diff src/getchar.c @ 36048:179d2e139736 v9.1.0697
patch 9.1.0697: [security]: heap-buffer-overflow in ins_typebuf
Commit: https://github.com/vim/vim/commit/322ba9108612bead5eb7731ccb66763dec69ef1b
Author: Christian Brabandt <cb@256bit.org>
Date: Sun Aug 25 21:33:03 2024 +0200
patch 9.1.0697: [security]: heap-buffer-overflow in ins_typebuf
Problem: heap-buffer-overflow in ins_typebuf
(SuyueGuo)
Solution: When flushing the typeahead buffer, validate that there
is enough space left
Github Advisory:
https://github.com/vim/vim/security/advisories/GHSA-4ghr-c62x-cqfh
Signed-off-by: Christian Brabandt <cb@256bit.org>
author | Christian Brabandt <cb@256bit.org> |
---|---|
date | Sun, 25 Aug 2024 21:45:04 +0200 |
parents | 26e0c3d37fef |
children |
--- a/src/getchar.c
+++ b/src/getchar.c
@@ -446,9 +446,18 @@ flush_buffers(flush_buffers_T flush_type
 
 if (flush_typeahead == FLUSH_MINIMAL)
 {
- // remove mapped characters at the start only
- typebuf.tb_off += typebuf.tb_maplen;
- typebuf.tb_len -= typebuf.tb_maplen;
+ // remove mapped characters at the start only,
+ // but only when enough space left in typebuf
+ if (typebuf.tb_off + typebuf.tb_maplen >= typebuf.tb_buflen)
+ {
+ typebuf.tb_off = MAXMAPLEN;
+ typebuf.tb_len = 0;
+ }
+ else
+ {
+ typebuf.tb_off += typebuf.tb_maplen;
+ typebuf.tb_len -= typebuf.tb_maplen;
+ }
 #if defined(FEAT_CLIENTSERVER) || defined(FEAT_EVAL)
 if (typebuf.tb_len == 0)
 typebuf_was_filled = FALSE;
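Review bot: The else branch still subtracts `typebuf.tb_maplen` from `typebuf.tb_len` without checking that `tb_maplen` is not larger than `tb_len`; the added guard only bounds the offset against `typebuf.tb_buflen`. If these fields are signed (their declarations are not in the hunk), a stale `tb_maplen` would leave a negative length that slips past the `tb_len == 0` test just below and feeds later buffer arithmetic. Consider folding the check into the same guard: `if (typebuf.tb_maplen > typebuf.tb_len || typebuf.tb_off + typebuf.tb_maplen >= typebuf.tb_buflen)`. The reset branch also discards all typeahead rather than only the mapped prefix, which deserves a comment such as `// offset would pass the end of typebuf: discard all typeahead and start over`. flush_buffers begins and ends outside the hunk, so whether `tb_maplen` is cleared afterwards cannot be confirmed from here.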