Mercurial > vim
changeset 33523:1947bb095199 v9.0.2010
patch 9.0.2010: [security] use-after-free from buf_contents_changed()
Commit: https://github.com/vim/vim/commit/41e6f7d6ba67b61d911f9b1d76325cd79224753d
Author: Christian Brabandt <cb@256bit.org>
Date: Wed Oct 11 21:08:13 2023 +0200
patch 9.0.2010: [security] use-after-free from buf_contents_changed()
Problem: [security] use-after-free from buf_contents_changed()
Solution: block autocommands
Signed-off-by: Christian Brabandt <cb@256bit.org>
author | Christian Brabandt <cb@256bit.org> |
---|---|
date | Wed, 11 Oct 2023 21:15:08 +0200 |
parents | d41f4b9a944e |
children | 4ff355d60b80 |
files | src/buffer.c src/testdir/crash/editing_arg_idx_POC_1 src/testdir/test_crash.vim src/version.c |
diffstat | 4 files changed, 16 insertions(+), 0 deletions(-) [+] |
line wrap: on
line diff
--- a/src/buffer.c +++ b/src/buffer.c @@ -6013,6 +6013,9 @@ buf_contents_changed(buf_T *buf) return TRUE; } + // We don't want to trigger autocommands now, they may have nasty + // side-effects like wiping buffers + block_autocmds(); if (ml_open(curbuf) == OK && readfile(buf->b_ffname, buf->b_fname, (linenr_T)0, (linenr_T)0, (linenr_T)MAXLNUM, @@ -6038,6 +6041,8 @@ buf_contents_changed(buf_T *buf) if (curbuf != newbuf) // safety check wipe_buffer(newbuf, FALSE); + unblock_autocmds(); + return differ; }
new file mode 100644 index e69de29bb2d1d6434b8b29ae775ad8c2e48c5391..5d048d03405a31e268f30950dc11d9dc767103de GIT binary patch literal 398 zc${s}!Ait15C-6Q&0W2Yy>wf2DbmwYi}(amL<%B0n@qZeHeHgI?M-jKgYV?Um+%QZ zuZg=N6@Lg!V1D=*(X}n=lQWH`x`?5qacv-LJ8AQV#_iTrHs?6>9b65nAe7gJAO;#K zusVSG+!avES&-p!P<apmSC3HoM(iV6`5;!PD{5-HLKAU;4cnNyCsj8zy9>*nY_ImY z{TWom0Z7(PWDNgig{5n}o-fix_XY)H&)n8cqAkHoXWE24x&KX~Y0S{85C5nSe$|X= z>7~`@PAWbod3SFIg$XqEP&a!*8s49V-WL7`?QyBSsYv){eaUqyCTBjLoY^fN?YF-G DgL#j6
--- a/src/testdir/test_crash.vim +++ b/src/testdir/test_crash.vim @@ -78,6 +78,14 @@ func Test_crash1() \ ' && echo "crash 9: [OK]" >> X_crash1_result.txt' .. "\<cr>") call TermWait(buf, 1000) + let file = 'crash/editing_arg_idx_POC_1' + let args = printf(cmn_args, vim, file) + call term_sendkeys(buf, args .. + \ ' || echo "crash 10: [OK]" >> X_crash1_result.txt' .. "\<cr>") + call TermWait(buf, 1000) + call delete('Xerr') + call delete('@') + " clean up exe buf .. "bw!" @@ -93,6 +101,7 @@ func Test_crash1() \ 'crash 7: [OK]', \ 'crash 8: [OK]', \ 'crash 9: [OK]', + \ 'crash 10: [OK]', \ ] call assert_equal(expected, getline(1, '$'))