Mercurial > vim
view src/testdir/dumps/Test_prop_with_text_after_trunc_5.dump @ 33863:3b8089d550eb v9.0.2141
patch 9.0.2141: [security]: buffer-overflow in suggest_trie_walk
Commit: https://github.com/vim/vim/commit/0fb375aae608d7306b4baf9c1f906961f32e2abf
Author: Christian Brabandt <cb@256bit.org>
Date: Wed Nov 29 10:23:39 2023 +0100
patch 9.0.2141: [security]: buffer-overflow in suggest_trie_walk
Problem: [security]: buffer-overflow in suggest_trie_walk
Solution: Check n before using it as index into byts array
Basically, n as an index into the byts array, can point to beyond the byts
array. So let's double check, that n is within the expected range after
incrementing it from sp->ts_curi and bail out if it would be invalid.
Reported by @henices, thanks!
Signed-off-by: Christian Brabandt <cb@256bit.org>
| author | Christian Brabandt <cb@256bit.org> |
|---|---|
| date | Sun, 10 Dec 2023 15:16:03 +0100 |
| parents | f2d7f20d83c3 |
| children |
line wrap: on
line source
|o+0&#ffffff0|n|e| |t|w|o| |t|h|r|e@1| |f|o|u|r||+1&&|o+0&&|n|e| |t|w|o| |t|h|r|e@1| |f|o|u|r| |f|i|v|e| |s|i|x| |s|e|v|e|n| +0&#ffff4012|o|n|e| |A|N|… | +0&#ffffff0|f|i|v|e| |s|i|x| |s|e|v|e|n| +0&#ffff4012|O|N||+1&#ffffff0|o+0&&|n|e| |t|w|o| |t|h|r|e@1| |f|o|u|r| |f|i|v|e| |s|i|x| |s|e|v|e|n| @7 |E+0&#ffff4012| |a|n|d| |T|W|O| |a|n|d| |T|H|R|…||+1&#ffffff0| +0&#ffff4012|o|n|e| |A|N|D| |t|w|o| |A|N|D| |t|h|r|e@1| |A|N|D| |f|o|u|r| |A|N|D| |f|i|v|e|… |o+0&#ffffff0|n|e| |t|w|o| |t|h|r|e@1| |f|o|u|r||+1&&|c+0&&|u|r|s|o|r| |h|e|r|e| @29 @1|f|i|v|e| |s|i>x| |s|e|v|e|n| +0&#ffff4012|o|n||+1&#ffffff0|~+0#4040ff13&| @39 |e+0#0000000#ffff4012| |A|N|D| |t|w|o| |A|N|D| |t|h|r|…||+1&#ffffff0|~+0#4040ff13&| @39 |@@2| @14||+1#0000000&|~+0#4040ff13&| @39 |<+3#0000000&|m|e|]| |[|+|]| |2|,|2|7| @1|T|o|p| |[+1&&|N|o| |N|a|m|e|]| |[|+|]| @9|4|,|8| @11|B|o|t |:+0&&|1|8|w|i|n|c|m|d| ||| @48