
patch 9.0.2035: [security] use-after-free with wildmenu Commit: https://github.com/vim/vim/commit/8f4fb007e4d472b09ff6bed9ffa485e0c3093699 Author: Yee Cheng Chin <ychin.git@gmail.com> Date: Tue Oct 17 10:06:56 2023 +0200 patch 9.0.2035: [security] use-after-free with wildmenu Problem: [security] use-after-free with wildmenu Solution: properly clean up the wildmenu when exiting Fix wildchar/wildmenu/pum memory corruption with special wildchar's Currently, using `wildchar=<Esc>` or `wildchar=<C-\>` can lead to a memory corruption if using wildmenu+pum, or wrong states if only using wildmenu. This is due to the code only using one single place inside the cmdline process loop to perform wild menu clean up (by checking `end_wildmenu`) but there are other odd situations where the loop could have exited and we need a post-loop clean up just to be sure. If the clean up was not done you would have a stale popup menu referring to invalid memory, or if not using popup menu, incorrect status line (if `laststatus=0`). For example, if you hit `<Esc>` two times when it's wildchar, there's a hard-coded behavior to exit command-line as a failsafe for user, and if you hit `<C-\><C-\><C-N>` it will also exit command-line, but the clean up code would not have hit because of specialized `<C-\>` handling. Fix Ctrl-E / Ctrl-Y to not cancel/accept wildmenu if they are also used for 'wildchar'/'wildcharm'. Currently they don't behave properly, and also have potentially memory unsafe behavior as the logic is currently not accounting for this situation and try to do both. (Previous patch that addressed this: #11677) Also, correctly document Escape key behavior (double-hit it to escape) in wildchar docs as it's previously undocumented. In addition, block known invalid chars to be set in `wildchar` option, such as Ctrl-C and `<CR>`. This is just to make it clear to the user they shouldn't be set, and is not required for this bug fix. 
closes: #13361 Signed-off-by: Christian Brabandt <cb@256bit.org> Co-authored-by: Yee Cheng Chin <ychin.git@gmail.com>
author Christian Brabandt <cb@256bit.org>
date Tue, 17 Oct 2023 10:15:08 +0200

#! /bin/sh
#
# osdef.sh -- copy osdef.h.in to osdef.h while removing declarations
# found in the system header files. Caution: weird sed magic going on here.
# Warnings are printed if sed did not survive.
#
# (C) Michael Schroeder, Juergen Weigert
#
# osdef.h.in has been split into osdef1.h.in and osdef2.h.in, because some
# sed's could not handle the amount of commands (is 50 commands the limit?).
#
# 31.10.95 jw.

# Fall back to a plain "cc" and the current directory when the environment
# leaves the compiler or the source directory empty.
CC=${CC:-cc}
srcdir=${srcdir:-.}

# Force C collation so that bracket ranges such as [a-z] in the sed scripts
# below match ASCII letters only (in a Swedish locale [a-z] skips 'w').
# LC_ALL is cleared so it cannot override LC_COLLATE.
LC_COLLATE=C
LC_ALL=
export LC_COLLATE LC_ALL

# Drop stale core dumps so that a fresh one produced by sed can be detected
# at the end of the script.
rm -f core* *.core

# Probe translation unit: it includes the headers os_unix.c uses plus a few
# that only single source files need, so that the preprocessor output below
# lists every declaration the system headers provide.
# select and tgetstr are renamed first, presumably so the system's own
# prototypes for them are never taken as matches -- verify against osdef?.h.in.
# The delimiter is quoted: nothing in the text is meant to be expanded.
cat > osdef0.c << 'EOF'
#ifndef __APPLE__
# define select select_declared_wrong
#endif
#define tgetstr tgetstr_declared_wrong
#include "auto/config.h"
#include "os_unix.h"	/* bring in most header files, more follow below */
#include "os_unixx.h"	/* bring in header files for os_unix.c */

#ifdef HAVE_TERMCAP_H
# include <termcap.h>	/* only for term.c */
#endif

#ifdef HAVE_FCNTL_H
# include <fcntl.h>		/* only used in a few files */
#endif

#ifdef HAVE_SYS_STATFS_H
# include <sys/types.h>
# include <sys/statfs.h>	/* only for memfile.c */
#endif

#ifdef HAVE_X11
# include <X11/Intrinsic.h>
#endif
EOF

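# Preprocess the probe file so that every declaration the system headers
# provide ends up, fully expanded, in osdef0.cc.  $CC is deliberately left
# unquoted: it may carry flags (e.g. a constructed "cc -m64") that must be
# word-split.  $srcdir is a single path and is quoted.
$CC -I. -I"$srcdir" -E osdef0.c >osdef0.cc

# insert a space in front of each line, so that a function name at the
# start of the line is matched with "[)*, 	]\1[ 	(]"
sed < osdef0.cc -e '/\(..*\)/s// \1/' > osdef0.ccc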

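# Turn every "extern ... name(...)" prototype in osdef1.h.in into a pair of
# sed lines in osdef11.sed:
#   /[)*, <tab>][(]*name[)]*[ <tab>(]/i\
#   \/\[^a-zA-Z_\]name(\/d
# i.e. "whenever the preprocessed system headers mention name as a function,
# insert the text /[^a-zA-Z_]name(/d" (the i command strips the protecting
# backslashes).  Running osdef11.sed over osdef0.ccc therefore yields one
# delete command per prototype the system already declares.  The doubled
# backslashes are needed because the replacement text has to survive both
# this sed and the later "sed -f".  $srcdir is quoted; the sed program itself
# is unchanged.
sed < "$srcdir"/osdef1.h.in -n -e '/^extern/s@.*[)* 	][)* 	]*\([a-zA-Z_][a-zA-Z0-9_]*\)(.*@/[)*, 	][(]*\1[)]*[ 	(]/i\\\
\\/\\[^a-zA-Z_\\]\1(\\/d@p' > osdef11.sed

# Same transformation for osdef2.h.in, producing osdef21.sed.
sed < "$srcdir"/osdef2.h.in -n -e '/^extern/s@.*[)* 	][)* 	]*\([a-zA-Z_][a-zA-Z0-9_]*\)(.*@/[)*, 	][(]*\1[)]*[ 	(]/i\\\
\\/\\[^a-zA-Z_\\]\1(\\/d@p' > osdef21.sed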

# Start osdef2.sed with three "1i" commands that put a do-not-edit banner
# at the top of the generated header.  With the delimiter quoted the
# backslashes are written as-is, so each "1i\" line is emitted literally.
cat > osdef2.sed << 'EOF'
1i\
/*
1i\
 * osdef.h is automagically created from osdef?.h.in by osdef.sh -- DO NOT EDIT
1i\
 */
EOF

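# Generate the delete commands for every prototype the system headers already
# provide, append them to the banner commands, and run the combined script
# over osdef1.h.in.  sed reads osdef0.ccc directly instead of via "cat |".
sed -n -f osdef11.sed osdef0.ccc >> osdef2.sed
sed -f osdef2.sed < "$srcdir"/osdef1.h.in > auto/osdef.h

# Same for osdef2.h.in; its result is appended to osdef.h.  osdef2.sed is
# overwritten here (">"), so the banner is emitted only once.
sed -n -f osdef21.sed osdef0.ccc > osdef2.sed
sed -f osdef2.sed < "$srcdir"/osdef2.h.in >> auto/osdef.h

# Remove all intermediate files; auto/osdef.h is the only product.
rm osdef0.c osdef0.cc osdef0.ccc osdef11.sed osdef21.sed osdef2.sed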

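# A core dump left behind by one of the sed runs above means the generated
# osdef.h cannot be trusted: report it and fail.  A loop over the patterns
# removed at the start replaces "test -f core*", which becomes a usage error
# (and silently skips the check) when more than one file matches.
for core_file in core* *.core; do
  if test -f "$core_file"; then
    file "$core_file"
    echo "  Sorry, your sed is broken. Call the system administrator."
    echo "  Meanwhile, you may try to compile Vim with an empty osdef.h file."
    echo "  If your compiler complains about missing prototypes, move the needed"
    echo "  ones from osdef1.h.in and osdef2.h.in to osdef.h."
    exit 1
  fi
done

# Compare the result with the unmodified inputs.  A diff of exactly 4 lines
# (one hunk header plus the three inserted banner lines) means no declaration
# was removed at all, which presumably indicates the sed scripts matched
# nothing; warn, but continue as before.
cat "$srcdir"/osdef1.h.in "$srcdir"/osdef2.h.in >osdefX.h.in
# "eval" re-splits the wc output, stripping the leading blanks some wc
# implementations print, so that test sees a bare number.
if eval test "`diff auto/osdef.h osdefX.h.in | wc -l`" -eq 4; then
  echo "  Hmm, sed is very pessimistic about your system header files."
  echo "  But it did not dump core -- strange! Let's continue carefully..."
  echo "  If this fails, you may want to remove offending lines from osdef.h"
  echo "  or try with an empty osdef.h file, if your compiler can do without"
  echo "  function declarations."
fi
rm osdefX.h.in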