annotate src/testdir/test_crash.vim @ 34686:83875247fbc0 v9.1.0224
patch 9.1.0224: cursor may move too many lines over "right" & "below" virt text
Commit: https://github.com/vim/vim/commit/515f734e687f28f7199b2a8042197624d9f3ec15
Author: Dylan Thacker-Smith <dylan.ah.smith@gmail.com>
Date: Thu Mar 28 12:01:14 2024 +0100
Problem: If a line has "right" & "below" virtual text properties,
where the "below" property may be stored first due to lack of
ordering between them, then the line height is calculated to
be 1 more and causes the cursor to far over the line.
Solution: Remove some unnecessary setting of a
`next_right_goes_below = TRUE` flag for "below" and "above"
text properties. (Dylan Thacker-Smith)
I modified a regression test I recently added to cover this case,
leveraging the fact that "after", "right" & "below" text properties are
being stored in the reverse of the order they are added in. The
previous version of this regression test was crafted to work around this
issue so it can be addressed by this separate patch.
closes: #14317
Signed-off-by: Dylan Thacker-Smith <dylan.ah.smith@gmail.com>
Signed-off-by: Christian Brabandt <cb@256bit.org>
author | Christian Brabandt <cb@256bit.org> |
---|---|
date | Thu, 28 Mar 2024 12:15:03 +0100 |
parents | a49ae967e9ed |
children | 1758bb7a9865 |
```vim
" Some tests, that used to crash Vim
source check.vim
source screendump.vim

CheckScreendump

func Test_crash1()
  CheckNotBSD
  CheckExecutable dash
  " Test 7 fails on Mac ...
  CheckNotMac

  " The following used to crash Vim
  let opts = #{cmd: 'sh'}
  let vim = GetVimProg()

  let buf = RunVimInTerminal('sh', opts)

  let file = 'crash/poc_huaf1'
  let cmn_args = "%s -u NONE -i NONE -n -e -s -S %s -c ':qa!'"
  let args = printf(cmn_args, vim, file)
  call term_sendkeys(buf, args ..
    \ ' && echo "crash 1: [OK]" > X_crash1_result.txt' .. "\<cr>")
  call TermWait(buf, 50)

  let file = 'crash/poc_huaf2'
  let args = printf(cmn_args, vim, file)
  call term_sendkeys(buf, args ..
    \ ' && echo "crash 2: [OK]" >> X_crash1_result.txt' .. "\<cr>")
  call TermWait(buf, 50)

  let file = 'crash/poc_huaf3'
  let args = printf(cmn_args, vim, file)
  call term_sendkeys(buf, args ..
    \ ' && echo "crash 3: [OK]" >> X_crash1_result.txt' .. "\<cr>")
  call TermWait(buf, 100)

  let file = 'crash/bt_quickfix_poc'
  let args = printf(cmn_args, vim, file)
  call term_sendkeys(buf, args ..
    \ ' && echo "crash 4: [OK]" >> X_crash1_result.txt' .. "\<cr>")
  " clean up
  call delete('Xerr')
  " This test takes a bit longer
  call TermWait(buf, 1000)

  let file = 'crash/poc_tagfunc.vim'
  let args = printf(cmn_args, vim, file)
  " using || because this poc causes vim to exit with exitstatus != 0
  call term_sendkeys(buf, args ..
    \ ' || echo "crash 5: [OK]" >> X_crash1_result.txt' .. "\<cr>")

  call TermWait(buf, 100)

  let file = 'crash/bt_quickfix1_poc'
  let args = printf(cmn_args, vim, file)
  call term_sendkeys(buf, args ..
    \ ' && echo "crash 6: [OK]" >> X_crash1_result.txt' .. "\<cr>")
  " clean up
  call delete('X')
  call TermWait(buf, 3000)

  let file = 'crash/vim_regsub_both_poc'
  let args = printf(cmn_args, vim, file)
  call term_sendkeys(buf, args ..
    \ ' && echo "crash 7: [OK]" >> X_crash1_result.txt' .. "\<cr>")
  call TermWait(buf, 3000)

  let file = 'crash/vim_msg_trunc_poc'
  let args = printf(cmn_args, vim, file)
  call term_sendkeys(buf, args ..
    \ ' || echo "crash 8: [OK]" >> X_crash1_result.txt' .. "\<cr>")
  call TermWait(buf, 3000)

  let file = 'crash/crash_scrollbar'
  let args = printf(cmn_args, vim, file)
  call term_sendkeys(buf, args ..
    \ ' && echo "crash 9: [OK]" >> X_crash1_result.txt' .. "\<cr>")
  call TermWait(buf, 1000)

  let file = 'crash/editing_arg_idx_POC_1'
  let args = printf(cmn_args, vim, file)
  call term_sendkeys(buf, args ..
    \ ' || echo "crash 10: [OK]" >> X_crash1_result.txt' .. "\<cr>")
  call TermWait(buf, 1000)
  call delete('Xerr')
  call delete('@')

  " clean up
  exe buf .. "bw!"

  sp X_crash1_result.txt

  let expected = [
    \ 'crash 1: [OK]',
    \ 'crash 2: [OK]',
    \ 'crash 3: [OK]',
    \ 'crash 4: [OK]',
    \ 'crash 5: [OK]',
    \ 'crash 6: [OK]',
    \ 'crash 7: [OK]',
    \ 'crash 8: [OK]',
    \ 'crash 9: [OK]',
    \ 'crash 10: [OK]',
    \ ]

  call assert_equal(expected, getline(1, '$'))
  bw!

  call delete('X_crash1_result.txt')
endfunc
```
```vim
func Test_crash1_2()
  CheckNotBSD
  CheckExecutable dash
  let g:test_is_flaky = 1

  " The following used to crash Vim
  let opts = #{cmd: 'sh'}
  let vim = GetVimProg()
  let result = 'X_crash1_2_result.txt'

  let buf = RunVimInTerminal('sh', opts)

  let file = 'crash/poc1'
  let cmn_args = "%s -u NONE -i NONE -n -e -s -S %s -c ':qa!'"
  let args = printf(cmn_args, vim, file)
  call term_sendkeys(buf, args ..
    \ ' && echo "crash 1: [OK]" > '.. result .. "\<cr>")
  call TermWait(buf, 150)

  let file = 'crash/poc_win_enter_ext'
  let cmn_args = "%s -u NONE -i NONE -n -e -s -S %s -c ':qa!'"
  let args = printf(cmn_args, vim, file)
  call term_sendkeys(buf, args ..
    \ ' && echo "crash 2: [OK]" >> '.. result .. "\<cr>")
  call TermWait(buf, 350)

  let file = 'crash/poc_suggest_trie_walk'
  let cmn_args = "%s -u NONE -i NONE -n -e -s -S %s -c ':qa!'"
  let args = printf(cmn_args, vim, file)
  call term_sendkeys(buf, args ..
    \ ' && echo "crash 3: [OK]" >> '.. result .. "\<cr>")
  call TermWait(buf, 150)

  let file = 'crash/poc_did_set_langmap'
  let cmn_args = "%s -u NONE -i NONE -n -X -m -n -e -s -S %s -c ':qa!'"
  let args = printf(cmn_args, vim, file)
  call term_sendkeys(buf, args ..
    \ ' ; echo "crash 4: [OK]" >> '.. result .. "\<cr>")
  call TermWait(buf, 150)

  " clean up
  exe buf .. "bw!"
  exe "sp " .. result
  let expected = [
    \ 'crash 1: [OK]',
    \ 'crash 2: [OK]',
    \ 'crash 3: [OK]',
    \ 'crash 4: [OK]',
    \ ]

  call assert_equal(expected, getline(1, '$'))
  bw!
  call delete(result)
endfunc
```
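The tests above write `crash N: [OK]` with `&&` when the reproducer is expected to exit 0 and with `||` or `;` when it is expected to exit non-zero; a process killed by a signal also reports a non-zero status to the shell, so those two forms cannot tell an expected error exit from a crash. The following is an added sketch, not part of test_crash.vim or the Vim project, that separates the two using the shell's 128+N convention; `classify_status`, `run_case`, `run_demo` and the stand-in commands are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not Vim project code): record a result line per reproducer
# and distinguish "exited with an error status" from "killed by a signal".

# classify_status STATUS
# Prints "clean" for 0, "signal:<n>" for 128+n (how sh reports a child that
# died from signal n), and "error-exit" for any other non-zero status.
# Limitation: a program that itself calls exit() with a value above 128 is
# indistinguishable, and a sanitizer that reports an error and then exits
# with an ordinary status still shows up as "error-exit".
classify_status() {
    status=$1
    if [ "$status" -eq 0 ]; then
        echo "clean"
    elif [ "$status" -gt 128 ]; then
        echo "signal:$((status - 128))"
    else
        echo "error-exit"
    fi
}

# run_case LABEL EXPECT CMD...
# EXPECT is "clean" or "error-exit". Prints "LABEL: [OK]" only when the
# outcome matches exactly, otherwise "LABEL: [FAIL <outcome>]".
run_case() {
    label=$1
    expect=$2
    shift 2
    status=0
    # "|| status=$?" keeps this safe when the caller runs under "set -e".
    "$@" >/dev/null 2>&1 || status=$?
    outcome=$(classify_status "$status")
    if [ "$outcome" = "$expect" ]; then
        echo "$label: [OK]"
    else
        echo "$label: [FAIL $outcome]"
    fi
}

# Constructed stand-ins for the "vim -u NONE ... -S <poc>" invocations:
#   case 1 exits 0, case 2 exits 1, case 3 dies from SIGSEGV.
# Case 3 is declared "error-exit", which is what a bare "|| echo OK" would
# accept; here it is reported as a failure instead.
run_demo() {
    run_case "crash 1" clean sh -c 'exit 0'
    run_case "crash 2" error-exit sh -c 'exit 1'
    run_case "crash 3" error-exit sh -c 'ulimit -c 0; kill -SEGV $$'
}

run_demo
```

In a real harness the stand-in commands would be replaced by the reproducer command line, and the collected lines compared against the expected list as the Vim tests do with `assert_equal`.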
33879
d418c82f02a4
patch 9.0.2149: [security]: use-after-free in exec_instructions()
Christian Brabandt <cb@256bit.org>
parents: 33865
```vim
" This test just runs various scripts, that caused issues before.
" We are not really asserting anything here, it's just important
" that ASAN does not detect any issues.
func Test_crash1_3()
  let vim = GetVimProg()
  let buf = RunVimInTerminal('sh', #{cmd: 'sh'})

  let file = 'crash/poc_ex_substitute'
  let cmn_args = "%s -u NONE -i NONE -n -e -s -S %s -c ':qa!'\<cr>"
  let args = printf(cmn_args, vim, file)
  call term_sendkeys(buf, args)
  call TermWait(buf, 150)

  let file = 'crash/poc_uaf_exec_instructions'
  let cmn_args = "%s -u NONE -i NONE -n -e -s -S %s -c ':qa!'\<cr>"
  let args = printf(cmn_args, vim, file)
  call term_sendkeys(buf, args)
  call TermWait(buf, 150)
```
33915
a49ae967e9ed
patch 9.0.2158: [security]: use-after-free in check_argument_type
Christian Brabandt <cb@256bit.org>
parents: 33879
```vim
  let file = 'crash/poc_uaf_check_argument_types'
  let cmn_args = "%s -u NONE -i NONE -n -e -s -S %s -c ':qa!'\<cr>"
  let args = printf(cmn_args, vim, file)
  call term_sendkeys(buf, args)
  call TermWait(buf, 150)
```
33879
d418c82f02a4
patch 9.0.2149: [security]: use-after-free in exec_instructions()
Christian Brabandt <cb@256bit.org>
parents: 33865
```vim
  " clean up
  exe buf .. "bw!"
  bw!
```
33772
7624df087ebf
patch 9.0.2106: [security]: Use-after-free in win_close()
Christian Brabandt <cb@256bit.org>
parents: 33523
```vim
endfunc
```
33132
811555b5ab8b
patch 9.0.1848: [security] buffer-overflow in vim_regsub_both()
Christian Brabandt <cb@256bit.org>
parents: 33115
```vim
func Test_crash2()
  " The following used to crash Vim
  let opts = #{wait_for_ruler: 0, rows: 20}
  let args = ' -u NONE -i NONE -n -e -s -S '
  let buf = RunVimInTerminal(args .. ' crash/vim_regsub_both', opts)
  call VerifyScreenDump(buf, 'Test_crash_01', {})
  exe buf .. "bw!"
endfunc
```
33115
e64f3ab1a8b9
patch 9.0.1840: [security] use-after-free in do_ecmd
Christian Brabandt <cb@256bit.org>
```vim
" vim: shiftwidth=2 sts=2 expandtab
```
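The comment above `Test_crash1_3` notes that the test asserts nothing and only matters when ASAN stays quiet. The following is an added example, not part of test_crash.vim or the Vim test suite: it runs the same Vim command line over reproducer scripts and turns a sanitizer report or a signal death into an explicit failure. The helper names `run_poc` and `run_all`, the log directory and the path to the ASAN-built Vim are assumptions.

```shell
#!/bin/sh
# Added example, not part of test_crash.vim. Replays reproducer scripts against
# an ASAN-built Vim and reports pass/fail per script.
# run_poc and run_all are hypothetical helper names; all paths come from the caller.

# run_poc VIM SCRIPT LOGDIR: returns 0 when the run was clean, 1 otherwise.
run_poc() {
  vim_prog=$1 script=$2 logdir=$3
  log="$logdir/asan.$(basename "$script")"
  status=0
  mkdir -p "$logdir"
  rm -f "$log".*                       # drop reports left by earlier runs
  # log_path makes ASAN write its report to "<log>.<pid>" instead of stderr.
  # Vim flags as in Test_crash1_3: no vimrc, no viminfo, no swap file, silent Ex mode.
  ASAN_OPTIONS="log_path=$log" \
    "$vim_prog" -u NONE -i NONE -n -e -s -S "$script" -c ':qa!' \
    </dev/null >/dev/null 2>&1 || status=$?
  for report in "$log".*; do
    [ -e "$report" ] && return 1       # ASAN wrote a report
  done
  [ "$status" -gt 128 ] && return 1    # killed by a signal, e.g. SIGSEGV
  return 0
}

# run_all VIM LOGDIR SCRIPT...: prints one line per script and
# returns the number of scripts that failed.
run_all() {
  vim_prog=$1 logdir=$2
  shift 2
  failed=0
  for script in "$@"; do
    if run_poc "$vim_prog" "$script" "$logdir"; then
      echo "ok   $script"
    else
      echo "FAIL $script"
      failed=$((failed + 1))
    fi
  done
  return "$failed"
}

# Typical call, with the files Test_crash1_3 runs (Vim path is a placeholder):
#   run_all /path/to/asan-vim /tmp/asan-logs crash/poc_ex_substitute \
#     crash/poc_uaf_exec_instructions crash/poc_uaf_check_argument_types
```

Because the check looks for report files rather than the exit status, it still fails when Vim exits normally after ASAN has logged an error.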