patch 9.1.2139: Buffer overflow in :wlrestore command

Problem:  Buffer overflow in :wlrestore command, caused by assuming
          wrong buffer length in vwl_log_handler() (Seungyeon Park)
Solution: Use correct buffer size (512 bytes) in vim_vsnprintf()
          to properly truncate long messages.

Signed-off-by: Christian Brabandt <cb@256bit.org>

diff --git a/runtime/doc/version9.txt b/runtime/doc/version9.txt
index 843868c20752634f8acbaa16e68ebe4c7a01f539..989c7c07b04ce7100c0b451b2abf2badfc817e21 100644 (file)
--- a/runtime/doc/version9.txt
+++ b/runtime/doc/version9.txt
@@ -52517,4 +52517,10 @@ Problem:  With 'autochdir' win_execute() can corrupt the buffer name, causing
           :write to use wrong path.
 Solution: Save and restore b_fname when 'autochdir' is active (Ingo Karkat).
 
+Patch 9.1.2139
+Problem:  Buffer overflow in :wlrestore command, caused by assuming
+          wrong buffer length in vwl_log_handler() (Seungyeon Park)
+Solution: Use correct buffer size (512 bytes) in vim_vsnprintf()
+          to properly truncate long messages.
+
  vim:tw=78:ts=8:noet:ft=help:norl:fdm=manual:nofoldenable

diff --git a/src/testdir/test_wayland.vim b/src/testdir/test_wayland.vim
index 155172a0fa93ed548609f2054cbc583850aefa9c..c18b6b5d0c6ecf532def9511666f056f73ed40fb 100644 (file)
--- a/src/testdir/test_wayland.vim
+++ b/src/testdir/test_wayland.vim
@@ -614,4 +614,9 @@ func Test_wayland_handle_large_data()
   call assert_equal(l:contents, system('wl-paste -n -t TEXT'))
 endfunc
 
+" Test for heap buffer overflow in wayland log handler
+func Test_wayland_protocol_error_overflow()
+  exe "wlrestore " .. repeat('X', 4096)
+endfunc
+
 " vim: shiftwidth=2 sts=2 expandtab

diff --git a/src/version.c b/src/version.c
index 0a395c50ecf5e950106f4b913102d0fac7cbc15d..a892d87c789b311d9b0060b41c598b89113c04c3 100644 (file)
--- a/src/version.c
+++ b/src/version.c
@@ -734,6 +734,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    2139,
 /**/
     2138,
 /**/

diff --git a/src/wayland.c b/src/wayland.c
index 4db13c4c0781cd6f530f733b21757c5c4860b72a..6461337aabed75deeb26689f3ab9190333e9aecf 100644 (file)
--- a/src/wayland.c
+++ b/src/wayland.c
@@ -234,7 +234,7 @@ vwl_log_handler(const char *fmt, va_list args)
        return;
 
     vim_strncpy((char_u*)buf, (char_u*)prefix, len);
-    vim_vsnprintf(buf + len, 4096 - len, fmt, args);
+    vim_vsnprintf(buf + len, 512 - len, fmt, args);
 
     // Remove newline that libwayland puts
     buf[STRLEN(buf) - 1] = NUL;