patch 9.1.1115: [security]: use-after-free in str_to_reg()
Commit:
https://github.com/vim/vim/commit/c0f0e2380e5954f4a52a131bf6b8499838ad1dae
Author: Christian Brabandt <[email protected]>
Date: Sun Feb 16 16:06:38 2025 +0100
patch 9.1.1115: [security]: use-after-free in str_to_reg()
Problem: [security]: use-after-free in str_to_reg()
(fizz-is-on-the-way)
Solution: when redirecting the :display command, check that one
does not output to the register being displayed
Github Advisory:
https://github.com/vim/vim/security/advisories/GHSA-63p5-mwg2-787v
Signed-off-by: Christian Brabandt <[email protected]>
diff --git a/src/register.c b/src/register.c
index 0df05054c..a9630f8ef 100644
--- a/src/register.c
+++ b/src/register.c
@@ -2420,7 +2420,8 @@ ex_display(exarg_T *eap)
#ifdef FEAT_EVAL
if (name == MB_TOLOWER(redir_reg)
- || (redir_reg == '"' && yb == y_previous))
+ || (vim_strchr((char_u *)"\"*+", redir_reg) != NULL &&
+ (yb == y_previous || yb == &y_regs[0])))
continue; // do not list register being written to, the
// pointer can be freed
#endif
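Review bot: The widened condition on the `vim_strchr((char_u *)"\"*+", redir_reg)` line encodes an aliasing rule that the trailing comment does not explain: it still says only that the pointer can be freed. I would add a comment above the `if`, for example `// '"', '*' and '+' may resolve to y_previous or y_regs[0] (presumably when the clipboard is unavailable), so redirecting into any of them can free the entry being listed`. The check also appears to rely on `vim_strchr()` returning NULL when `redir_reg` is NUL, which is presumably the case when no register redirection is active. Standard `strchr()` would match the terminator and hide the unnamed register from every `:display`, so that is worth confirming and noting. The guard is a list of known aliases at this one call site, and the rest of `ex_display()` lies outside the hunk, so I cannot tell whether other paths in the loop can reach the same freed buffer.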
diff --git a/src/testdir/test_registers.vim b/src/testdir/test_registers.vim
index 1177c2395..131270226 100644
--- a/src/testdir/test_registers.vim
+++ b/src/testdir/test_registers.vim
@@ -1102,4 +1102,24 @@ func Test_clipboard_regs_not_working2()
let $DISPLAY=display
endfunc
+" This caused use-after-free
+func Test_register_redir_display()
+ " don't touch the clipboard, so only perform this, when the clipboard is not
working
+ if has("clipboard_working")
+ throw "Skipped: skip touching the clipboard register!"
+ endif
+ let @"=''
+ redir @+>
+ disp +"
+ redir END
+ call assert_equal("
Type Name Content", getreg('+'))
+ let a = [getreg('1'), getregtype('1')]
+ let @1='register 1'
+ redir @+
+ disp 1
+ redir END
+ call assert_equal("register 1", getreg('1'))
+ call setreg(1, a[0], a[1])
+endfunc
+
" vim: shiftwidth=2 sts=2 expandtab
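Review bot: `Test_register_redir_display()` saves and restores only register 1, although it also overwrites `@"` (via `let @"=''`) and `@+` through both `redir` blocks, so later tests in the file inherit changed register state. Saving them the same way, e.g. `let b = [getreg('"'), getregtype('"')]` at the top and `call setreg('"', b[0], b[1])` at the end, would keep the test self-contained. The assertions check only the resulting register contents, so the use-after-free is probably caught reliably only when the suite runs under a memory checker. A short comment saying so would help whoever reads a passing run on a plain build. The test also skips when `clipboard_working` is set, which leaves the new `"*+` branch unexercised on clipboard-enabled builds.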
diff --git a/src/version.c b/src/version.c
index deff16333..0c85695b9 100644
--- a/src/version.c
+++ b/src/version.c
@@ -704,6 +704,8 @@ static char *(features[]) =
static int included_patches[] =
{ /* Add new patch number below this line */
+/**/
+ 1115,
/**/
1114,
/**/
--