annotate src/testdir/test_crash.vim @ 33772:7624df087ebf v9.0.2106
patch 9.0.2106: [security]: Use-after-free in win_close()
Commit: https://github.com/vim/vim/commit/25aabc2b8ee1e19ced6f4da9d866cf9378fc4c5a
Author: Christian Brabandt <cb@256bit.org>
Date: Tue Nov 14 19:31:34 2023 +0100
patch 9.0.2106: [security]: Use-after-free in win_close()
Problem: [security]: Use-after-free in win_close()
Solution: Check window is valid, before accessing it
If the current window structure is no longer valid (because a previous
autocommand has already freed this window), fail and return before
attempting to set win->w_closing variable.
Add a test to trigger ASAN in CI
Signed-off-by: Christian Brabandt <cb@256bit.org>
author | Christian Brabandt <cb@256bit.org> |
---|---|
date | Thu, 16 Nov 2023 22:15:05 +0100 |
parents | 1947bb095199 |
children | 242b964d6269 |
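The pattern the commit message describes is to revalidate a window after code that may have freed it, before writing `win->w_closing`. The C sketch below is an added example, not Vim's code: `win_T` is a simplified hypothetical struct, `win_is_live`, `win_close_checked`, the hooks and `run_case` are illustrative names, and only `w_closing` comes from the commit message.

```c
#include <stdio.h>
#include <stdlib.h>

#define OK   1
#define FAIL 0

/* Hypothetical window record; only w_closing is a name from the commit message. */
typedef struct win {
    int         w_closing;
    struct win *next;
} win_T;

static win_T *first_win = NULL;   /* list of windows that are still allocated */

static win_T *win_new(void)
{
    win_T *w = calloc(1, sizeof(*w));
    if (w == NULL)
        abort();
    w->next = first_win;
    first_win = w;
    return w;
}

/* Unlink win from the live list and free it; does nothing if it is not listed. */
static void win_free(win_T *win)
{
    for (win_T **pp = &first_win; *pp != NULL; pp = &(*pp)->next)
        if (*pp == win) {
            *pp = win->next;
            free(win);
            return;
        }
}

/* Validity check: compares addresses against the live list and never
 * dereferences win. It cannot detect an address that was freed and then
 * reused by a new window. */
static int win_is_live(const win_T *win)
{
    for (const win_T *w = first_win; w != NULL; w = w->next)
        if (w == win)
            return 1;
    return 0;
}

static int live_count(void)
{
    int n = 0;
    for (const win_T *w = first_win; w != NULL; w = w->next)
        n++;
    return n;
}

typedef void (*hook_fn)(win_T *win);   /* stand-in for an autocommand */

static void hook_noop(win_T *win)   { (void)win; }
static void hook_closes(win_T *win) { win_free(win); }   /* frees the window being closed */

static int win_close_checked(win_T *win, hook_fn hook)
{
    hook(win);   /* may run arbitrary code, including win_free(win) */

    /* Without this check the next statement writes to freed memory
     * whenever the hook has already closed the window. */
    if (!win_is_live(win))
        return FAIL;

    win->w_closing = 1;
    win_free(win);
    return OK;
}

/* Close one of two windows using hook; *left receives the number still live. */
static int run_case(hook_fn hook, int *left)
{
    win_T *other = win_new();
    win_T *win = win_new();
    int r = win_close_checked(win, hook);
    *left = live_count();
    win_free(other);
    return r;
}

int main(void)
{
    int left;
    printf("hook frees window: %s\n", run_case(hook_closes, &left) == OK ? "OK" : "FAIL");
    printf("hook does nothing: %s\n", run_case(hook_noop, &left) == OK ? "OK" : "FAIL");
    return 0;
}
```

Building this with `-fsanitize=address` and deleting the `win_is_live` check makes the first case report a heap-use-after-free, which is the kind of failure the commit's added test is meant to surface in CI.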
rev | changeset | description | author | parents |
---|---|---|---|---|
33115 | e64f3ab1a8b9 | patch 9.0.1840: [security] use-after-free in do_ecmd | Christian Brabandt <cb@256bit.org> | |
33132 | 811555b5ab8b | patch 9.0.1848: [security] buffer-overflow in vim_regsub_both() | Christian Brabandt <cb@256bit.org> | 33115 |
33144 | 9c34366acd4e | patch 9.0.1854: test_crash1() fails on CI | Christian Brabandt <cb@256bit.org> | 33132 |
33150 | cdc797578b8b | patch 9.0.1857: [security] heap-use-after-free in is_qf_win() | Christian Brabandt <cb@256bit.org> | 33144 |
33152 | 8c9c79b00316 | patch 9.0.1858: [security] heap use after free in ins_compl_get_exp() | Christian Brabandt <cb@256bit.org> | 33150 |
33154 | faeeed7df688 | patch 9.0.1859: heap-use-after-free in bt_normal() | Christian Brabandt <cb@256bit.org> | 33152 |
33165 | 74fcf8a0846b | patch 9.0.1864: still crash with bt_quickfix1_poc | Christian Brabandt <cb@256bit.org> | 33156 |
33176 | 8ac10cee18f3 | patch 9.0.1868: test_crash still fails for circle ci | Christian Brabandt <cb@256bit.org> | 33165 |
33185 | 1ee65fdbd791 | patch 9.0.1872: CI: test_crash() fails on CI | Christian Brabandt <cb@256bit.org> | 33176 |
33187 | 201c54cdde82 | patch 9.0.1873: [security] heap-buffer-overflow in vim_regsub_both | Christian Brabandt <cb@256bit.org> | 33185 |
33199 | 3395f1cbe3ab | patch 9.0.1878: tests running sh have problems | Christian Brabandt <cb@256bit.org> | 33193 |
33206 | 3737c8d06c2f | patch 9.0.1881: Test_crash fails on Mac | Christian Brabandt <cb@256bit.org> | 33199 |
33208 | ed46a7531bb3 | patch 9.0.1882: Trailing white space in tests | Christian Brabandt <cb@256bit.org> | 33206 |
33422 | 25d250a74bb6 | patch 9.0.1969: [security] buffer-overflow in trunc_string() | Christian Brabandt <cb@256bit.org> | 33208 |
33482 | 39b2e200c4d7 | patch 9.0.1992: [security] segfault in exmode | Christian Brabandt <cb@256bit.org> | 33422 |
33523 | 1947bb095199 | patch 9.0.2010: [security] use-after-free from buf_contents_changed() | Christian Brabandt <cb@256bit.org> | 33482 |
33772 | 7624df087ebf | patch 9.0.2106: [security]: Use-after-free in win_close() | Christian Brabandt <cb@256bit.org> | 33523 |

rev | line source |
---|---|
33115 | 1 " Some tests, that used to crash Vim |
33115 | 2 source check.vim |
33115 | 3 source screendump.vim |
33115 | 4 |
33115 | 5 CheckScreendump |
33115 | 6 |
33115 | 7 func Test_crash1() |
33185 | 8 CheckNotBSD |
33199 | 9 CheckExecutable dash |
33208 | 10 " Test 7 fails on Mac ... |
33206 | 11 CheckNotMac |
33185 | 12 |
33115 | 13 " The following used to crash Vim |
33144 | 14 let opts = #{cmd: 'sh'} |
33144 | 15 let vim = GetVimProg() |
33144 | 16 |
33150 | 17 let buf = RunVimInTerminal('sh', opts) |
33144 | 18 |
33144 | 19 let file = 'crash/poc_huaf1' |
33144 | 20 let cmn_args = "%s -u NONE -i NONE -n -e -s -S %s -c ':qa!'" |
33144 | 21 let args = printf(cmn_args, vim, file) |
33144 | 22 call term_sendkeys(buf, args .. |
33150 | 23 \ ' && echo "crash 1: [OK]" > X_crash1_result.txt' .. "\<cr>") |
33150 | 24 call TermWait(buf, 50) |
33144 | 25 |
33144 | 26 let file = 'crash/poc_huaf2' |
33144 | 27 let args = printf(cmn_args, vim, file) |
33144 | 28 call term_sendkeys(buf, args .. |
33144 | 29 \ ' && echo "crash 2: [OK]" >> X_crash1_result.txt' .. "\<cr>") |
33150 | 30 call TermWait(buf, 50) |
33144 | 31 |
33144 | 32 let file = 'crash/poc_huaf3' |
33144 | 33 let args = printf(cmn_args, vim, file) |
33144 | 34 call term_sendkeys(buf, args .. |
33144 | 35 \ ' && echo "crash 3: [OK]" >> X_crash1_result.txt' .. "\<cr>") |
33150 | 36 call TermWait(buf, 100) |
33144 | 37 |
33150 | 38 let file = 'crash/bt_quickfix_poc' |
33150 | 39 let args = printf(cmn_args, vim, file) |
33150 | 40 call term_sendkeys(buf, args .. |
33150 | 41 \ ' && echo "crash 4: [OK]" >> X_crash1_result.txt' .. "\<cr>") |
33150 | 42 " clean up |
33150 | 43 call delete('Xerr') |
33150 | 44 " This test takes a bit longer |
33165 | 45 call TermWait(buf, 1000) |
33144 | 46 |
33152 | 47 let file = 'crash/poc_tagfunc.vim' |
33152 | 48 let args = printf(cmn_args, vim, file) |
33187 | 49 " using || because this poc causes vim to exit with exitstatus != 0 |
33152 | 50 call term_sendkeys(buf, args .. |
33152 | 51 \ ' || echo "crash 5: [OK]" >> X_crash1_result.txt' .. "\<cr>") |
33152 | 52 |
33152 | 53 call TermWait(buf, 100) |
33152 | 54 |
33154 | 55 let file = 'crash/bt_quickfix1_poc' |
33154 | 56 let args = printf(cmn_args, vim, file) |
33154 | 57 call term_sendkeys(buf, args .. |
33154 | 58 \ ' && echo "crash 6: [OK]" >> X_crash1_result.txt' .. "\<cr>") |
33154 | 59 " clean up |
33154 | 60 call delete('X') |
33176 | 61 call TermWait(buf, 3000) |
33154 | 62 |
33187 | 63 let file = 'crash/vim_regsub_both_poc' |
33187 | 64 let args = printf(cmn_args, vim, file) |
33187 | 65 call term_sendkeys(buf, args .. |
33187 | 66 \ ' && echo "crash 7: [OK]" >> X_crash1_result.txt' .. "\<cr>") |
33199 | 67 call TermWait(buf, 3000) |
33187 | 68 |
33422 | 69 let file = 'crash/vim_msg_trunc_poc' |
33422 | 70 let args = printf(cmn_args, vim, file) |
33422 | 71 call term_sendkeys(buf, args .. |
33422 | 72 \ ' || echo "crash 8: [OK]" >> X_crash1_result.txt' .. "\<cr>") |
33422 | 73 call TermWait(buf, 3000) |
33422 | 74 |
33482 | 75 let file = 'crash/crash_scrollbar' |
33482 | 76 let args = printf(cmn_args, vim, file) |
33482 | 77 call term_sendkeys(buf, args .. |
33482 | 78 \ ' && echo "crash 9: [OK]" >> X_crash1_result.txt' .. "\<cr>") |
33482 | 79 call TermWait(buf, 1000) |
33482 | 80 |
33523 | 81 let file = 'crash/editing_arg_idx_POC_1' |
33523 | 82 let args = printf(cmn_args, vim, file) |
33523 | 83 call term_sendkeys(buf, args .. |
33523 | 84 \ ' || echo "crash 10: [OK]" >> X_crash1_result.txt' .. "\<cr>") |
33523 | 85 call TermWait(buf, 1000) |
33523 | 86 call delete('Xerr') |
33523 | 87 call delete('@') |
33523 | 88 |
33144 | 89 " clean up |
33115 | 90 exe buf .. "bw!" |
33115 | 91 |
33144 | 92 sp X_crash1_result.txt |
33150 | 93 |
33150 | 94 let expected = [ |
33150 | 95 \ 'crash 1: [OK]', |
33150 | 96 \ 'crash 2: [OK]', |
33150 | 97 \ 'crash 3: [OK]', |
33150 | 98 \ 'crash 4: [OK]', |
33152 | 99 \ 'crash 5: [OK]', |
33154 | 100 \ 'crash 6: [OK]', |
33187 | 101 \ 'crash 7: [OK]', |
33422 | 102 \ 'crash 8: [OK]', |
33482 | 103 \ 'crash 9: [OK]', |
33523 | 104 \ 'crash 10: [OK]', |
33150 | 105 \ ] |
33150 | 106 |
33150 | 107 call assert_equal(expected, getline(1, '$')) |
33144 | 108 bw! |
33115 | 109 |
33144 | 110 call delete('X_crash1_result.txt') |
33115 | 111 endfunc |
33115 | 112 |
33772 | 113 func Test_crash1_2() |
33772 | 114 CheckNotBSD |
33772 | 115 CheckExecutable dash |
33772 | 116 |
33772 | 117 " The following used to crash Vim |
33772 | 118 let opts = #{cmd: 'sh'} |
33772 | 119 let vim = GetVimProg() |
33772 | 120 let result = 'X_crash1_1_result.txt' |
33772 | 121 |
33772 | 122 let buf = RunVimInTerminal('sh', opts) |
33772 | 123 |
33772 | 124 let file = 'crash/poc1' |
33772 | 125 let cmn_args = "%s -u NONE -i NONE -n -e -s -S %s -c ':qa!'" |
33772 | 126 let args = printf(cmn_args, vim, file) |
33772 | 127 call term_sendkeys(buf, args .. |
33772 | 128 \ ' && echo "crash 1: [OK]" > '.. result .. "\<cr>") |
33772 | 129 call TermWait(buf, 150) |
33772 | 130 |
33772 | 131 " clean up |
33772 | 132 exe buf .. "bw!" |
33772 | 133 |
33772 | 134 exe "sp " .. result |
33772 | 135 |
33772 | 136 let expected = [ |
33772 | 137 \ 'crash 1: [OK]', |
33772 | 138 \ ] |
33772 | 139 |
33772 | 140 call assert_equal(expected, getline(1, '$')) |
33772 | 141 bw! |
33772 | 142 |
33772 | 143 call delete(result) |
33772 | 144 endfunc |
33772 | 145 |
33132 | 146 func Test_crash2() |
33132 | 147 " The following used to crash Vim |
33132 | 148 let opts = #{wait_for_ruler: 0, rows: 20} |
33132 | 149 let args = ' -u NONE -i NONE -n -e -s -S ' |
33132 | 150 let buf = RunVimInTerminal(args .. ' crash/vim_regsub_both', opts) |
33132 | 151 call VerifyScreenDump(buf, 'Test_crash_01', {}) |
33132 | 152 exe buf .. "bw!" |
33132 | 153 endfunc |
33132 | 154 |
33115 | 155 " vim: shiftwidth=2 sts=2 expandtab |