patch 9.2.0078: [security]: stack-buffer-overflow in build_stl_str_hl()

Problem:  A stack-buffer-overflow occurs when rendering a statusline
          with a multi-byte fill character on a very wide terminal.
          The size check in build_stl_str_hl() uses the cell width
          rather than the byte length, allowing the subsequent fill
          loop to write beyond the 4096-byte MAXPATHL buffer
          (ehdgks0627, un3xploitable).
Solution: Update the size check to account for the byte length of
          the fill character (using MB_CHAR2LEN).

Github Advisory:
https://github.com/vim/vim/security/advisories/GHSA-gmqx-prf2-8mwf

Signed-off-by: Christian Brabandt <cb@256bit.org>

diff --git a/src/buffer.c b/src/buffer.c
index 5a639fcf58e86f6c28580ce4d6b2d73b20fd7bc0..d96f2fdc1ad6a5514fb41fb0f15e077333bf9742 100644 (file)
--- a/src/buffer.c
+++ b/src/buffer.c
@@ -5296,7 +5296,8 @@ build_stl_str_hl(
        }
        width = maxwidth;
     }
-    else if (width < maxwidth && outputlen + maxwidth - width + 1 < outlen)
+    else if (width < maxwidth &&
+           outputlen + (maxwidth - width) * MB_CHAR2LEN(fillchar) + 1 < outlen)
     {
        // Find how many separators there are, which we will use when
        // figuring out how many groups there are.

diff --git a/src/version.c b/src/version.c
index 360e31edfb1721dbdb1154b1fd2b9c7adefb0c4b..7abc134fc54efcb56a55e85b661adf9b598ed6e1 100644 (file)
--- a/src/version.c
+++ b/src/version.c
@@ -734,6 +734,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    78,
 /**/
     77,
 /**/