patch 9.0.1858: [security] heap use after free in ins_compl_get_exp() Commit: https://github.com/vim/vim/commit/ee9166eb3b41846661a39b662dc7ebe8b5e15139 Author: Christian Brabandt <c...@256bit.org> Date: Sun Sep 3 21:24:33 2023 +0200
patch 9.0.1858: [security] heap use after free in ins_compl_get_exp() Problem: heap use after free in ins_compl_get_exp() Solution: validate buffer before accessing it Signed-off-by: Christian Brabandt <c...@256bit.org> diff --git a/src/insexpand.c b/src/insexpand.c index 3cfdface4..b767b4efd 100644 --- a/src/insexpand.c +++ b/src/insexpand.c @@ -3850,7 +3850,7 @@ ins_compl_get_exp(pos_T *ini) else { // Mark a buffer scanned when it has been scanned completely - if (type == 0 || type == CTRL_X_PATH_PATTERNS) + if (buf_valid(st.ins_buf) && (type == 0 || type == CTRL_X_PATH_PATTERNS)) st.ins_buf->b_scanned = TRUE; compl_started = FALSE; diff --git a/src/testdir/crash/poc_tagfunc.vim b/src/testdir/crash/poc_tagfunc.vim new file mode 100644 index 000000000..49d9b6f71 --- /dev/null +++ b/src/testdir/crash/poc_tagfunc.vim @@ -0,0 +1,6 @@ +fu Tagfunc(t,f,o) + bw +endf +set tagfunc=Tagfunc +n0 +sil0norm0i diff --git a/src/testdir/test_crash.vim b/src/testdir/test_crash.vim index 516d99193..27bf7b55d 100644 --- a/src/testdir/test_crash.vim +++ b/src/testdir/test_crash.vim @@ -39,12 +39,17 @@ func Test_crash1() \ ' && echo "crash 4: [OK]" >> X_crash1_result.txt' .. "\<cr>") " clean up call delete('Xerr') - " This test takes a bit longer call TermWait(buf, 200) + let file = 'crash/poc_tagfunc.vim' + let args = printf(cmn_args, vim, file) + call term_sendkeys(buf, args .. + \ ' || echo "crash 5: [OK]" >> X_crash1_result.txt' .. "\<cr>") + + call TermWait(buf, 100) + " clean up - call delete('Xerr') exe buf .. "bw!" sp X_crash1_result.txt @@ -54,6 +59,7 @@ func Test_crash1() \ 'crash 2: [OK]', \ 'crash 3: [OK]', \ 'crash 4: [OK]', + \ 'crash 5: [OK]', \ ] call assert_equal(expected, getline(1, '$')) diff --git a/src/version.c b/src/version.c index 13d5d695a..b604b57f8 100644 --- a/src/version.c +++ b/src/version.c @@ -699,6 +699,8 @@ static char *(features[]) = static int included_patches[] = { /* Add new patch number below this line */ +/**/ + 1858, /**/ 1857, /**/ -- -- You received this message from the "vim_dev" maillist. Do not top-post! Type your reply below the text you are replying to. For more information, visit http://www.vim.org/maillist.php --- You received this message because you are subscribed to the Google Groups "vim_dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to vim_dev+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/vim_dev/E1qcsnL-00DueP-0s%40256bit.org.