Mercurial > vim
view src/create_nvcmdidxs.vim @ 33581:403d57b06231 v9.0.2035
patch 9.0.2035: [security] use-after-free with wildmenu
Commit: https://github.com/vim/vim/commit/8f4fb007e4d472b09ff6bed9ffa485e0c3093699
Author: Yee Cheng Chin <ychin.git@gmail.com>
Date: Tue Oct 17 10:06:56 2023 +0200
patch 9.0.2035: [security] use-after-free with wildmenu
Problem: [security] use-after-free with wildmenu
Solution: properly clean up the wildmenu when exiting
Fix wildchar/wildmenu/pum memory corruption with special wildchar's
Currently, using `wildchar=<Esc>` or `wildchar=<C-\>` can lead to a
memory corruption if using wildmenu+pum, or wrong states if only using
wildmenu. This is due to the code only using one single place inside the
cmdline process loop to perform wild menu clean up (by checking
`end_wildmenu`) but there are other odd situations where the loop could
have exited and we need a post-loop clean up just to be sure. If the
clean up was not done you would have a stale popup menu referring to
invalid memory, or if not using popup menu, incorrect status line (if
`laststatus=0`).
For example, if you hit `<Esc>` two times when it's wildchar, there's a
hard-coded behavior to exit command-line as a failsafe for user, and if
you hit `<C-\><C-\><C-N>` it will also exit command-line, but the clean
up code would not have hit because of specialized `<C-\>` handling.
Fix Ctrl-E / Ctrl-Y to not cancel/accept wildmenu if they are also
used for 'wildchar'/'wildcharm'. Currently they don't behave properly,
and also have potentially memory unsafe behavior as the logic is
currently not accounting for this situation and try to do both.
(Previous patch that addressed this: #11677)
Also, correctly document Escape key behavior (double-hit it to escape)
in wildchar docs as it's previously undocumented.
In addition, block known invalid chars to be set in `wildchar` option,
such as Ctrl-C and `<CR>`. This is just to make it clear to the user
they shouldn't be set, and is not required for this bug fix.
closes: #13361
Signed-off-by: Christian Brabandt <cb@256bit.org>
Co-authored-by: Yee Cheng Chin <ychin.git@gmail.com>
author | Christian Brabandt <cb@256bit.org> |
---|---|
date | Tue, 17 Oct 2023 10:15:08 +0200 |
parents | ee1019e59bef |
children |
line wrap: on
line source
" This script generates the table nv_cmd_idx[] which contains the index in " nv_cmds[] table (normal.c) for each of the command character supported in " normal/visual mode. " This is used to speed up the command lookup in nv_cmds[]. " " Script should be run using "make nvcmdidxs", every time the nv_cmds[] table " in src/nv_cmds.h changes. " " This is written in legacy Vim script so that it can be run by a slightly " older Vim version. " Generate the table of normal/visual mode command characters and their " corresponding index. let cmd = 'create_nvcmdidxs' if has('unix') let cmd = './' .. cmd endif let nv_cmdtbl = systemlist(cmd)->map({i, ch -> {'idx': i, 'cmdchar': ch}}) " sort the table by the command character call sort(nv_cmdtbl, {a, b -> a.cmdchar - b.cmdchar}) " Compute the highest index upto which the command character can be directly " used as an index. let nv_max_linear = 0 for i in range(nv_cmdtbl->len()) if i != nv_cmdtbl[i].cmdchar let nv_max_linear = i - 1 break endif endfor " Generate a header file with the table let output =<< trim END /* * Automatically generated code by the create_nvcmdidxs.vim script. * * Table giving the index in nv_cmds[] to lookup based on * the command character. */ // nv_cmd_idx[<normal mode command character>] => nv_cmds[] index static const unsigned short nv_cmd_idx[] = { END " Add each command character in comment and the corresponding index let output += nv_cmdtbl->map({_, v -> \ printf(' /* %5d */ %3d,', v.cmdchar, v.idx)}) let output += ['};', '', \ '// The highest index for which', \ '// nv_cmds[idx].cmd_char == nv_cmd_idx[nv_cmds[idx].cmd_char]'] let output += ['static const int nv_max_linear = ' .. nv_max_linear .. ';'] call writefile(output, "nv_cmdidxs.h") quit " vim: shiftwidth=2 sts=2 expandtab