patch 9.1.0689: [security]: buffer-overflow in do_search() with 'rightleft'
Commit: https://github.com/vim/vim/commit/cacb6693c10bb19f28a50eca47bc4bc33eccbae3 Author: Christian Brabandt <c...@256bit.org> Date: Thu Aug 22 21:40:14 2024 +0200 patch 9.1.0689: [security]: buffer-overflow in do_search() with 'rightleft' Problem: buffer-overflow in do_search() with 'rightleft' (SuyueGuo) Solution: after reversing the text (which allocates a new buffer), re-calculate the text length Github Advisory: https://github.com/vim/vim/security/advisories/GHSA-v2x2-cjcg-f9jm Signed-off-by: Christian Brabandt <c...@256bit.org> diff --git a/src/search.c b/src/search.c index 01c143f69..e5936d829 100644 --- a/src/search.c +++ b/src/search.c @@ -1548,6 +1548,7 @@ do_search( { vim_free(msgbuf); msgbuf = r; + msgbuflen = STRLEN(msgbuf); // move reversed text to beginning of buffer while (*r != NUL && *r == ' ') r++; diff --git a/src/testdir/crash/reverse_text_overflow b/src/testdir/crash/reverse_text_overflow new file mode 100644 index 0000000000000000000000000000000000000000..dfbfe2c9a611aad20c444aec335a11c9edf0ebf6 GIT binary patch literal 314 zcmXry1p-aY9IoR33dPBssrhM)3jd2U^2_rLbqu9z|CVq9X)Xn>q(lXVCVhRb23)|N zE3bipfq^S8FSWQNHAN**Oib*hwwRbJkS^m&Fq~h|0JJ0(WXb<}1{SV*1~CP$;>?`X zyb{H{{G#0drFo_GIgB3FMmmNDaWN_XQ~rBYJLni10@*>;hB~?i!ayJmaxTx`NyVup zVVNKSeSKbiAYcHRm8wvb!v!>|;lBz<1~>S~o0AIkvu0X!ba6?tE+;2vU|=9;SyC>S iqZ`Z@Ko_Z~*g}AxN+1Ix1A~|V*fW{Ma)!JL!u0@x2~~;! literal 0 HcmV?d00001 diff --git a/src/testdir/test_crash.vim b/src/testdir/test_crash.vim index 800f3e5e6..302d3730b 100644 --- a/src/testdir/test_crash.vim +++ b/src/testdir/test_crash.vim @@ -150,6 +150,13 @@ func Test_crash1_2() \ ' ; echo "crash 4: [OK]" >> '.. result .. "\<cr>") call TermWait(buf, 150) + let file = 'crash/reverse_text_overflow' + let cmn_args = "%s -u NONE -i NONE -n -X -m -n -e -s -S %s -c ':qa!'" + let args = printf(cmn_args, vim, file) + call term_sendkeys(buf, args .. + \ ' ; echo "crash 5: [OK]" >> '.. result .. "\<cr>") + call TermWait(buf, 150) + " clean up exe buf .. "bw!" exe "sp " .. result @@ -158,6 +165,7 @@ func Test_crash1_2() \ 'crash 2: [OK]', \ 'crash 3: [OK]', \ 'crash 4: [OK]', + \ 'crash 5: [OK]', \ ] call assert_equal(expected, getline(1, '$')) @@ -201,6 +209,7 @@ func Test_crash1_3() let args = printf(cmn_args, vim, file) call term_sendkeys(buf, args) call TermWait(buf, 150) + call delete('Untitled') let file = 'crash/nullpointer' let cmn_args = "%s -u NONE -i NONE -n -e -s -S %s -c ':qa!'\<cr>" diff --git a/src/version.c b/src/version.c index e77ef0f4c..05ae6ca2a 100644 --- a/src/version.c +++ b/src/version.c @@ -704,6 +704,8 @@ static char *(features[]) = static int included_patches[] = { /* Add new patch number below this line */ +/**/ + 689, /**/ 688, /**/ -- -- You received this message from the "vim_dev" maillist. Do not top-post! Type your reply below the text you are replying to. For more information, visit http://www.vim.org/maillist.php --- You received this message because you are subscribed to the Google Groups "vim_dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to vim_dev+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/vim_dev/E1shED0-001PsC-Py%40256bit.org.