patch 9.0.1848: [security] buffer-overflow in vim_regsub_both() v9.0.1848
authorChristian Brabandt <cb@256bit.org>
Sat, 2 Sep 2023 19:15:52 +0000 (21:15 +0200)
committerChristian Brabandt <cb@256bit.org>
Sat, 2 Sep 2023 19:37:04 +0000 (21:37 +0200)
Problem:  buffer-overflow in vim_regsub_both()
Solution: Check remaining space

Signed-off-by: Christian Brabandt <cb@256bit.org>
src/ex_cmds.c
src/regexp.c
src/testdir/crash/vim_regsub_both [new file with mode: 0644]
src/testdir/test_crash.vim
src/version.c

index c30b6fddf24c4952f9dc9de75f5a07bb59edae4a..53c7bb5a3762d053dcc1f9e98d800bc38e3709c3 100644 (file)
@@ -4651,6 +4651,9 @@ ex_substitute(exarg_T *eap)
                mch_memmove(new_end, sub_firstline + copycol, (size_t)copy_len);
                new_end += copy_len;
 
+               if (new_start_len - copy_len < sublen)
+                   sublen = new_start_len - copy_len - 1;
+
 #ifdef FEAT_EVAL
                ++textlock;
 #endif
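Review bot: The new guard measures the remaining room from this segment's `copy_len` alone, but `new_end` has already been advanced past whatever earlier matches on the same line appended, so if `new_start_len` is the allocated size of the buffer `new_end` points into (its declaration and the growth logic are outside the hunk) the free space is `new_start_len - (new_end - new_start)`, and the clamp can still let `sublen` exceed it on the second and later matches of a line. When the buffer is exactly full the subtraction also produces `-1` for `sublen`, which downstream length checks against a `size_t` would not catch. A clamp such as `if (sublen > (int)(new_start_len - (new_end - new_start)) - 1) sublen = (int)(new_start_len - (new_end - new_start)) - 1;` addresses both. Because truncating `sublen` silently shortens the substitution rather than growing the buffer, a comment like `// defensive clamp; the buffer was sized for sublen above, so this should not trigger` would tell the next reader it is a last-resort guard. ex_substitute starts and ends outside the hunk.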
index 9c576c6893cb2139bdc6613f0c3181f5f1e6cdec..edd1293a530d9732c860bf6b77dec77924236abf 100644 (file)
@@ -2051,7 +2051,8 @@ vim_regsub_both(
        // "flags & REGSUB_COPY" != 0.
        if (copy)
        {
-           if (eval_result[nested] != NULL)
+           if (eval_result[nested] != NULL &&
+                   STRLEN(eval_result[nested]) < destlen)
            {
                STRCPY(dest, eval_result[nested]);
                dst += STRLEN(eval_result[nested]);
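Review bot: When the added length check fails the branch silently skips the copy and leaves `dst` untouched, so the caller receives a shorter result with no indication that the `\=` expression's value was dropped; the measuring pass for the non-copy case (outside the hunk) presumably still counted the full length, so the two passes can now disagree about the output size. `STRLEN()` yields `size_t`, so if `destlen` is declared as a signed `int` (declared outside the hunk) a negative value is promoted and passes the check. Hoisting the length into a local handles that and avoids the second `STRLEN` on the next line: `size_t len = STRLEN(eval_result[nested]); if (destlen > 0 && len < (size_t)destlen)`. vim_regsub_both continues outside the hunk in both directions.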
diff --git a/src/testdir/crash/vim_regsub_both b/src/testdir/crash/vim_regsub_both
new file mode 100644 (file)
index 0000000..a82b205
--- /dev/null
@@ -0,0 +1,10 @@
+fu R()
+sil!norm0z=\17\18
+endf
+cal R()
+s/\%')/\=R()
+d
+no0 norm\1cyynore sm:vs0@vvvvvvvvvvse()dir(¼Xtest=csd{so88
+vs
+0scr
+so
index 0dea3c2cb1cba74647dd359fa5927f08bbf23f55..445fe8d5a725a131207c04c94acf60a1ecc0f97c 100644 (file)
@@ -6,7 +6,7 @@ CheckScreendump
 
 func Test_crash1()
   " The following used to crash Vim
-  let opts = #{wait_for_ruler: 0}
+  let opts = #{wait_for_ruler: 0, rows: 20}
   let args = ' -u NONE -i NONE -n -e -s -S '
   let buf = RunVimInTerminal(args .. ' crash/poc_huaf1', opts)
   call VerifyScreenDump(buf, 'Test_crash_01', {})
@@ -22,4 +22,13 @@ func Test_crash1()
 
 endfunc
 
+func Test_crash2()
+  " The following used to crash Vim
+  let opts = #{wait_for_ruler: 0, rows: 20}
+  let args = ' -u NONE -i NONE -n -e -s -S '
+  let buf = RunVimInTerminal(args .. ' crash/vim_regsub_both', opts)
+  call VerifyScreenDump(buf, 'Test_crash_01', {})
+  exe buf .. "bw!"
+endfunc
+
 " vim: shiftwidth=2 sts=2 expandtab
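Review bot: `Test_crash2` verifies against the same screendump name `Test_crash_01` that `Test_crash1` uses, so the two tests share a single expected screen; that only holds while both scripts leave the terminal in an identical state, and a mismatch can no longer be attributed to one test. A dedicated dump, `call VerifyScreenDump(buf, 'Test_crash_02', {})`, with its own reference file keeps the tests independent. The `rows: 20` added to `Test_crash1` in the first hunk presumably exists to keep both runs comparable against the shared dump; if so, a one-line comment saying that would save the next reader the guess.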
index c638a107e30f1b2beac321fca6b8d532c81063b3..b69c41068720435b04082b14e4e01245d878c128 100644 (file)
@@ -699,6 +699,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    1848,
 /**/
     1847,
 /**/