patch 9.0.2035: [security] use-after-free with wildmenu Commit: https://github.com/vim/vim/commit/8f4fb007e4d472b09ff6bed9ffa485e0c3093699 Author: Yee Cheng Chin <ychin.git@gmail.com> Date: Tue Oct 17 10:06:56 2023 +0200 patch 9.0.2035: [security] use-after-free with wildmenu Problem: [security] use-after-free with wildmenu Solution: properly clean up the wildmenu when exiting Fix wildchar/wildmenu/pum memory corruption with special wildchar's Currently, using `wildchar=<Esc>` or `wildchar=<C-\>` can lead to a memory corruption if using wildmenu+pum, or wrong states if only using wildmenu. This is due to the code only using one single place inside the cmdline process loop to perform wild menu clean up (by checking `end_wildmenu`) but there are other odd situations where the loop could have exited and we need a post-loop clean up just to be sure. If the clean up was not done you would have a stale popup menu referring to invalid memory, or if not using popup menu, incorrect status line (if `laststatus=0`). For example, if you hit `<Esc>` two times when it's wildchar, there's a hard-coded behavior to exit command-line as a failsafe for user, and if you hit `<C-\><C-\><C-N>` it will also exit command-line, but the clean up code would not have hit because of specialized `<C-\>` handling. Fix Ctrl-E / Ctrl-Y to not cancel/accept wildmenu if they are also used for 'wildchar'/'wildcharm'. Currently they don't behave properly, and also have potentially memory unsafe behavior as the logic is currently not accounting for this situation and try to do both. (Previous patch that addressed this: #11677) Also, correctly document Escape key behavior (double-hit it to escape) in wildchar docs as it's previously undocumented. In addition, block known invalid chars to be set in `wildchar` option, such as Ctrl-C and `<CR>`. This is just to make it clear to the user they shouldn't be set, and is not required for this bug fix. closes: #13361 Signed-off-by: Christian Brabandt <cb@256bit.org> Co-authored-by: Yee Cheng Chin <ychin.git@gmail.com>

" This script generates the table nv_cmd_idx[] which contains the index in
" nv_cmds[] table (normal.c) for each of the command character supported in
" normal/visual mode.
" This is used to speed up the command lookup in nv_cmds[].
"
" Script should be run using "make nvcmdidxs", every time the nv_cmds[] table
" in src/nv_cmds.h changes.
"
" This is written in legacy Vim script so that it can be run by a slightly
" older Vim version.

" Generate the table of normal/visual mode command characters and their
" corresponding index.
let cmd = 'create_nvcmdidxs'
if has('unix')
  let cmd = './' .. cmd
endif
let nv_cmdtbl = systemlist(cmd)->map({i, ch -> {'idx': i, 'cmdchar': ch}})

" sort the table by the command character
call sort(nv_cmdtbl, {a, b -> a.cmdchar - b.cmdchar})

" Compute the highest index upto which the command character can be directly
" used as an index.
let nv_max_linear = 0
for i in range(nv_cmdtbl->len())
  if i != nv_cmdtbl[i].cmdchar
    let nv_max_linear = i - 1
    break
  endif
endfor

" Generate a header file with the table
let output =<< trim END
  /*
   * Automatically generated code by the create_nvcmdidxs.vim script.
   *
   * Table giving the index in nv_cmds[] to lookup based on
   * the command character.
   */

  // nv_cmd_idx[<normal mode command character>] => nv_cmds[] index
  static const unsigned short nv_cmd_idx[] =
  {
END

" Add each command character in comment and the corresponding index
let output += nv_cmdtbl->map({_, v ->
      \ printf('  /* %5d */ %3d,', v.cmdchar, v.idx)})

let output += ['};', '',
      \ '// The highest index for which',
      \ '// nv_cmds[idx].cmd_char == nv_cmd_idx[nv_cmds[idx].cmd_char]']

let output += ['static const int nv_max_linear = ' .. nv_max_linear .. ';']

call writefile(output, "nv_cmdidxs.h")
quit

" vim: shiftwidth=2 sts=2 expandtab