git.ipfire.org Git - thirdparty/vim.git/commit
patch 9.2.0679: [security]: Out-of-bounds read with text property virtual text v9.2.0679
author Hirohito Higashi <h.east.727@gmail.com>
Sat, 20 Jun 2026 16:06:58 +0000 (16:06 +0000)
committer Christian Brabandt <cb@256bit.org>
Sat, 20 Jun 2026 16:06:58 +0000 (16:06 +0000)
commit b3faeecc976d3031d7c0675623516ec60c30f949
tree 64d169121b4727d2458b4ad5a5f9d5872b5ad236
parent 15a27646436aed462b269a0d35e9060d88b4c45e
patch 9.2.0679: [security]: Out-of-bounds read with text property virtual text

Problem:  [security]: Out-of-bounds read with text property virtual text.
          A crafted undo file can declare a virtual-text property whose
          offset points outside the line's property data, so reading the
          virtual text reads out of bounds.  This completes the count-only
          check added in 9.2.0670.
Solution: Validate the virtual-text offset and length of each property
          against the available property data before turning the offset
          into a pointer.

Github Security Advisory:
https://github.com/vim/vim/security/advisories/GHSA-ww8h-47xp-hp4w

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Signed-off-by: Hirohito Higashi <h.east.727@gmail.com>
Signed-off-by: Christian Brabandt <cb@256bit.org>
src/proto/textprop.pro
src/testdir/test_textprop2.vim
src/textprop.c
src/version.c
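
The check described in the Solution above, as an added example that is not Vim's code and not part of this commit: a count-only check proves the record array fits, but each record's offset and length must also be validated as integers before the offset becomes a pointer. The blob layout and the names `prop_rec`, `props_validate` and `make_blob` are hypothetical, and the sample blob is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical layout (not Vim's): u16 count, count records, text data. */
typedef struct {
    uint32_t vt_off;  /* offset of virtual text from blob start; 0 = none */
    uint32_t vt_len;  /* length in bytes, including the trailing NUL */
} prop_rec;

/* Return 0 if every record's virtual text lies inside the blob, else -1. */
int props_validate(const uint8_t *blob, size_t blob_len)
{
    uint16_t count;
    size_t hdr_end;

    if (blob_len < sizeof count)
        return -1;
    memcpy(&count, blob, sizeof count);
    /* Count-only check: the record array itself must fit. */
    if ((blob_len - sizeof count) / sizeof(prop_rec) < count)
        return -1;
    hdr_end = sizeof count + (size_t)count * sizeof(prop_rec);

    for (uint16_t i = 0; i < count; i++) {
        prop_rec r;
        memcpy(&r, blob + sizeof count + (size_t)i * sizeof r, sizeof r);
        if (r.vt_off == 0)
            continue;                   /* property without virtual text */
        /* Per-record check on integers, before any pointer is formed. */
        if (r.vt_off < hdr_end || r.vt_off >= blob_len)
            return -1;
        if (r.vt_len == 0 || r.vt_len > blob_len - r.vt_off)
            return -1;                  /* subtraction form cannot overflow */
        if (blob[(size_t)r.vt_off + r.vt_len - 1] != '\0')
            return -1;                  /* text must be NUL-terminated */
    }
    return 0;
}

/* Constructed sample: one record; the text "hi\0" follows the header. */
size_t make_blob(uint8_t *out, uint32_t off, uint32_t len)
{
    uint16_t count = 1;
    prop_rec r = { off, len };
    memcpy(out, &count, sizeof count);
    memcpy(out + sizeof count, &r, sizeof r);
    memcpy(out + sizeof count + sizeof r, "hi", 3);
    return sizeof count + sizeof r + 3;
}
```
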