patch 9.1.0689: [security]: buffer-overflow in do_search() with 'rightleft'

author Christian Brabandt <cb@256bit.org>

Thu, 22 Aug 2024 19:40:14 +0000 (21:40 +0200)

committer Christian Brabandt <cb@256bit.org>

Thu, 22 Aug 2024 19:40:14 +0000 (21:40 +0200)
author Christian Brabandt <cb@256bit.org>
Thu, 22 Aug 2024 19:40:14 +0000 (21:40 +0200)
committer Christian Brabandt <cb@256bit.org>
Thu, 22 Aug 2024 19:40:14 +0000 (21:40 +0200)
diff --git a/src/search.c b/src/search.c

index 01c143f69bec7adbaefe7641ba41542d8accf8a0..e5936d8294129fed708a9459f94466e6844d1ad3 100644 (file)
--- a/src/search.c
+++ b/src/search.c
@@ -1548,6 +1548,7 @@ do_search(
                         {
                             vim_free(msgbuf);
                             msgbuf = r;
+                           msgbuflen = STRLEN(msgbuf);
                             // move reversed text to beginning of buffer
                             while (*r != NUL && *r == ' ')
                                 r++;
diff --git a/src/testdir/crash/reverse_text_overflow b/src/testdir/crash/reverse_text_overflow

new file mode 100644 (file)

index 0000000..dfbfe2c

Binary files /dev/null and b/src/testdir/crash/reverse_text_overflow differ
diff --git a/src/testdir/test_crash.vim b/src/testdir/test_crash.vim

index 800f3e5e64df1f3234085b51079a548ef6f84720..302d3730b6b12c0e1d3adcb61bc368c29bcd5779 100644 (file)
--- a/src/testdir/test_crash.vim
+++ b/src/testdir/test_crash.vim
@@ -150,6 +150,13 @@ func Test_crash1_2()
      \ ' ; echo "crash 4: [OK]" >> '.. result .. "\<cr>")
    call TermWait(buf, 150)
  
+  let file = 'crash/reverse_text_overflow'
+  let cmn_args = "%s -u NONE -i NONE -n -X -m -n -e -s -S %s -c ':qa!'"
+  let args = printf(cmn_args, vim, file)
+  call term_sendkeys(buf, args ..
+    \ ' ; echo "crash 5: [OK]" >> '.. result .. "\<cr>")
+  call TermWait(buf, 150)
+
    " clean up
    exe buf .. "bw!"
    exe "sp " .. result
@@ -158,6 +165,7 @@ func Test_crash1_2()
        \ 'crash 2: [OK]',
        \ 'crash 3: [OK]',
        \ 'crash 4: [OK]',
+      \ 'crash 5: [OK]',
        \ ]
  
    call assert_equal(expected, getline(1, '$'))
@@ -201,6 +209,7 @@ func Test_crash1_3()
    let args = printf(cmn_args, vim, file)
    call term_sendkeys(buf, args)
    call TermWait(buf, 150)
+  call delete('Untitled')
  
    let file = 'crash/nullpointer'
    let cmn_args = "%s -u NONE -i NONE -n -e -s -S %s -c ':qa!'\<cr>"
diff --git a/src/version.c b/src/version.c

index e77ef0f4c9635c5bc4ae3f813a52a1c8e9b12387..05ae6ca2ae7e771f80b9980e35dcade560a6660a 100644 (file)
--- a/src/version.c
+++ b/src/version.c
@@ -704,6 +704,8 @@ static char *(features[]) =
  
  static int included_patches[] =
  {   /* Add new patch number below this line */
+/**/
+    689,
  /**/
      688,
  /**/
author	Christian Brabandt <cb@256bit.org>
	Thu, 22 Aug 2024 19:40:14 +0000 (21:40 +0200)
committer	Christian Brabandt <cb@256bit.org>
	Thu, 22 Aug 2024 19:40:14 +0000 (21:40 +0200)
src/search.c		patch \| blob \| blame \| history
src/testdir/crash/reverse_text_overflow	[new file with mode: 0644]	patch \| blob
src/testdir/test_crash.vim		patch \| blob \| blame \| history
src/version.c		patch \| blob \| blame \| history