patch 9.1.0697: [security]: heap-buffer-overflow in ins_typebuf
Commit:
https://github.com/vim/vim/commit/322ba9108612bead5eb7731ccb66763dec69ef1b
Author: Christian Brabandt <[email protected]>
Date: Sun Aug 25 21:33:03 2024 +0200
patch 9.1.0697: [security]: heap-buffer-overflow in ins_typebuf
Problem: heap-buffer-overflow in ins_typebuf
(SuyueGuo)
Solution: When flushing the typeahead buffer, validate that there
is enough space left
Github Advisory:
https://github.com/vim/vim/security/advisories/GHSA-4ghr-c62x-cqfh
Signed-off-by: Christian Brabandt <[email protected]>
diff --git a/src/getchar.c b/src/getchar.c
index 29323fa32..96e180f4a 100644
--- a/src/getchar.c
+++ b/src/getchar.c
@@ -446,9 +446,18 @@ flush_buffers(flush_buffers_T flush_typeahead)
if (flush_typeahead == FLUSH_MINIMAL)
{
- // remove mapped characters at the start only
- typebuf.tb_off += typebuf.tb_maplen;
- typebuf.tb_len -= typebuf.tb_maplen;
+ // remove mapped characters at the start only,
+ // but only when enough space left in typebuf
+ if (typebuf.tb_off + typebuf.tb_maplen >= typebuf.tb_buflen)
+ {
+ typebuf.tb_off = MAXMAPLEN;
+ typebuf.tb_len = 0;
+ }
+ else
+ {
+ typebuf.tb_off += typebuf.tb_maplen;
+ typebuf.tb_len -= typebuf.tb_maplen;
+ }
#if defined(FEAT_CLIENTSERVER) || defined(FEAT_EVAL)
if (typebuf.tb_len == 0)
typebuf_was_filled = FALSE;
diff --git a/src/testdir/crash/heap_overflow3 b/src/testdir/crash/heap_overflow3
new file mode 100644
index
0000000000000000000000000000000000000000..c40adbec4d07a66bcc9aa51e40dbbb90fdc36623
GIT binary patch
literal 700
zcmZ{hO=}ZD7{@174?bQz$Wq8<gm_8Fn-(=~NE8jF#rP5`N;9UN%}kmlo7uWE2{zd^
zff_tk=uM~;^wx{Vo&-OEpoiZ2B_zkX&ZaLY;*WWGn0aRY&-}-{?D=qG`hmkNksw|*
zo6Nm9A6dQ)!g1TQHp`m6VcZOiXfA3P#3QVqt#gh|f@dy8^g@5Xe?mY&QGZPzgg5Xb
z2Gq^VhGp}DcP+f@G_9XqoMn!0M61_t&CSf^a<2_dbQlCd*<s3h>~blwYI0mDEj_I~
z#4Wyom4oY!P?qTMHvg-P`?`z?XefMGSG^v1AIK`kUr&%+VYMPErTK+N)J-JP>G^aT
zAZ{Y$4E~`YaRD~2pecm*%CU(Fe%tiJC@&{d=*n|%Iir2jcC<KOZ&P81)@3ZyrlPf|
z-rvC(5yW4~RVo!p3{gu>0(~G8oP(})q<t(%fMYq2S#KMmu*9j9S<RRv>g5n(t`-d4
zkb2NTN-_lOVrS`Y1Znh89(*pxrqJZ4dI$ffVRxx=12p{UwvU2fK<ye%2BS!gAO-->
zL=pVy065g2)SJ{@p<Qa(4NlgMnYelqpH0Gzn*^kz+u^_?o?s=`*98}gMH4{MU-vEm
zjI>g|BdnJlURZ#nqNaXvTnpKCo#R~9`EqA#^V7G{Xf)9MjP&=9<L#XY+J3jSIs9|=
PaCh&^{;u8|j}LwWP8A7n
literal 0
HcmV?d00001
diff --git a/src/testdir/test_crash.vim b/src/testdir/test_crash.vim
index f1843c426..5ec103f6d 100644
--- a/src/testdir/test_crash.vim
+++ b/src/testdir/test_crash.vim
@@ -216,6 +216,13 @@ func Test_crash1_3()
call term_sendkeys(buf, args)
call TermWait(buf, 50)
+ let file = 'crash/heap_overflow3'
+ let cmn_args = "%s -u NONE -i NONE -n -X -m -n -e -s -S %s -c ':qa!'"
+ let args = printf(cmn_args, vim, file)
+ call term_sendkeys(buf, args)
+ call TermWait(buf, 150)
+
+
" clean up
exe buf .. "bw!"
bw!
diff --git a/src/version.c b/src/version.c
index b07964e2d..7f88c8c68 100644
--- a/src/version.c
+++ b/src/version.c
@@ -704,6 +704,8 @@ static char *(features[]) =
static int included_patches[] =
{ /* Add new patch number below this line */
+/**/
+ 697,
/**/
696,
/**/
--
--
You received this message from the "vim_dev" maillist.
Do not top-post! Type your reply below the text you are replying to.
For more information, visit http://www.vim.org/maillist.php
---
You received this message because you are subscribed to the Google Groups
"vim_dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion on the web visit
https://groups.google.com/d/msgid/vim_dev/E1siJAe-007m8k-2a%40256bit.org.
