]> git.ipfire.org Git - thirdparty/vim.git/commitdiff
projects / thirdparty / vim.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: fc68299)
patch 9.0.1858: [security] heap use after free in ins_compl_get_exp() v9.0.1858
authorChristian Brabandt <cb@256bit.org>
Sun, 3 Sep 2023 19:24:33 +0000 (21:24 +0200)
committerChristian Brabandt <cb@256bit.org>
Sun, 3 Sep 2023 19:24:33 +0000 (21:24 +0200)
Problem:  heap use after free in ins_compl_get_exp()
Solution: validate buffer before accessing it

Signed-off-by: Christian Brabandt <cb@256bit.org>
src/insexpand.c patch | blob | blame | history
src/testdir/crash/poc_tagfunc.vim [new file with mode: 0644] patch | blob
src/testdir/test_crash.vim patch | blob | blame | history
src/version.c patch | blob | blame | history

diff --git a/src/insexpand.c b/src/insexpand.c
index 3cfdface4413370334eda0031607fab42ab30976..b767b4efddb01d025c97b28491031c2c6d709559 100644 (file)
--- a/src/insexpand.c
+++ b/src/insexpand.c
@@ -3850,7 +3850,7 @@ ins_compl_get_exp(pos_T *ini)
        else
        {
            // Mark a buffer scanned when it has been scanned completely
-           if (type == 0 || type == CTRL_X_PATH_PATTERNS)
+           if (buf_valid(st.ins_buf) && (type == 0 || type == CTRL_X_PATH_PATTERNS))
                st.ins_buf->b_scanned = TRUE;
 
            compl_started = FALSE;
diff --git a/src/testdir/crash/poc_tagfunc.vim b/src/testdir/crash/poc_tagfunc.vim
new file mode 100644 (file)
index 0000000..49d9b6f
--- /dev/null
+++ b/src/testdir/crash/poc_tagfunc.vim
@@ -0,0 +1,6 @@
+fu Tagfunc(t,f,o)
+  bw
+endf
+set tagfunc=Tagfunc
+n0
+sil0norm0i\10
diff --git a/src/testdir/test_crash.vim b/src/testdir/test_crash.vim
index 516d991939620d76c7a7b0ad5bcedbccfca17cb6..27bf7b55d46e1b377f36a387753de04777477021 100644 (file)
--- a/src/testdir/test_crash.vim
+++ b/src/testdir/test_crash.vim
@@ -39,12 +39,17 @@ func Test_crash1()
     \ '  && echo "crash 4: [OK]" >> X_crash1_result.txt' .. "\<cr>")
   " clean up
   call delete('Xerr')
-
   " This test takes a bit longer
   call TermWait(buf, 200)
 
+  let file = 'crash/poc_tagfunc.vim'
+  let args = printf(cmn_args, vim, file)
+  call term_sendkeys(buf, args ..
+    \ '  || echo "crash 5: [OK]" >> X_crash1_result.txt' .. "\<cr>")
+
+  call TermWait(buf, 100)
+
   " clean up
-  call delete('Xerr')
   exe buf .. "bw!"
 
   sp X_crash1_result.txt
@@ -54,6 +59,7 @@ func Test_crash1()
       \ 'crash 2: [OK]',
       \ 'crash 3: [OK]',
       \ 'crash 4: [OK]',
+      \ 'crash 5: [OK]',
       \ ]
 
   call assert_equal(expected, getline(1, '$'))
diff --git a/src/version.c b/src/version.c
index 13d5d695a69fc91f664526a725ce1fa3f55ca56f..b604b57f8b37c2a48a3a03e1168928b26f6a36a1 100644 (file)
--- a/src/version.c
+++ b/src/version.c
@@ -699,6 +699,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    1858,
 /**/
     1857,
 /**/
Mirror of https://github.com/vim/vim.git