changeset 33187:201c54cdde82 v9.0.1873

patch 9.0.1873: [security] heap-buffer-overflow in vim_regsub_both Commit: https://github.com/vim/vim/commit/f6d28fe2c95c678cc3202cc5dc825a3fcc709e93 Author: Christian Brabandt <cb@256bit.org> Date: Tue Sep 5 20:18:06 2023 +0200 patch 9.0.1873: [security] heap-buffer-overflow in vim_regsub_both Problem: heap-buffer-overflow in vim_regsub_both Solution: Disallow exchanging windows when textlock is active Signed-off-by: Christian Brabandt <cb@256bit.org>
author Christian Brabandt <cb@256bit.org>
date Tue, 05 Sep 2023 20:30:04 +0200
parents f325d46b2e84
children d33e0d3f95ed
files src/ex_cmds.c src/testdir/crash/vim_regsub_both_poc src/testdir/test_crash.vim src/version.c src/window.c
diffstat 5 files changed, 19 insertions(+), 0 deletions(-) [+]
--- a/src/ex_cmds.c
+++ b/src/ex_cmds.c
@@ -4519,6 +4519,9 @@ ex_substitute(exarg_T *eap)
 		{
 		    nmatch = curbuf->b_ml.ml_line_count - sub_firstlnum + 1;
 		    skip_match = TRUE;
+		    // safety check
+		    if (nmatch < 0)
+			goto skip;
 		}
 
 		// Need room for:
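Review bot: The `// safety check` comment on the added guard in ex_substitute does not say which condition it protects against, so a later cleanup could remove it as dead code. A negative `nmatch` means `sub_firstlnum` lies more than one line past the end of `curbuf`, presumably because the buffer or current window changed while the replacement expression was evaluated; a comment such as `// safety check: curbuf may have fewer lines than sub_firstlnum if it changed during the substitute` would record that. The guard also lets `nmatch == 0` through, and the hunk does not show whether the size computation that follows handles zero lines, so confirm that or use `<= 0` if zero is equally invalid. The `skip` label and the rest of the function are outside the hunk.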
new file mode 100644
index e69de29bb2d1d6434b8b29ae775ad8c2e48c5391..19a57114be60c39dfb8b97ab95118caad7105322
GIT binary patch
literal 244
zc$`I!u?oU45QgJ=E>7xDFoI&+r5USGaPSEnL^MljQY_d;dm6M3K7nuKlexsSNWJBL
z{{Q&?ORse8dVtw+T&Obdvnm=4yC4gZLJ}W;;a_TMo}?h8LjWaUz^5}W;E~Nf#9CQZ
zQ(#uD_jrP{q?j)RST<`apwTL1ZK01{b<ShO`OcV^;hgk9XZaj`4(b_0p%|^A)otR)
u`rNtS?P{<Z*;2QI()C7kBeK$cZ!Z!rQG()uDhxp*Fic8w=n-LGR`3NUEKW24
--- a/src/testdir/test_crash.vim
+++ b/src/testdir/test_crash.vim
@@ -46,6 +46,7 @@ func Test_crash1()
 
   let file = 'crash/poc_tagfunc.vim'
   let args = printf(cmn_args, vim, file)
+  " using || because this poc causes vim to exit with exitstatus != 0
   call term_sendkeys(buf, args ..
     \ '  || echo "crash 5: [OK]" >> X_crash1_result.txt' .. "\<cr>")
 
@@ -59,6 +60,13 @@ func Test_crash1()
   call delete('X')
   call TermWait(buf, 3000)
 
+  let file = 'crash/vim_regsub_both_poc'
+  let args = printf(cmn_args, vim, file)
+  " using || because this poc causes vim to exit with exitstatus != 0
+  call term_sendkeys(buf, args ..
+    \ '  && echo "crash 7: [OK]" >> X_crash1_result.txt' .. "\<cr>")
+  call TermWait(buf, 1000)
+
   " clean up
   exe buf .. "bw!"
 
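Review bot: The comment added above the crash 7 `term_sendkeys` call says `using || because this poc causes vim to exit with exitstatus != 0`, but the command on the following line chains with `&&`, so the comment contradicts the code. It appears to have been copied from the crash 5 block, where `||` really is used. If `&&` is intended, meaning Vim is expected to exit cleanly once the window exchange is refused, the comment should read something like `" using && because vim is expected to exit with exitstatus 0 for this poc`. The body of Test_crash1 begins before this hunk and continues after it.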
@@ -71,6 +79,7 @@ func Test_crash1()
       \ 'crash 4: [OK]',
       \ 'crash 5: [OK]',
       \ 'crash 6: [OK]',
+      \ 'crash 7: [OK]',
       \ ]
 
   call assert_equal(expected, getline(1, '$'))
--- a/src/version.c
+++ b/src/version.c
@@ -700,6 +700,8 @@ static char *(features[]) =
 static int included_patches[] =
 {   /* Add new patch number below this line */
 /**/
+    1873,
+/**/
     1872,
 /**/
     1871,
--- a/src/window.c
+++ b/src/window.c
@@ -1733,6 +1733,11 @@ win_exchange(long Prenum)
 	beep_flush();
 	return;
     }
+    if (text_or_buf_locked())
+    {
+	beep_flush();
+	return;
+    }
 
 #ifdef FEAT_GUI
     need_mouse_correct = TRUE;
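Review bot: The new `text_or_buf_locked()` guard in win_exchange has no comment tying it to the textlock problem it fixes, and it sits directly after another `beep_flush(); return;` block where it reads as a duplicate. A one-line comment such as `// not allowed while textlock is active, e.g. while evaluating a substitute expression` would make the intent clear. The hunk also covers only the exchange command. Whether the other commands that rearrange or switch windows (rotate, move, close) are already guarded the same way cannot be seen from here and is worth checking, since the ex_substitute guard in this commit would then be the only backstop for them. The rest of win_exchange lies outside the hunk.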