Mercurial > vim

diff src/getchar.c @ 36048:179d2e139736 v9.1.0697

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
patch 9.1.0697: [security]: heap-buffer-overflow in ins_typebuf Commit: https://github.com/vim/vim/commit/322ba9108612bead5eb7731ccb66763dec69ef1b Author: Christian Brabandt <cb@256bit.org> Date: Sun Aug 25 21:33:03 2024 +0200 patch 9.1.0697: [security]: heap-buffer-overflow in ins_typebuf Problem: heap-buffer-overflow in ins_typebuf (SuyueGuo) Solution: When flushing the typeahead buffer, validate that there is enough space left Github Advisory: https://github.com/vim/vim/security/advisories/GHSA-4ghr-c62x-cqfh Signed-off-by: Christian Brabandt <cb@256bit.org>
author Christian Brabandt <cb@256bit.org>
date Sun, 25 Aug 2024 21:45:04 +0200
parents 26e0c3d37fef
children
line wrap: on
line diff
--- a/src/getchar.c
+++ b/src/getchar.c
@@ -446,9 +446,18 @@ flush_buffers(flush_buffers_T flush_type
 
     if (flush_typeahead == FLUSH_MINIMAL)
     {
-	// remove mapped characters at the start only
-	typebuf.tb_off += typebuf.tb_maplen;
-	typebuf.tb_len -= typebuf.tb_maplen;
+	// remove mapped characters at the start only,
+	// but only when enough space left in typebuf
+	if (typebuf.tb_off + typebuf.tb_maplen >= typebuf.tb_buflen)
+	{
+	    typebuf.tb_off = MAXMAPLEN;
+	    typebuf.tb_len = 0;
+	}
+	else
+	{
+	    typebuf.tb_off += typebuf.tb_maplen;
+	    typebuf.tb_len -= typebuf.tb_maplen;
+	}
 #if defined(FEAT_CLIENTSERVER) || defined(FEAT_EVAL)
 	if (typebuf.tb_len == 0)
 	    typebuf_was_filled = FALSE;