changeset 33115:e64f3ab1a8b9

patch 9.0.1840: [security] use-after-free in do_ecmd Commit: https://github.com/vim/vim/commit/e1dc9a627536304bc4f738c21e909ad9fcf3974c Author: Christian Brabandt <cb@256bit.org> Date: Sat Sep 2 14:40:13 2023 +0200 patch 9.0.1840: [security] use-after-free in do_ecmd Problem: use-after-free in do_ecmd Solution: Verify oldwin pointer after reset_VIsual() Signed-off-by: Christian Brabandt <cb@256bit.org>
author Christian Brabandt <cb@256bit.org>
date Sat, 02 Sep 2023 14:45:05 +0200
parents 0fdb758ceec2
children 4eeb5da5577e
files src/ex_cmds.c src/testdir/Make_all.mak src/testdir/crash/poc_huaf1 src/testdir/crash/poc_huaf2 src/testdir/crash/poc_huaf3 src/testdir/dumps/Test_crash_01.dump src/testdir/test_crash.vim src/version.c
diffstat 8 files changed, 59 insertions(+), 4 deletions(-) [+]
--- a/src/ex_cmds.c
+++ b/src/ex_cmds.c
@@ -2646,12 +2646,18 @@ do_ecmd(
 	goto theend;
     }
 
-    /*
-     * End Visual mode before switching to another buffer, so the text can be
-     * copied into the GUI selection buffer.
-     */
+    
+     // End Visual mode before switching to another buffer, so the text can be
+     // copied into the GUI selection buffer.
+     // Careful: may trigger ModeChanged() autocommand
+     
+    // Should we block autocommands here?
     reset_VIsual();
 
+    // autocommands freed window :(
+    if (oldwin != NULL && !win_valid(oldwin))
+	oldwin = NULL;
+
 #if defined(FEAT_EVAL)
     if ((command != NULL || newlnum > (linenr_T)0)
 	    && *get_vim_var_str(VV_SWAPCOMMAND) == NUL)
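Review bot: The comment block added before reset_VIsual() commits two whitespace-only lines (the `+    ` and `+     ` lines) and an unanswered question `// Should we block autocommands here?` to the source; either resolve the question in the commit or drop it, and collapse the block to a single comment at the function's 4-space indent. The oldwin re-validation after reset_VIsual() is the right shape for the fix, since the comment itself says the call may trigger the ModeChanged autocommand, which can close windows; I would phrase the guard's comment as `// An autocommand run by reset_VIsual() may have closed oldwin; clear it rather than use freed memory` instead of `// autocommands freed window :(`. Any other window or buffer pointer this function captured before reset_VIsual() would need the same validity check, but do_ecmd's body starts and ends outside the hunk, so I cannot confirm whether one exists.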
--- a/src/testdir/Make_all.mak
+++ b/src/testdir/Make_all.mak
@@ -105,6 +105,7 @@ NEW_TESTS = \
 	test_conceal \
 	test_const \
 	test_cpoptions \
+	test_crash \
 	test_crypt \
 	test_cscope \
 	test_cursor_func \
@@ -369,6 +370,7 @@ NEW_TESTS_RES = \
 	test_conceal.res \
 	test_const.res \
 	test_cpoptions.res \
+	test_crash.res \
 	test_crypt.res \
 	test_cscope.res \
 	test_cursor_func.res \
new file mode 100644
index e69de29bb2d1d6434b8b29ae775ad8c2e48c5391..0d0ea475c1062a4df89ee505a078ecc578d57f22
GIT binary patch
literal 1541
zc%0Q!O=uHA6n>H9kVhIv3qeG2QY40&YRIk8Lq&|jQbmL0k}B36x5_rbWYvQ$ji6{Z
ziUn`#*<cRRL-bU<>Sd84y?Ymgiig<C_+~eWP1@2>@ZbkK^XC1`n{U3^T_6!Am$As2
z4TZ%<<ITs0hgd9@US{4H`hFuPqD&#g_Hgz?S^S<)8y!jrQD)9J$8qu-u)q$8TU0?v
zG8SL^JiypKY8JSVID*ucv*vlSIAEbznoeJ9Z?7=^*B*8qEa79E-DZq7390n%wll3c
z7#yrbjG!tQ@ahh-wcRv@vo6Zn)2lkyxRso!aER8C6$f>o6J#{Bs($meX(Gi_G|Yjr
z&`MG?ev#&L@BrLE3dLC=OM;sPGz-VfDZ#UcIhTicFTC>Ej8;C0Wx>m{mvwu}w(YmJ
zeQH09;0T;?$p-?F>A=y*s}qq(z=UT{F^7g&57ev3$5t5VCDcn&eyGS9;X@|z4$1{7
zvBJl6TKu{$^FB0QBBfPRm?J8y9*YUZbx3i2p3%TZ^P{R?%)5L?J-*iQpI22bK!s~}
z@0$=+_p(>jP(7fKE!O`|$9&&9W_O}v=6~1mW|xj%mgbh8T-vB(5<5C>sbQNjcNq`2
znZE0w*aqimH`IMyR&xEVXVFsoQ}Yy%x8^-LT1M*(I?~XyYb8Rhw#bcUt%DczsX`av
z-{dhpRsq_fwgbF($4|X(0N`DY?lbkG-cKu#+vjZgPxRAZI~bcGY?M|2=5sh%3daF|
OJ71kEd0~#55B~sDO&Co8
new file mode 100644
index e69de29bb2d1d6434b8b29ae775ad8c2e48c5391..4867e0f956bbb2a3621dac76fa5bdbdcd8fe789f
GIT binary patch
literal 3238
zc%1E3O=uHA6n-nsp)aXEEd&+CsYsOCO31B^hk7syK}Cb~k|OGkDY9)aS@mMcdJr+G
zv`4Yt1Vi-FL%j-~(n}6Kc=s+uiXKWX<D1?7Y+|iOqV1s{?99BG_h#PrX7}4Ypb%~?
zVU|`FH0JsFu;3vQi3~4M=*yi^*+-1JZp1_5-Heq^k9><KhmH?OnWx(4TCJA;3A1!W
z-ldQZiV~e_EcOr`<bwiN22LU$DQM*~j|AXkHa9VRll?-pUub{2v@z~?CuqPRZ;9>^
z@lGKfv-#QG-MvmY)2)4bypW^R*vH-8l#6^SwQP!{u%ly+fWEg#*<KSkjYJadQkV70
zvXIwf+!R2M(2nZWtK46N$KWo+P+pMAkiwcoYx0aWE=B5u@WTt6N+k1VF)u}a>bhAR
zFBXfHV)5Kz7{oz1?=lYr!V`hh;kkG?9I)W|G>&3M`hjK%#mFZDGlym_sL)Z5q=BUH
zKB`&8wiq$l_<mcZ4a~emb}PkjlqoEG*^jMroJl0X;QmReOFnaX4tYH7DBfV-vJU`2
z<^K-O658=^05m#vcD2Q>Yz#Ro@tbIH)-!+Isf=9Ai_A*v+{d<dc+s(3wiWK%d~Hm)
zUu_EQ;I4>tPDJV$+!_E~;I|J2gEoL>uUQ|^?713%Qc0C7_&5pXq>lA79glEsm9QQ4
z*NyK}$8))2z_Vpfx!7zfF00q7qwB=j<nEuA^#^OTr6X&2@3z&J*-DdDXj7v$#p2pv
zX&sJw@N54!f3)k45$(CH{CAFM`>-q8{{*|D-6Y!8mh$|~>$?5I-vq8@JO2fx9G(f*
U)ikDM9KJRkPtfvDh$_eY0himUtpET3
new file mode 100644
index e69de29bb2d1d6434b8b29ae775ad8c2e48c5391..7e38a9a17c2690ae6fa6b9f7da44c2b938aa1361
GIT binary patch
literal 4053
zc%1E3O=wd=5S~bL$Rw?!fuN$e6^T+)3GviaFdmFTP|+Z{Boy1XrpQZz$x|;D<3Yis
zVz2((Jd}FsAzr<Bs0caa;N80rDJX<o)_Lzqo233EBo(pw;LYy5`PrG-VRjcNgxMPA
zs8K1*)+&ru{@zw>`2GHHjXa-kB;+_T>Lw9)9kHn+0VxYq{Zy@1lUuMv2jxxj5Ctem
zbiDa~lxQEH;k+C;hJ2c!#wFefz-%s`314TY9@-;J=X7y%KVki#Qx394bc={Rd2%zE
z@Xyb7xx7VR+GXmF+9rpnxto`<xP?MIzOIRwFoLO~fbrKzIj;sBMl^;-c|?Dy>&WsD
zllx%q&<L8+E4*HS2Ve<8D9=lkmqO2?o;|70OA$XRT49?lL}P{1SdgNya7`=CmrA9T
zQt9jgn8ZmqXJzhm`ZCTFz8BLzpHqh?i<rQ)Yz1m%6p@bvS{}8$TVYY%lMW<>w^1!A
z=0!wf=IfkFIxzhlS*;wx1gEfWN1xir@o6*$4qhLYN91EG&nY`kBZxDmE<kZRFD<`=
zE^V6<_^Z9Zk(v?iHTBsRP^yjs3ND~JJi)bVudWen%`uLKY0u6>z<-zRP?&8i1c&oO
zk(J*4Z%}uZ`vd?`zdrg#6QDULUu!0T$OgZ%DdJqubnoa@7dqeU<(Wl$e8XrE<1nzJ
z$KfF6)^G23Riqn#>VXek^vS=2;q)CGhSPTo)=V;-zQgG|oW8%ro1QJKf?Z7st1-Nf
k#;}g=-mt%e=N?n4$WMT~t`;#Vr{PPROM;GJ&t0Q^2MmMq<NyEw
new file mode 100644
--- /dev/null
+++ b/src/testdir/dumps/Test_crash_01.dump
@@ -0,0 +1,20 @@
+> +0&#ffffff0@74
+@75
+@75
+@75
+@75
+@75
+@75
+@75
+@75
+@75
+@75
+@75
+@75
+@75
+@75
+@75
+@75
+@75
+@75
+@75
new file mode 100644
--- /dev/null
+++ b/src/testdir/test_crash.vim
@@ -0,0 +1,25 @@
+" Some tests, that used to crash Vim
+source check.vim
+source screendump.vim
+
+CheckScreendump
+
+func Test_crash1()
+  " The following used to crash Vim
+  let opts = #{wait_for_ruler: 0}
+  let args = ' -u NONE -i NONE -n -e -s -S '
+  let buf = RunVimInTerminal(args .. ' crash/poc_huaf1', opts)
+  call VerifyScreenDump(buf, 'Test_crash_01', {})
+  exe buf .. "bw!"
+
+  let buf = RunVimInTerminal(args .. ' crash/poc_huaf2', opts)
+  call VerifyScreenDump(buf, 'Test_crash_01', {})
+  exe buf .. "bw!"
+
+  let buf = RunVimInTerminal(args .. ' crash/poc_huaf3', opts)
+  call VerifyScreenDump(buf, 'Test_crash_01', {})
+  exe buf .. "bw!"
+
+endfunc
+
+" vim: shiftwidth=2 sts=2 expandtab
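Review bot: All three PoC scripts are checked against the same Test_crash_01 dump, which is an empty screen, so the test only establishes that Vim is still running after each script and not what the script did; that expectation should be stated so a future change to the dump is not mistaken for a behavioural check. I would add `" Each PoC must only not crash Vim; the expected screen is empty` above the first RunVimInTerminal() call. The header comment `" Some tests, that used to crash Vim` reads better without the comma.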
--- a/src/version.c
+++ b/src/version.c
@@ -700,6 +700,8 @@ static char *(features[]) =
 static int included_patches[] =
 {   /* Add new patch number below this line */
 /**/
+    1840,
+/**/
     1839,
 /**/
     1838,