# HG changeset patch
# User Christian Brabandt
# Date 1693658705 -7200
# Node ID e64f3ab1a8b992aafca0233f6a63b02cf6a0ca6a
# Parent 0fdb758ceec2175950546a29a9d5f6c7d0be38fb
patch 9.0.1840: [security] use-after-free in do_ecmd
Commit: https://github.com/vim/vim/commit/e1dc9a627536304bc4f738c21e909ad9fcf3974c
Author: Christian Brabandt
Date: Sat Sep 2 14:40:13 2023 +0200
patch 9.0.1840: [security] use-after-free in do_ecmd
Problem: use-after-free in do_ecmd
Solution: Verify oldwin pointer after reset_VIsual()
Signed-off-by: Christian Brabandt
diff --git a/src/ex_cmds.c b/src/ex_cmds.c
--- a/src/ex_cmds.c
+++ b/src/ex_cmds.c
@@ -2646,12 +2646,18 @@ do_ecmd(
 goto theend;
 }
 
- /*
- * End Visual mode before switching to another buffer, so the text can be
- * copied into the GUI selection buffer.
- */
+
+ // End Visual mode before switching to another buffer, so the text can be
+ // copied into the GUI selection buffer.
+ // Careful: may trigger ModeChanged() autocommand
+
+ // Should we block autocommands here?
 reset_VIsual();
 
+ // autocommands freed window :(
+ if (oldwin != NULL && !win_valid(oldwin))
+ oldwin = NULL;
+
 #if defined(FEAT_EVAL)
 if ((command != NULL || newlnum > (linenr_T)0)
 && *get_vim_var_str(VV_SWAPCOMMAND) == NUL)
diff --git a/src/testdir/Make_all.mak b/src/testdir/Make_all.mak
--- a/src/testdir/Make_all.mak
+++ b/src/testdir/Make_all.mak
@@ -105,6 +105,7 @@ NEW_TESTS = \
 test_conceal \
 test_const \
 test_cpoptions \
+ test_crash \
 test_crypt \
 test_cscope \
 test_cursor_func \
@@ -369,6 +370,7 @@ NEW_TESTS_RES = \
 test_conceal.res \
 test_const.res \
 test_cpoptions.res \
+ test_crash.res \
 test_crypt.res \
 test_cscope.res \
 test_cursor_func.res \
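Review bot: The new guard after reset_VIsual() revalidates oldwin, but the comments added with it (`// Should we block autocommands here?`, `// autocommands freed window :(`) record an open question rather than the invariant the code now depends on, so a reader of do_ecmd (whose body starts and ends outside this hunk) cannot tell why the check is there. I would replace both with a statement of the contract, e.g. `// reset_VIsual() may run the ModeChanged autocommand, which can close windows; re-check oldwin before it is used below.`. Setting oldwin to NULL here also silently changes whatever the later code does with it, so that fallback deserves a sentence in the same comment. Any other window or buffer pointer held across this call would presumably need the same win_valid()-style revalidation; I cannot see from the hunk whether there is one.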
diff --git a/src/testdir/crash/poc_huaf1 b/src/testdir/crash/poc_huaf1 new file mode 100644 index e69de29bb2d1d6434b8b29ae775ad8c2e48c5391..0d0ea475c1062a4df89ee505a078ecc578d57f22 GIT binary patch literal 1541 zc%0Q!O=uHA6n>H9kVhIv3qeG2QY40&YRIk8Lq&|jQbmL0k}B36x5_rbWYvQ$ji6{Z ziUn`#*Sd84y?Ymgiig@ZbkK^XC1`n{U3^T_6!Am$As2 z4TZ%<o6J#{Bs($meX(Gi_G|Yjr z&`MG?ev#&L@BrLE3dLC=OM;sPGz-VfDZ#UcIhTicFTC>Ej8;C0Wx>m{mvwu}w(YmJ zeQH09;0T;?$p-?F>A=y*s}qq(z=UT{F^7g&57ev3$5t5VCDcn&eyGS9;X@|z4$1{7 zvBJl6TKu{$^FB0QBBfPRm?J8y9*YUZbx3i2p3%TZ^P{R?%)5L?J-*iQpI22bK!s~} z@0$=+_p(>jP(7fKE!O`|$9&&9W_O}v=6~1mW|xj%mgbh8T-vB(5<5C>sbQNjcNq`2 znZE0w*aqimH`IMyR&xEVXVFsoQ}Yy%x8^-LT1M*(I?~XyYb8Rhw#bcUt%DczsX`av z-{dhpRsq_fwgbF($4|X(0N`DY?lbkG-cKu#+vjZgPxRAZI~bcGY?M|2=5sh%3daF| OJ71kEd0~#55B~sDO&Co8 diff --git a/src/testdir/crash/poc_huaf2 b/src/testdir/crash/poc_huaf2 new file mode 100644 index e69de29bb2d1d6434b8b29ae775ad8c2e48c5391..4867e0f956bbb2a3621dac76fa5bdbdcd8fe789f GIT binary patch literal 3238 zc%1E3O=uHA6n-nsp)aXEEd&+CsYsOCO31B^hk7syK}Cb~k|OGkDY9)aS@mMcdJr+G zv`4Yt1Vi-FL%j-~(n}6Kc=s+uiXKWX^ z@lGKfv-#QG-MvmY)2)4bypW^R*vH-8l#6^SwQP!{u%ly+fWEg#*bhAR zFBXfHV)5Kz7{oz1?=lYr!V`hh;kkG?9I)W|G>&3M`hjK%#mFZDGlym_sL)Z5q=BUH zKB`&8wiq$l_Yz#Ro@tbIH)-!+Isf=9Ai_A*v+{dtPDJV$+!_E~;I|J2gEoL>uUQ|^?713%Qc0C7_&5pXq>lA79glEsm9QQ4 z*NyK}$8))2z_Vpfx!7zfF00q7qwB=j-q8{{*|D-6Y!8mh$|~>$?5I-vq8@JO2fx9G(f* U)ikDM9KJRkPtfvDh$_eY0himUtpET3 
diff --git a/src/testdir/crash/poc_huaf3 b/src/testdir/crash/poc_huaf3 new file mode 100644 index e69de29bb2d1d6434b8b29ae775ad8c2e48c5391..7e38a9a17c2690ae6fa6b9f7da44c2b938aa1361 GIT binary patch literal 4053 zc%1E3O=wd=5S~bL$Rw?!fuN$e6^T+)3GviaFdmFTP|+Z{Boy1XrpQZz$x|;D<3Yis zVz2((Jd}FsAzr`2GHHjXa-kB;+_T>Lw9)9kHn+0VxYq{Zy@1lUuMv2jxxj5Ctem zbiDa~lxQEH;k+C;hJ2c!#wFefz-%s`314TY9@-;J=X7y%KVki#Qx394bc={Rd2%zE z@Xyb7xx7VR+GXmF+9rpnxto`&WsD zllx%q&w^1!A z=0!wf=IfkFIxzhlS*;wx1gEfWN1xir@o6*$4qhLYN91EG&nY`kBZxDmEz<-zRP?&8i1c&oO zk(J*4Z%}uZ`vd?`zdrg#6QDULUu!0T$OgZ%DdJqubnoa@7dqeU<(Wl$e8XrE<1nzJ z$KfF6)^G23Riqn#>VXek^vS=2;q)CGhSPTo)=V;-zQgG|oW8%ro1QJKf?Z7st1-Nf k#;}g=-mt%e=N?n4$WMT~t`;#Vr{PPROM;GJ&t0Q^2MmMq +0&#ffffff0@74 +@75 +@75 +@75 +@75 +@75 +@75 +@75 +@75 +@75 +@75 +@75 +@75 +@75 +@75 +@75 +@75 +@75 +@75 +@75 diff --git a/src/testdir/test_crash.vim b/src/testdir/test_crash.vim new file mode 100644 --- /dev/null +++ b/src/testdir/test_crash.vim @@ -0,0 +1,25 @@ +" Some tests, that used to crash Vim +source check.vim +source screendump.vim + +CheckScreendump + +func Test_crash1() + " The following used to crash Vim + let opts = #{wait_for_ruler: 0} + let args = ' -u NONE -i NONE -n -e -s -S ' + let buf = RunVimInTerminal(args .. ' crash/poc_huaf1', opts) + call VerifyScreenDump(buf, 'Test_crash_01', {}) + exe buf .. "bw!" + + let buf = RunVimInTerminal(args .. ' crash/poc_huaf2', opts) + call VerifyScreenDump(buf, 'Test_crash_01', {}) + exe buf .. "bw!" + + let buf = RunVimInTerminal(args .. ' crash/poc_huaf3', opts) + call VerifyScreenDump(buf, 'Test_crash_01', {}) + exe buf .. "bw!" + +endfunc + +" vim: shiftwidth=2 sts=2 expandtab diff --git a/src/version.c b/src/version.c --- a/src/version.c +++ b/src/version.c @@ -700,6 +700,8 @@ static char *(features[]) = static int included_patches[] = { /* Add new patch number below this line */ /**/ + 1840, +/**/ 1839, /**/ 1838,
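Review bot: Test_crash1 in the new test_crash.vim runs three near-identical blocks that differ only in the PoC file name, and its comment does not say which defect they guard against, so a reader of the test file alone cannot connect poc_huaf1..3 to the use-after-free in do_ecmd fixed by patch 9.0.1840. I would state that in the function comment and fold the three blocks into a loop, so that adding a further PoC is a one-line change. All three runs compare against the same dump Test_crash_01, which is fine if the intent is only that Vim is still alive after sourcing the script, but the comment should say so explicitly.
```vim
func Test_crash1()
  " crash/poc_huaf1..3: use-after-free in do_ecmd (patch 9.0.1840).
  " Only checks that Vim survives, hence the shared dump.
  let opts = #{wait_for_ruler: 0}
  let args = ' -u NONE -i NONE -n -e -s -S '
  for poc in ['crash/poc_huaf1', 'crash/poc_huaf2', 'crash/poc_huaf3']
    let buf = RunVimInTerminal(args .. ' ' .. poc, opts)
    call VerifyScreenDump(buf, 'Test_crash_01', {})
    exe buf .. "bw!"
  endfor
endfunc
```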