changeset 34753:a87c4383404a v9.1.0254
patch 9.1.0254: [security]: Heap buffer overflow when calling complete_add() in 'cfu'
Commit: https://github.com/vim/vim/commit/0a419e07a705675ac159218f42c1daa151d2ceea
Author: zeertzjq <zeertzjq@outlook.com>
Date: Tue Apr 2 19:01:14 2024 +0200
patch 9.1.0254: [security]: Heap buffer overflow when calling complete_add() in 'cfu'
Problem: [security]: Heap buffer overflow when calling complete_add()
in the first call of 'completefunc'
Solution: Call check_cursor() after calling 'completefunc' (zeertzjq)
closes: #14391
Signed-off-by: zeertzjq <zeertzjq@outlook.com>
Signed-off-by: Christian Brabandt <cb@256bit.org>
author | Christian Brabandt <cb@256bit.org> |
---|---|
date | Tue, 02 Apr 2024 19:15:02 +0200 |
parents | 0e6516f5b03c |
children | 66e88c438206 |
files | src/insexpand.c src/testdir/test_ins_complete.vim src/version.c |
diffstat | 3 files changed, 26 insertions(+), 0 deletions(-) [+] |
--- a/src/insexpand.c
+++ b/src/insexpand.c
@@ -2741,6 +2741,7 @@ expand_by_function(int type, char_u *bas
 --textlock;
 curwin->w_cursor = pos; // restore the cursor position
+ check_cursor(); // make sure cursor position is valid, just in case
 validate_cursor();
 if (!EQUAL_POS(curwin->w_cursor, pos))
 {
@@ -4606,6 +4607,7 @@ get_userdefined_compl_info(colnr_T curs_
 State = save_State;
 curwin->w_cursor = pos; // restore the cursor position
+ check_cursor(); // make sure cursor position is valid, just in case
 validate_cursor();
 if (!EQUAL_POS(curwin->w_cursor, pos))
 {
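Review bot: The comment on the added `check_cursor();` in expand_by_function() reads "just in case", which undersells it: per the commit message this call is the fix for the heap overflow, since the saved `pos` may no longer lie inside the buffer once the 'completefunc' callback has run. I would word it as `check_cursor(); // callback may have changed the text: clamp the restored position before it is used`, and the same applies to the identical line in the get_userdefined_compl_info() hunk. It also looks like the `EQUAL_POS()` test that follows depends on this clamping to notice the change (the new test expects E840), which is worth saying in the comment. Both functions start and end outside the hunks, so the error branch itself is not visible here.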
--- a/src/testdir/test_ins_complete.vim
+++ b/src/testdir/test_ins_complete.vim
@@ -2429,4 +2429,26 @@ func Test_complete_changed_complete_info
 call StopVimInTerminal(buf)
 endfunc
+func Test_completefunc_first_call_complete_add()
+ new
+
+ func Complete(findstart, base) abort
+ if a:findstart
+ let col = col('.')
+ call complete_add('#')
+ return col - 1
+ else
+ return []
+ endif
+ endfunc
+
+ set completeopt=longest completefunc=Complete
+ " This used to cause heap-buffer-overflow
+ call assert_fails('call feedkeys("ifoo#\<C-X>\<C-U>", "xt")', 'E840:')
+
+ delfunc Complete
+ set completeopt& completefunc&
+ bwipe!
+endfunc
+
 " vim: shiftwidth=2 sts=2 expandtab nofoldenable
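Review bot: Test_completefunc_first_call_complete_add() drives only the findstart call through CTRL-X CTRL-U, so of the two patched sites it presumably exercises get_userdefined_compl_info() and leaves the `check_cursor()` added to expand_by_function() without a regression test. A second case that reaches that path would close the gap. The comment `" This used to cause heap-buffer-overflow` could also state that the overflow shows up only in a sanitizer or valgrind run, e.g. `" Used to read past the line end (seen with ASan); now must fail with E840`, so a reader knows the E840 assertion alone may not catch a regression in a plain build.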