patch 9.1.1115: [security]: use-after-free in str_to_reg() v9.1.1115
authorChristian Brabandt <cb@256bit.org>
Sun, 16 Feb 2025 15:06:38 +0000 (16:06 +0100)
committerChristian Brabandt <cb@256bit.org>
Sun, 16 Feb 2025 15:06:38 +0000 (16:06 +0100)
Problem:  [security]: use-after-free in str_to_reg()
          (fizz-is-on-the-way)
Solution: when redirecting the :display command, check that one
          does not output to the register being displayed

Github Advisory:
https://github.com/vim/vim/security/advisories/GHSA-63p5-mwg2-787v

Signed-off-by: Christian Brabandt <cb@256bit.org>
src/register.c
src/testdir/test_registers.vim
src/version.c

index 0df05054ca7229139da2292c46cdbda978603328..a9630f8ef5db93c71115e25c1052111e627c01f8 100644 (file)
@@ -2420,7 +2420,8 @@ ex_display(exarg_T *eap)
 
 #ifdef FEAT_EVAL
        if (name == MB_TOLOWER(redir_reg)
-               || (redir_reg == '"' && yb == y_previous))
+               || (vim_strchr((char_u *)"\"*+", redir_reg) != NULL &&
+                   (yb == y_previous || yb == &y_regs[0])))
            continue;       // do not list register being written to, the
                            // pointer can be freed
 #endif
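Review bot: The comment after `continue` still says only "do not list register being written to", but the new condition also skips `y_previous` and `y_regs[0]` whenever `redir_reg` is `"`, `*` or `+`, and nothing here explains why those two slots are at risk. Presumably the clipboard registers fall back to the unnamed register / register 0 when no clipboard is available, so the redirect can free the text that is being listed; I would say so, e.g. `// redirecting to ", * or + may write to y_previous or y_regs[0], freeing the text being listed`. The condition does not check whether the clipboard is actually available, so with a working clipboard a `:display` redirected to `@+` appears to omit those registers too; please confirm that is intended. `ex_display()` begins and ends outside this hunk.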
index 1177c2395d3f09ffd43c2a223cb3f477dace3f71..13127022666e0435902a8c0445690888e60c22c4 100644 (file)
@@ -1102,4 +1102,24 @@ func Test_clipboard_regs_not_working2()
   let $DISPLAY=display
 endfunc
 
+" This caused use-after-free
+func Test_register_redir_display()
+  " don't touch the clipboard, so only perform this, when the clipboard is not working
+  if has("clipboard_working")
+    throw "Skipped: skip touching the clipboard register!"
+  endif
+  let @"=''
+  redir @+>
+  disp +"
+  redir END
+  call assert_equal("\nType Name Content", getreg('+'))
+  let a = [getreg('1'), getregtype('1')]
+  let @1='register 1'
+  redir @+
+  disp 1
+  redir END
+  call assert_equal("register 1", getreg('1'))
+  call setreg(1, a[0], a[1])
+endfunc
+
 " vim: shiftwidth=2 sts=2 expandtab
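Review bot: `Test_register_redir_display()` only redirects to `@+`, while the fix in `ex_display()` treats `"`, `*` and `+` the same way, so the `*` and `"` targets are never exercised; repeating the first block with `redir @*>` and `disp *"` would cover the other clipboard register. The test also leaves `@"` and `@+` modified, because only register 1 is saved in `a` and restored with `setreg()`, which can leak state into later tests in the file. The assertions check register contents rather than the freed pointer, so the regression is presumably caught only under ASan or valgrind; a short comment above the function saying so would explain why the checks look trivial.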
index deff163335a57e15772794818bc9c09fde139249..0c85695b907634d15d4abfe882a5130145b61cbb 100644 (file)
@@ -704,6 +704,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    1115,
 /**/
     1114,
 /**/