annotate src/testdir/test_crash.vim @ 33864:6e4c686b6b5b v9.0.2142
patch 9.0.2142: [security]: stack-buffer-overflow in option callback functions
Commit: https://github.com/vim/vim/commit/b39b240c386a5a29241415541f1c99e2e6b8ce47
Author: Christian Brabandt <cb@256bit.org>
Date: Wed Nov 29 11:34:05 2023 +0100
patch 9.0.2142: [security]: stack-buffer-overflow in option callback functions
Problem: [security]: stack-buffer-overflow in option callback functions
Solution: pass size of errbuf down the call stack, use snprintf()
instead of sprintf()
We pass the error buffer down to the option callback functions, but in
some parts of the code, we simply use sprintf(buf) to write into the error
buffer, which can overflow.
So let's pass down the length of the error buffer and use snprintf(buf, size)
instead.
Reported by @henices, thanks!
Signed-off-by: Christian Brabandt <cb@256bit.org>
author | Christian Brabandt <cb@256bit.org> |
date | Sun, 10 Dec 2023 15:16:04 +0100 |
parents | 3b8089d550eb |
children | 8cdb69ea3711 |
" Some tests, that used to crash Vim
source check.vim
source screendump.vim

" Every test in this file drives a second Vim inside a terminal buffer
" (RunVimInTerminal), so the whole file is skipped unless screendump
" support is available, which is what CheckScreendump verifies.
CheckScreendump

func Test_crash1()
  CheckNotBSD
  CheckExecutable dash
  " Test 7 fails on Mac ...
  CheckNotMac

  " Each proof-of-concept script below used to crash Vim.  Every entry is
  " run by its own Vim, started from the shell inside the terminal buffer:
  "   [script, shell operator, redirection, ms to wait,
  "    files to delete before waiting, files to delete after waiting]
  " The operator decides when the "[OK]" marker reaches the result file:
  " '&&' only when that Vim exited with status 0, '||' only when it did
  " not (used where the PoC makes Vim exit with exitstatus != 0).
  " NOTE(review): '||' also fires on a signal exit, so for those entries
  " the marker cannot tell the expected error exit from a crash; only the
  " '&&' entries fail through the result file when Vim crashes.
  let pocs = [
        \ ['crash/poc_huaf1',             '&&', '>',    50, [],       []],
        \ ['crash/poc_huaf2',             '&&', '>>',   50, [],       []],
        \ ['crash/poc_huaf3',             '&&', '>>',  100, [],       []],
        \ ['crash/bt_quickfix_poc',       '&&', '>>', 1000, ['Xerr'], []],
        \ ['crash/poc_tagfunc.vim',       '||', '>>',  100, [],       []],
        \ ['crash/bt_quickfix1_poc',      '&&', '>>', 3000, ['X'],    []],
        \ ['crash/vim_regsub_both_poc',   '&&', '>>', 3000, [],       []],
        \ ['crash/vim_msg_trunc_poc',     '||', '>>', 3000, [],       []],
        \ ['crash/crash_scrollbar',       '&&', '>>', 1000, [],       []],
        \ ['crash/editing_arg_idx_POC_1', '||', '>>', 1000, [], ['Xerr', '@']],
        \ ]

  let result = 'X_crash1_result.txt'
  let cmn_args = "%s -u NONE -i NONE -n -e -s -S %s -c ':qa!'"
  let vim = GetVimProg()
  let buf = RunVimInTerminal('sh', #{cmd: 'sh'})

  for idx in range(len(pocs))
    let [file, op, redir, wait, before, after] = pocs[idx]
    let nr = idx + 1
    let cmd = printf(cmn_args, vim, file) .. ' ' .. op .. ' echo "crash ' ..
          \ nr .. ': [OK]" ' .. redir .. ' ' .. result
    call term_sendkeys(buf, cmd .. "\<cr>")
    " some PoCs leave files behind; the longer waits give the slower ones
    " time to finish before the next command is typed
    for name in before
      call delete(name)
    endfor
    call TermWait(buf, wait)
    for name in after
      call delete(name)
    endfor
  endfor

  " clean up
  exe buf .. "bw!"

  exe 'sp ' .. result
  let expected = map(range(1, len(pocs)), {i, n -> 'crash ' .. n .. ': [OK]'})
  call assert_equal(expected, getline(1, '$'))
  bw!

  call delete(result)
endfunc

func Test_crash1_2()
  CheckNotBSD
  CheckExecutable dash

  " The following used to crash Vim.  Each entry is one PoC script, the
  " argument template for the Vim that sources it, the shell operator that
  " gates the "[OK]" marker, the redirection into the result file and the
  " ms to wait before the next command is typed.
  " NOTE(review): the ';' entry writes its marker regardless of how that
  " Vim exited, so for it the result file does not show whether Vim
  " exited normally.
  let vimargs = "%s -u NONE -i NONE -n -e -s -S %s -c ':qa!'"
  let langmapargs = "%s -u NONE -i NONE -n -X -m -n -e -s -S %s -c ':qa!'"
  let pocs = [
        \ ['crash/poc1',                  vimargs,     '&&', '>',  150],
        \ ['crash/poc_win_enter_ext',     vimargs,     '&&', '>>', 350],
        \ ['crash/poc_suggest_trie_walk', vimargs,     '&&', '>>', 150],
        \ ['crash/poc_did_set_langmap',   langmapargs, ';',  '>>', 150],
        \ ]

  let result = 'X_crash1_1_result.txt'
  let vim = GetVimProg()
  let buf = RunVimInTerminal('sh', #{cmd: 'sh'})

  for idx in range(len(pocs))
    let [file, tmpl, op, redir, wait] = pocs[idx]
    let cmd = printf(tmpl, vim, file) .. ' ' .. op .. ' echo "crash ' ..
          \ (idx + 1) .. ': [OK]" ' .. redir .. ' ' .. result
    call term_sendkeys(buf, cmd .. "\<cr>")
    call TermWait(buf, wait)
  endfor

  " clean up
  exe buf .. "bw!"

  exe "sp " .. result
  let expected = map(range(1, len(pocs)), {i, n -> 'crash ' .. n .. ': [OK]'})
  call assert_equal(expected, getline(1, '$'))
  bw!

  call delete(result)
endfunc

func Test_crash2()
  " The following used to crash Vim.  Here the PoC is sourced directly by
  " the Vim started in the terminal and the screen it leaves behind is
  " compared against the Test_crash_01 dump.
  let script = 'crash/vim_regsub_both'
  let vimargs = ' -u NONE -i NONE -n -e -s -S '
  let buf = RunVimInTerminal(vimargs .. ' ' .. script,
        \ #{wait_for_ruler: 0, rows: 20})
  call VerifyScreenDump(buf, 'Test_crash_01', {})
  exe buf .. "bw!"
endfunc

" vim: shiftwidth=2 sts=2 expandtab