patch 9.0.1873: [security] heap-buffer-overflow in vim_regsub_both v9.0.1873
authorChristian Brabandt <cb@256bit.org>
Tue, 5 Sep 2023 18:18:06 +0000 (20:18 +0200)
committerChristian Brabandt <cb@256bit.org>
Tue, 5 Sep 2023 18:18:06 +0000 (20:18 +0200)
Problem:  heap-buffer-overflow in vim_regsub_both
Solution: Disallow exchanging windows when textlock is active

Signed-off-by: Christian Brabandt <cb@256bit.org>
src/ex_cmds.c
src/testdir/crash/vim_regsub_both_poc [new file with mode: 0644]
src/testdir/test_crash.vim
src/version.c
src/window.c

index 4f1d93244f0218b1ae907ff309b00df9b832d642..566ed7dad32d0bb6749df002a93de0b69972de12 100644 (file)
@@ -4519,6 +4519,9 @@ ex_substitute(exarg_T *eap)
                {
                    nmatch = curbuf->b_ml.ml_line_count - sub_firstlnum + 1;
                    skip_match = TRUE;
+                   // safety check
+                   if (nmatch < 0)
+                       goto skip;
                }
 
                // Need room for:
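Review bot: The comment `// safety check` on the added `if (nmatch < 0) goto skip;` does not say what condition it guards, so a later reader cannot tell whether the branch is reachable or a dead defensive line. nmatch is computed from `ml_line_count - sub_firstlnum + 1`, so it goes negative only when sub_firstlnum already lies past the last buffer line, which presumably happens when the buffer shrank under the running substitution (the window-exchange path blocked in window.c being one such route). Suggest `// sub_firstlnum can be past the end of the buffer if the text changed under us; never let a negative count reach the sizing below`, with the root cause confirmed before wording it. ex_substitute and the `skip` label lie outside the hunk.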
diff --git a/src/testdir/crash/vim_regsub_both_poc b/src/testdir/crash/vim_regsub_both_poc
new file mode 100644 (file)
index 0000000..19a5711
Binary files /dev/null and b/src/testdir/crash/vim_regsub_both_poc differ
index e0884e5a058ee2211bdc9d00dabab7b5d55ba084..f7b528c3e98d7488084d47fdb1dc8a385bfee614 100644 (file)
@@ -46,6 +46,7 @@ func Test_crash1()
 
   let file = 'crash/poc_tagfunc.vim'
   let args = printf(cmn_args, vim, file)
+  " using || because this poc causes vim to exit with exitstatus != 0
   call term_sendkeys(buf, args ..
     \ '  || echo "crash 5: [OK]" >> X_crash1_result.txt' .. "\<cr>")
 
@@ -59,6 +60,13 @@ func Test_crash1()
   call delete('X')
   call TermWait(buf, 3000)
 
+  let file = 'crash/vim_regsub_both_poc'
+  let args = printf(cmn_args, vim, file)
+  " using || because this poc causes vim to exit with exitstatus != 0
+  call term_sendkeys(buf, args ..
+    \ '  && echo "crash 7: [OK]" >> X_crash1_result.txt' .. "\<cr>")
+  call TermWait(buf, 1000)
+
   " clean up
   exe buf .. "bw!"
 
@@ -71,6 +79,7 @@ func Test_crash1()
       \ 'crash 4: [OK]',
       \ 'crash 5: [OK]',
       \ 'crash 6: [OK]',
+      \ 'crash 7: [OK]',
       \ ]
 
   call assert_equal(expected, getline(1, '$'))
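Review bot: In the second hunk (@@ -59,6 +60,13), the comment `" using || because this poc causes vim to exit with exitstatus != 0` is copied from the crash-5 case, but the command line under it joins with `&&`, so the comment contradicts the code. If the intent is that Vim now exits cleanly on this poc once the window.c fix is in, change the comment to `" using && because with the fix vim exits normally on this poc`; if `||` was actually intended, the echo line should match the crash-5 form instead. Test_crash1 begins and ends outside the hunk.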
index a5e570e9314fde7c645051dac891b836c7522f30..2faa9e668ec6f3ae8c51389db65aaa14926ef34e 100644 (file)
@@ -699,6 +699,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    1873,
 /**/
     1872,
 /**/
index 1af2395df8b91c2ab0113479ea6c03396226591d..f77ede330d304ffbd0d65ef42e050ff1039da1e8 100644 (file)
@@ -1733,6 +1733,11 @@ win_exchange(long Prenum)
        beep_flush();
        return;
     }
+    if (text_or_buf_locked())
+    {
+       beep_flush();
+       return;
+    }
 
 #ifdef FEAT_GUI
     need_mouse_correct = TRUE;
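Review bot: The new `text_or_buf_locked()` guard in win_exchange carries no comment saying why a text lock must block a window exchange, even though it is the whole fix for the reported heap-buffer-overflow. Exchanging windows presumably swaps curwin and with it curbuf, so a command still iterating the old buffer's text (the :s path patched in ex_cmds.c, reached via an expression evaluated during the substitution) continues with stale line counts; suggest `// Exchanging windows changes curwin/curbuf; refuse while a command is operating on the buffer text (textlock), otherwise the caller keeps stale buffer state.` The extra `beep_flush()` may be redundant if text_or_buf_locked() already reports the lock with an error message, as its name suggests — confirm against its definition. win_exchange's body begins and continues outside the hunk.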