patch 9.0.1848: [security] buffer-overflow in vim_regsub_both() Commit: https://github.com/vim/vim/commit/ced2c7394aafdc90fb7845e09b3a3fee23d48cb1 Author: Christian Brabandt <c...@256bit.org> Date: Sat Sep 2 21:15:52 2023 +0200
patch 9.0.1848: [security] buffer-overflow in vim_regsub_both() Problem: buffer-overflow in vim_regsub_both() Solution: Check remaining space Signed-off-by: Christian Brabandt <c...@256bit.org>
diff --git a/src/ex_cmds.c b/src/ex_cmds.c
index c30b6fddf..53c7bb5a3 100644
--- a/src/ex_cmds.c
+++ b/src/ex_cmds.c
@@ -4651,6 +4651,9 @@ ex_substitute(exarg_T *eap)
 mch_memmove(new_end, sub_firstline + copycol, (size_t)copy_len);
 new_end += copy_len;
+ if (new_start_len - copy_len < sublen)
+ sublen = new_start_len - copy_len - 1;
+
 #ifdef FEAT_EVAL
 ++textlock;
 #endif
diff --git a/src/regexp.c b/src/regexp.c
index 9c576c689..edd1293a5 100644
--- a/src/regexp.c
+++ b/src/regexp.c
@@ -2051,7 +2051,8 @@ vim_regsub_both(
 // "flags & REGSUB_COPY" != 0.
 if (copy)
 {
- if (eval_result[nested] != NULL)
+ if (eval_result[nested] != NULL &&
+ STRLEN(eval_result[nested]) < destlen)
 {
 STRCPY(dest, eval_result[nested]);
 dst += STRLEN(eval_result[nested]);
diff --git a/src/testdir/crash/vim_regsub_both b/src/testdir/crash/vim_regsub_both
new file mode 100644
index 000000000..a82b205c8
--- /dev/null
+++ b/src/testdir/crash/vim_regsub_both
@@ -0,0 +1,10 @@
+fu R()
+sil!norm0z=
+endf
+cal R()
+s/\%')/\=R()
+d
+no0 norm yynore sm:vs0@vvvvvvvvvvse()dir(¼Xtest=csd{so88
+vs
+0scr
+so
diff --git a/src/testdir/test_crash.vim b/src/testdir/test_crash.vim
index 0dea3c2cb..445fe8d5a 100644
--- a/src/testdir/test_crash.vim
+++ b/src/testdir/test_crash.vim
@@ -6,7 +6,7 @@ CheckScreendump
 func Test_crash1()
 " The following used to crash Vim
- let opts = #{wait_for_ruler: 0}
+ let opts = #{wait_for_ruler: 0, rows: 20}
 let args = ' -u NONE -i NONE -n -e -s -S '
 let buf = RunVimInTerminal(args .. ' crash/poc_huaf1', opts)
 call VerifyScreenDump(buf, 'Test_crash_01', {})
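Review bot: The clamp added after `new_end += copy_len;` measures the free space as `new_start_len - copy_len`, i.e. relative to the start of the buffer, while the write cursor is `new_end`, which the context lines show being advanced; if `new_end` already pointed past the buffer start before this copy (the rest of ex_substitute, including the buffer management, is outside the hunk), the clamp overstates the room and `sublen` can still exceed what is actually left for vim_regsub_both to write. Computing the remainder from the cursor avoids that: `size_t room = new_start_len - (size_t)(new_end - new_start);` followed by `if (room <= (size_t)sublen) sublen = (int)room - 1;` — this presumes `new_start` is the base pointer that pairs with `new_start_len`, which is not visible here. The declarations of `new_start_len`, `copy_len` and `sublen` are also outside the hunk; if `new_start_len` is unsigned and the other two are int, both the subtraction and the `<` comparison are done in unsigned arithmetic, so a negative `sublen` would pass the check unclamped. The silent truncation also deserves a comment, e.g. `// Never let the substitution overrun the buffer: shrink sublen to the room left, minus one for the NUL.`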
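Review bot: The new `STRLEN(eval_result[nested]) < destlen` guard silently drops the evaluated replacement when it does not fit — nothing is copied, `dst` is not advanced and no error is raised — which is a reasonable hardening choice but should be stated at the `if`, e.g. `// Drop an eval result that (with its NUL) does not fit in dest rather than truncating it.` `STRLEN(eval_result[nested])` is now computed twice on the copying path; hoisting it also lets the copy be bounded explicitly instead of relying on STRCPY: `size_t len = STRLEN(eval_result[nested]);` then `if (len < destlen) { mch_memmove(dest, eval_result[nested], len + 1); dst += len; }`. Whether the caller can detect that the result was dropped, and whether `eval_result[nested]` is still released when the guard rejects it, cannot be seen here: the `else` side of this `if` and the rest of vim_regsub_both lie outside the hunk.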
@@ -22,4 +22,13 @@ func Test_crash1()
 endfunc
+func Test_crash2()
+ " The following used to crash Vim
+ let opts = #{wait_for_ruler: 0, rows: 20}
+ let args = ' -u NONE -i NONE -n -e -s -S '
+ let buf = RunVimInTerminal(args .. ' crash/vim_regsub_both', opts)
+ call VerifyScreenDump(buf, 'Test_crash_01', {})
+ exe buf .. "bw!"
+endfunc
+
 " vim: shiftwidth=2 sts=2 expandtab
diff --git a/src/version.c b/src/version.c
index c638a107e..b69c41068 100644
--- a/src/version.c
+++ b/src/version.c
@@ -699,6 +699,8 @@ static char *(features[]) =
 static int included_patches[] =
 { /* Add new patch number below this line */
+/**/
+ 1848,
 /**/
 1847,
 /**/
-- -- You received this message from the "vim_dev" maillist. Do not top-post! Type your reply below the text you are replying to. For more information, visit http://www.vim.org/maillist.php --- You received this message because you are subscribed to the Google Groups "vim_dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to vim_dev+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/vim_dev/E1qcWYJ-00CSrT-IS%40256bit.org.