Mercurial > vim

view runtime/plugin/rrhelper.vim @ 33865:8cdb69ea3711 v9.0.2143

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
patch 9.0.2143: [security]: buffer-overflow in ex_substitute Commit: https://github.com/vim/vim/commit/abfa13ebe92d81aaf66669c428d767847b577453 Author: Christian Brabandt <cb@256bit.org> Date: Thu Nov 30 11:32:18 2023 +0100 patch 9.0.2143: [security]: buffer-overflow in ex_substitute Problem: [security]: buffer-overflow in ex_substitute Solution: clear memory after allocating When allocating the new_start pointer in ex_substitute() the memory pointer points to some garbage that the following for loop in ex_cmds.c:4743 confuses and causes it to accessing the new_start pointer beyond it's size, leading to a buffer-overlow. So fix this by using alloc_clear() instead of alloc(), which will clear the memory by NUL and therefore cause the loop to terminate correctly. Reported by @henices, thanks! closes: #13596 Signed-off-by: Christian Brabandt <cb@256bit.org>
author Christian Brabandt <cb@256bit.org>
date Sun, 10 Dec 2023 15:16:05 +0100
parents f177a6431514
children
line wrap: on
line source

" Vim plugin with helper function(s) for --remote-wait
" Maintainer: Flemming Madsen <fma@cci.dk>
" Last Change: 2008 May 29

" Has this already been loaded?
if exists("loaded_rrhelper") || !has("clientserver")
  finish
endif
let loaded_rrhelper = 1

" Setup answers for a --remote-wait client who will assume
" a SetupRemoteReplies() function in the command server

function SetupRemoteReplies()
  let cnt = 0
  let max = argc()

  let id = expand("<client>")
  if id == 0
    return
  endif
  while cnt < max
    " Handle same file from more clients and file being more than once
    " on the command line by encoding this stuff in the group name
    let uniqueGroup = "RemoteReply_".id."_".cnt

    " Path separators are always forward slashes for the autocommand pattern.
    " Escape special characters with a backslash.
    let f = substitute(argv(cnt), '\\', '/', "g")
    if exists('*fnameescape')
      let f = fnameescape(f)
    else
      let f = escape(f, " \t\n*?[{`$\\%#'\"|!<")
    endif
    execute "augroup ".uniqueGroup
    execute "autocmd ".uniqueGroup." BufUnload ". f ."  call DoRemoteReply('".id."', '".cnt."', '".uniqueGroup."', '". f ."')"
    let cnt = cnt + 1
  endwhile
  augroup END
endfunc

function DoRemoteReply(id, cnt, group, file)
  call server2client(a:id, a:cnt)
  execute 'autocmd! '.a:group.' BufUnload '.a:file
  execute 'augroup! '.a:group
endfunc

" vim: set sw=2 sts=2 :