Mercurial > vim
view runtime/tools/demoserver.py @ 33879:d418c82f02a4 v9.0.2149
patch 9.0.2149: [security]: use-after-free in exec_instructions()
Commit: https://github.com/vim/vim/commit/5dd41d4b6370b7b7d09d691f9252b3899c66102a
Author: Christian Brabandt <cb@256bit.org>
Date: Mon Dec 4 22:52:23 2023 +0100
patch 9.0.2149: [security]: use-after-free in exec_instructions()
Problem: [security]: use-after-free in exec_instructions()
Solution: get tv pointer again
[security]: use-after-free in exec_instructions()
exec_instructions may access freed memory, if the GA_GROWS_FAILS()
re-allocates memory. When this happens, the typval tv may still point to
now already freed memory. So let's get that pointer again and compare it
with tv. If those two pointers differ, tv is now invalid and we have to
refresh the tv pointer.
closes: #13621
Signed-off-by: Christian Brabandt <cb@256bit.org>
| author | Christian Brabandt <cb@256bit.org> |
|---|---|
| date | Sun, 10 Dec 2023 15:16:17 +0100 |
| parents | dce918af0c00 |
| children |
line wrap: on
line source
#!/usr/bin/python # # Server that will accept connections from a Vim channel. # Run this server and then in Vim you can open the channel: # :let handle = ch_open('localhost:8765') # # Then Vim can send requests to the server: # :let response = ch_sendexpr(handle, 'hello!') # # And you can control Vim by typing a JSON message here, e.g.: # ["ex","echo 'hi there'"] # # There is no prompt, just type a line and press Enter. # To exit cleanly type "quit<Enter>". # # See ":help channel-demo" in Vim. # # This requires Python 2.6 or later. from __future__ import print_function import json import socket import sys import threading try: # Python 3 import socketserver except ImportError: # Python 2 import SocketServer as socketserver thesocket = None class ThreadedTCPRequestHandler(socketserver.BaseRequestHandler): def handle(self): print("=== socket opened ===") global thesocket thesocket = self.request while True: try: data = self.request.recv(4096).decode('utf-8') except socket.error: print("=== socket error ===") break if data == '': print("=== socket closed ===") break print("received: {0}".format(data)) try: decoded = json.loads(data) except ValueError: print("json decoding failed") decoded = [-1, ''] # Send a response if the sequence number is positive. # Negative numbers are used for "eval" responses. if decoded[0] >= 0: if decoded[1] == 'hello!': response = "got it" id = decoded[0] elif decoded[1] == 'hello channel!': response = "got that" # response is not to a specific message callback but to the # channel callback, need to use ID zero id = 0 else: response = "what?" id = decoded[0] encoded = json.dumps([id, response]) print("sending {0}".format(encoded)) self.request.sendall(encoded.encode('utf-8')) thesocket = None class ThreadedTCPServer(socketserver.ThreadingMixIn, socketserver.TCPServer): pass if __name__ == "__main__": HOST, PORT = "localhost", 8765 server = ThreadedTCPServer((HOST, PORT), ThreadedTCPRequestHandler) ip, port = server.server_address # Start a thread with the server -- that thread will then start one # more thread for each request server_thread = threading.Thread(target=server.serve_forever) # Exit the server thread when the main thread terminates server_thread.daemon = True server_thread.start() print("Server loop running in thread: ", server_thread.name) print("Listening on port {0}".format(PORT)) while True: typed = sys.stdin.readline() if "quit" in typed: print("Goodbye!") break if thesocket is None: print("No socket yet") else: print("sending {0}".format(typed)) thesocket.sendall(typed.encode('utf-8')) server.shutdown() server.server_close()