023 +0100
patch 9.0.2121: [security]: use-after-free in ex_substitute
Problem: [security]: use-after-free in ex_substitute
Solution: always allocate memory
closes: #13552
A recursive :substitute command could cause a heap-use-after free in Vim
(CVE-2023-48706).
The whole reproducible test is a bit tricky, I can only reproduce this
reliably when no previous substitution command has been used yet
(which is the reason, the test needs to run as first one in the
test_substitute.vim file) and as a combination of the `:~` command
together with a :s command that contains the special substitution atom `~\=`
which will make use of a sub-replace special atom and calls a vim script
function.
There was a comment in the existing :s code, that already makes the
`sub` variable allocate memory so that a recursive :s call won't be able
to cause any issues here, so this was known as a potential problem
already. But for the current test-case that one does not work, because
the substitution does not start with `\=` but with `~\=` (and since
there does not yet exist a previous substitution atom, Vim will simply
increment the `sub` pointer (which then was not allocated dynamically)
and later one happily use a sub-replace special expression (which could
then free the `sub` var).
The following commit fixes this, by making the sub var always using
allocated memory, which also means we need to free the pointer whenever
we leave the function. Since sub is now always an allocated variable,
we also do no longer need the sub_copy variable anymore, since this one
was used to indicated when sub pointed to allocated memory (and had
therefore to be freed on exit) and when not.
Github Security Advisory:
https://github.com/vim/vim/security/advisories/GHSA-c8qm-x72m-q53q
Signed-off-by: Christian Brabandt <cb@256bit.org>
| author | Christian Brabandt <cb@256bit.org> |
|---|---|
| date | Wed, 22 Nov 2023 22:15:05 +0100 |
| parents | ccfca4f03a2b |
| children | 5525b635ed4a |
line wrap: on
line source
" Test for linebreak and list option in utf-8 mode set encoding=utf-8 scriptencoding utf-8 source check.vim CheckOption linebreak CheckFeature conceal CheckFeature signs source view_util.vim func s:screen_lines(lnum, width) abort return ScreenLines(a:lnum, a:width) endfunc func s:compare_lines(expect, actual) call assert_equal(a:expect, a:actual) endfunc func s:screen_attr(lnum, chars, ...) abort let line = getline(a:lnum) let attr = [] let prefix = get(a:000, 0, 0) for i in range(a:chars[0], a:chars[1]) let scol = strdisplaywidth(strcharpart(line, 0, i-1)) + 1 let attr += [screenattr(a:lnum, scol + prefix)] endfor return attr endfunc func s:test_windows(...) call NewWindow(10, 20) setl ts=4 sw=4 sts=4 linebreak sbr=+ wrap exe get(a:000, 0, '') endfunc func s:close_windows(...) call CloseWindow() exe get(a:000, 0, '') endfunc func Test_linebreak_with_fancy_listchars() call s:test_windows("setl list listchars=nbsp:\u2423,tab:\u2595\u2014,trail:\u02d1,eol:\ub6") call setline(1, "\tabcdef hijklmn\tpqrstuvwxyz\u00a01060ABCDEFGHIJKLMNOP ") redraw! let lines = s:screen_lines([1, 4], winwidth(0)) let expect = [ \ "▕———abcdef ", \ "+hijklmn▕——— ", \ "+pqrstuvwxyz␣1060ABC", \ "+DEFGHIJKLMNOPˑ¶ ", \ ] call s:compare_lines(expect, lines) call s:close_windows() endfunc func Test_nolinebreak_with_list() call s:test_windows("setl nolinebreak list listchars=nbsp:\u2423,tab:\u2595\u2014,trail:\u02d1,eol:\ub6") call setline(1, "\tabcdef hijklmn\tpqrstuvwxyz\u00a01060ABCDEFGHIJKLMNOP ") redraw! let lines = s:screen_lines([1, 4], winwidth(0)) let expect = [ \ "▕———abcdef hijklmn▕—", \ "+pqrstuvwxyz␣1060ABC", \ "+DEFGHIJKLMNOPˑ¶ ", \ "~ ", \ ] call s:compare_lines(expect, lines) call s:close_windows() endfunc " this was causing a crash func Test_linebreak_with_list_and_tabs() set linebreak list listchars=tab:⇤\ ⇥ tabstop=100 new call setline(1, "\t\t\ttext") redraw bwipe! set nolinebreak nolist listchars&vim tabstop=8 endfunc func Test_linebreak_with_nolist() call s:test_windows('setl nolist') call setline(1, "\t*mask = nil;") redraw! let lines = s:screen_lines([1, 4], winwidth(0)) let expect = [ \ " *mask = nil; ", \ "~ ", \ "~ ", \ "~ ", \ ] call s:compare_lines(expect, lines) call s:close_windows() endfunc func Test_list_and_concealing1() call s:test_windows('setl list listchars=tab:>- cole=1') call setline(1, [ \ "#define ABCDE\t\t1", \ "#define ABCDEF\t\t1", \ "#define ABCDEFG\t\t1", \ "#define ABCDEFGH\t1", \ "#define MSG_MODE_FILE\t\t\t1", \ "#define MSG_MODE_CONSOLE\t\t2", \ "#define MSG_MODE_FILE_AND_CONSOLE\t3", \ "#define MSG_MODE_FILE_THEN_CONSOLE\t4", \ ]) vert resize 40 syn match Conceal conceal cchar=>'AB\|MSG_MODE' redraw! let lines = s:screen_lines([1, 7], winwidth(0)) let expect = [ \ "#define ABCDE>-->---1 ", \ "#define >CDEF>-->---1 ", \ "#define >CDEFG>->---1 ", \ "#define >CDEFGH>----1 ", \ "#define >_FILE>--------->--->---1 ", \ "#define >_CONSOLE>---------->---2 ", \ "#define >_FILE_AND_CONSOLE>---------3 ", \ ] call s:compare_lines(expect, lines) call s:close_windows() endfunc func Test_list_and_concealing2() call s:test_windows('setl nowrap ts=2 list listchars=tab:>- cole=2 concealcursor=n') call setline(1, "bbeeeeee\t\t;\tsome text") vert resize 40 syn clear syn match meaning /;\s*\zs.*/ syn match hasword /^\x\{8}/ contains=word syn match word /\<\x\{8}\>/ contains=beginword,endword contained syn match beginword /\<\x\x/ contained conceal syn match endword /\x\{6}\>/ contained hi meaning guibg=blue hi beginword guibg=green hi endword guibg=red redraw! let lines = s:screen_lines([1, 1], winwidth(0)) let expect = [ \ "eeeeee>--->-;>some text ", \ ] call s:compare_lines(expect, lines) call s:close_windows() endfunc func Test_screenattr_for_comment() call s:test_windows("setl ft=c ts=7 list listchars=nbsp:\u2423,tab:\u2595\u2014,trail:\u02d1,eol:\ub6") call setline(1, " /*\t\t and some more */") norm! gg0 syntax on hi SpecialKey term=underline ctermfg=red guifg=red redraw! let line = getline(1) let attr = s:screen_attr(1, [1, 6]) call assert_notequal(attr[0], attr[1]) call assert_notequal(attr[1], attr[3]) call assert_notequal(attr[3], attr[5]) call s:close_windows() endfunc func Test_visual_block_and_selection_exclusive() call s:test_windows('setl selection=exclusive') call setline(1, "long line: " . repeat("foobar ", 40) . "TARGETÃ' at end") exe "norm! $3B\<C-v>eAx\<Esc>" let lines = s:screen_lines([1, 10], winwidth(0)) let expect = [ \ "+foobar foobar ", \ "+foobar foobar ", \ "+foobar foobar ", \ "+foobar foobar ", \ "+foobar foobar ", \ "+foobar foobar ", \ "+foobar foobar ", \ "+foobar foobar ", \ "+foobar foobar ", \ "+foobar TARGETÃx' ", \ ] call s:compare_lines(expect, lines) call s:close_windows() endfunc func Test_multibyte_sign_and_colorcolumn() call s:test_windows("setl nolinebreak cc=3 list listchars=nbsp:\u2423,tab:\u2595\u2014,trail:\u02d1,eol:\ub6") call setline(1, ["", "a b c", "a b c"]) exe "sign define foo text=\uff0b" exe "sign place 1 name=foo line=2 buffer=" . bufnr('%') redraw! norm! ggj0 let signwidth = strdisplaywidth("\uff0b") let attr1 = s:screen_attr(2, [1, 3], signwidth) let attr2 = s:screen_attr(3, [1, 3], signwidth) call assert_equal(attr1[0], attr2[0]) call assert_equal(attr1[1], attr2[1]) call assert_equal(attr1[2], attr2[2]) let lines = s:screen_lines([1, 3], winwidth(0)) let expect = [ \ " ¶ ", \ "+a b c¶ ", \ " a b c¶ ", \ ] call s:compare_lines(expect, lines) call s:close_windows() endfunc func Test_colorcolumn_priority() call s:test_windows('setl cc=4 cuc hls') call setline(1, ["xxyy", ""]) norm! gg exe "normal! /xxyy\<CR>" norm! G redraw! let line_attr = s:screen_attr(1, [1, &cc]) " Search wins over CursorColumn call assert_equal(line_attr[1], line_attr[0]) " Search wins over Colorcolumn call assert_equal(line_attr[2], line_attr[3]) call s:close_windows('setl hls&vim') endfunc func Test_illegal_byte_and_breakat() call s:test_windows("setl sbr= brk+=<") vert resize 18 call setline(1, repeat("\x80", 6)) redraw! let lines = s:screen_lines([1, 2], winwidth(0)) let expect = [ \ "<80><80><80><80><8", \ "0><80> ", \ ] call s:compare_lines(expect, lines) call s:close_windows('setl brk&vim') endfunc func Test_multibyte_wrap_and_breakat() call s:test_windows("setl sbr= brk+=>") call setline(1, repeat('a', 17) . repeat('あ', 2)) redraw! let lines = s:screen_lines([1, 2], winwidth(0)) let expect = [ \ "aaaaaaaaaaaaaaaaaあ>", \ "あ ", \ ] call s:compare_lines(expect, lines) call s:close_windows('setl brk&vim') endfunc func Test_chinese_char_on_wrap_column() call s:test_windows("setl nolbr wrap sbr=") call setline(1, [ \ 'aaaaaaaaaaaaaaaaaaa中'. \ 'aaaaaaaaaaaaaaaaa中'. \ 'aaaaaaaaaaaaaaaaa中'. \ 'aaaaaaaaaaaaaaaaa中'. \ 'aaaaaaaaaaaaaaaaa中'. \ 'aaaaaaaaaaaaaaaaa中'. \ 'aaaaaaaaaaaaaaaaa中'. \ 'aaaaaaaaaaaaaaaaa中'. \ 'aaaaaaaaaaaaaaaaa中'. \ 'aaaaaaaaaaaaaaaaa中'. \ 'hello']) call cursor(1,1) norm! $ redraw! let expect=[ \ '<<<aaaaaaaaaaaaaaaa>', \ '中aaaaaaaaaaaaaaaaa>', \ '中aaaaaaaaaaaaaaaaa>', \ '中aaaaaaaaaaaaaaaaa>', \ '中aaaaaaaaaaaaaaaaa>', \ '中aaaaaaaaaaaaaaaaa>', \ '中aaaaaaaaaaaaaaaaa>', \ '中aaaaaaaaaaaaaaaaa>', \ '中aaaaaaaaaaaaaaaaa>', \ '中hello '] let lines = s:screen_lines([1, 10], winwidth(0)) call s:compare_lines(expect, lines) call assert_equal(len(expect), winline()) call assert_equal(strwidth(trim(expect[-1], ' ', 2)), wincol()) call s:close_windows() endfunc func Test_chinese_char_on_wrap_column_sbr() call s:test_windows("setl nolbr wrap sbr=!!!") call setline(1, [ \ 'aaaaaaaaaaaaaaaaaaa中'. \ 'aaaaaaaaaaaaaa中'. \ 'aaaaaaaaaaaaaa中'. \ 'aaaaaaaaaaaaaa中'. \ 'aaaaaaaaaaaaaa中'. \ 'aaaaaaaaaaaaaa中'. \ 'aaaaaaaaaaaaaa中'. \ 'aaaaaaaaaaaaaa中'. \ 'aaaaaaaaaaaaaa中'. \ 'aaaaaaaaaaaaaa中'. \ 'hello']) call cursor(1,1) norm! $ redraw! let expect=[ \ '!!!中aaaaaaaaaaaaaa>', \ '!!!中aaaaaaaaaaaaaa>', \ '!!!中aaaaaaaaaaaaaa>', \ '!!!中aaaaaaaaaaaaaa>', \ '!!!中aaaaaaaaaaaaaa>', \ '!!!中aaaaaaaaaaaaaa>', \ '!!!中aaaaaaaaaaaaaa>', \ '!!!中aaaaaaaaaaaaaa>', \ '!!!中aaaaaaaaaaaaaa>', \ '!!!中hello '] let lines = s:screen_lines([1, 10], winwidth(0)) call s:compare_lines(expect, lines) call assert_equal(len(expect), winline()) call assert_equal(strwidth(trim(expect[-1], ' ', 2)), wincol()) call s:close_windows() endfunc func Test_unprintable_char_on_wrap_column() call s:test_windows("setl nolbr wrap sbr=") call setline(1, 'aaa' .. repeat("\uFEFF", 50) .. 'bbb') call cursor(1,1) norm! $ redraw! let expect=[ \ '<<<<feff><feff><feff', \ '><feff><feff><feff><', \ 'feff><feff><feff><fe', \ 'ff><feff><feff><feff', \ '><feff><feff><feff><', \ 'feff><feff><feff><fe', \ 'ff><feff><feff><feff', \ '><feff><feff><feff><', \ 'feff><feff><feff><fe', \ 'ff>bbb '] let lines = s:screen_lines([1, 10], winwidth(0)) call s:compare_lines(expect, lines) call assert_equal(len(expect), winline()) call assert_equal(strwidth(trim(expect[-1], ' ', 2)), wincol()) setl sbr=!! redraw! let expect=[ \ '!!><feff><feff><feff', \ '!!><feff><feff><feff', \ '!!><feff><feff><feff', \ '!!><feff><feff><feff', \ '!!><feff><feff><feff', \ '!!><feff><feff><feff', \ '!!><feff><feff><feff', \ '!!><feff><feff><feff', \ '!!><feff><feff><feff', \ '!!><feff><feff>bbb '] let lines = s:screen_lines([1, 10], winwidth(0)) call s:compare_lines(expect, lines) call assert_equal(len(expect), winline()) call assert_equal(strwidth(trim(expect[-1], ' ', 2)), wincol()) call s:close_windows() endfunc " vim: shiftwidth=2 sts=2 expandtab