patch 9.1.0697: [security]: heap-buffer-overflow in ins_typebuf v9.1.0697
authorChristian Brabandt <cb@256bit.org>
Sun, 25 Aug 2024 19:33:03 +0000 (21:33 +0200)
committerChristian Brabandt <cb@256bit.org>
Sun, 25 Aug 2024 19:33:03 +0000 (21:33 +0200)
Problem:  heap-buffer-overflow in ins_typebuf
          (SuyueGuo)
Solution: When flushing the typeahead buffer, validate that there
          is enough space left

Github Advisory:
https://github.com/vim/vim/security/advisories/GHSA-4ghr-c62x-cqfh

Signed-off-by: Christian Brabandt <cb@256bit.org>
src/getchar.c
src/testdir/crash/heap_overflow3 [new file with mode: 0644]
src/testdir/test_crash.vim
src/version.c

index 29323fa328bd1efda2af83d351de1b44e4bf80a3..96e180f4ae1a99ee1407b919e14fd6b758a4d602 100644 (file)
@@ -446,9 +446,18 @@ flush_buffers(flush_buffers_T flush_typeahead)
 
     if (flush_typeahead == FLUSH_MINIMAL)
     {
-       // remove mapped characters at the start only
-       typebuf.tb_off += typebuf.tb_maplen;
-       typebuf.tb_len -= typebuf.tb_maplen;
+       // remove mapped characters at the start only,
+       // but only when enough space left in typebuf
+       if (typebuf.tb_off + typebuf.tb_maplen >= typebuf.tb_buflen)
+       {
+           typebuf.tb_off = MAXMAPLEN;
+           typebuf.tb_len = 0;
+       }
+       else
+       {
+           typebuf.tb_off += typebuf.tb_maplen;
+           typebuf.tb_len -= typebuf.tb_maplen;
+       }
 #if defined(FEAT_CLIENTSERVER) || defined(FEAT_EVAL)
        if (typebuf.tb_len == 0)
            typebuf_was_filled = FALSE;
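Review bot: The new fallback branch drops the entire pending typeahead (`tb_len = 0`) rather than only the mapped prefix, yet the comment above it still says "remove mapped characters at the start only"; the comment should state the actual behaviour, e.g. `// the mapped prefix does not fit in typebuf (invariant violated upstream): discard all pending typeahead rather than advancing past the end of the buffer`. Reaching `tb_off + tb_maplen >= tb_buflen` at all means an earlier writer left typebuf inconsistent, so this is a defensive guard and naming it as such helps the next reader. Note also that the fallback leaves `tb_maplen` untouched while zeroing `tb_len`; if the remainder of flush_buffers (outside this hunk) does not reset `tb_maplen`, a stale value would survive the flush, so that is worth confirming. The else branch still assumes `tb_maplen <= tb_len`, otherwise `tb_len` goes negative; if that invariant is guaranteed elsewhere, a one-line comment saying so would document it. flush_buffers begins before and continues after this hunk.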
diff --git a/src/testdir/crash/heap_overflow3 b/src/testdir/crash/heap_overflow3
new file mode 100644 (file)
index 0000000..c40adbe
Binary files /dev/null and b/src/testdir/crash/heap_overflow3 differ
index f1843c426611d9929bbd1031fd16c4c70a4c28a5..5ec103f6dba26e226bae5a8ece99230c8fb10f9c 100644 (file)
@@ -216,6 +216,13 @@ func Test_crash1_3()
   call term_sendkeys(buf, args)
   call TermWait(buf, 50)
 
+  let file = 'crash/heap_overflow3'
+  let cmn_args = "%s -u NONE -i NONE -n -X -m -n -e -s -S %s -c ':qa!'"
+  let args = printf(cmn_args, vim, file)
+  call term_sendkeys(buf, args)
+  call TermWait(buf, 150)
+
+
   " clean up
   exe buf .. "bw!"
   bw!
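Review bot: The added block ends with two consecutive blank lines before the `" clean up` comment, whereas the preceding steps in this function are separated by a single blank line; drop one of them for consistency. The wait of `TermWait(buf, 150)` is three times the 50 used for the previous case and is presumably deliberate for this crash file, but a short comment stating why would keep the next maintainer from "normalising" it back. Test_crash1_3 starts outside this hunk.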
index b07964e2d7d6c170b524830f53bb52008344384c..7f88c8c6836bff778c26055c795cbac8bc2c67d6 100644 (file)
@@ -704,6 +704,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    697,
 /**/
     696,
 /**/