summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorChristian Brabandt <cb@256bit.org>2023-09-02 21:15:52 +0200
committerChristian Brabandt <cb@256bit.org>2023-09-02 21:37:04 +0200
commitced2c7394aafdc90fb7845e09b3a3fee23d48cb1 (patch)
tree9576ca9f0aa1d127ed8d06821375b6d2de50fd5a
parent889f6af37164775192e33b233a90e86fd3df0f57 (diff)
patch 9.0.1848: [security] buffer-overflow in vim_regsub_both()v9.0.1848
Problem: buffer-overflow in vim_regsub_both() Solution: Check remaining space Signed-off-by: Christian Brabandt <cb@256bit.org>
Diffstat
-rw-r--r--src/ex_cmds.c3
-rw-r--r--src/regexp.c3
-rw-r--r--src/testdir/crash/vim_regsub_both10
-rw-r--r--src/testdir/test_crash.vim11
-rw-r--r--src/version.c2
5 files changed, 27 insertions, 2 deletions
diff --git a/src/ex_cmds.c b/src/ex_cmds.c
index c30b6fddf2..53c7bb5a37 100644
--- a/src/ex_cmds.c
+++ b/src/ex_cmds.c
@@ -4651,6 +4651,9 @@ ex_substitute(exarg_T *eap)
mch_memmove(new_end, sub_firstline + copycol, (size_t)copy_len);
new_end += copy_len;
+ if (new_start_len - copy_len < sublen)
+ sublen = new_start_len - copy_len - 1;
+
#ifdef FEAT_EVAL
++textlock;
#endif
diff --git a/src/regexp.c b/src/regexp.c
index 9c576c6893..edd1293a53 100644
--- a/src/regexp.c
+++ b/src/regexp.c
@@ -2051,7 +2051,8 @@ vim_regsub_both(
// "flags & REGSUB_COPY" != 0.
if (copy)
{
- if (eval_result[nested] != NULL)
+ if (eval_result[nested] != NULL &&
+ STRLEN(eval_result[nested]) < destlen)
{
STRCPY(dest, eval_result[nested]);
dst += STRLEN(eval_result[nested]);
diff --git a/src/testdir/crash/vim_regsub_both b/src/testdir/crash/vim_regsub_both
new file mode 100644
index 0000000000..a82b205c8f
--- /dev/null
+++ b/src/testdir/crash/vim_regsub_both
@@ -0,0 +1,10 @@
+fu R()
+sil!norm0z=
+endf
+cal R()
+s/\%')/\=R()
+d
+no0 normyynore sm:vs0@vvvvvvvvvvse()dir(¼Xtest=csd{so88
+vs
+0scr
+so
diff --git a/src/testdir/test_crash.vim b/src/testdir/test_crash.vim
index 0dea3c2cb1..445fe8d5a7 100644
--- a/src/testdir/test_crash.vim
+++ b/src/testdir/test_crash.vim
@@ -6,7 +6,7 @@ CheckScreendump
func Test_crash1()
" The following used to crash Vim
- let opts = #{wait_for_ruler: 0}
+ let opts = #{wait_for_ruler: 0, rows: 20}
let args = ' -u NONE -i NONE -n -e -s -S '
let buf = RunVimInTerminal(args .. ' crash/poc_huaf1', opts)
call VerifyScreenDump(buf, 'Test_crash_01', {})
@@ -22,4 +22,13 @@ func Test_crash1()
endfunc
+func Test_crash2()
+ " The following used to crash Vim
+ let opts = #{wait_for_ruler: 0, rows: 20}
+ let args = ' -u NONE -i NONE -n -e -s -S '
+ let buf = RunVimInTerminal(args .. ' crash/vim_regsub_both', opts)
+ call VerifyScreenDump(buf, 'Test_crash_01', {})
+ exe buf .. "bw!"
+endfunc
+
" vim: shiftwidth=2 sts=2 expandtab
diff --git a/src/version.c b/src/version.c
index c638a107e3..b69c410687 100644
--- a/src/version.c
+++ b/src/version.c
@@ -700,6 +700,8 @@ static char *(features[]) =
static int included_patches[] =
{ /* Add new patch number below this line */
/**/
+ 1848,
+/**/
1847,
/**/
1846,
generated by cgit v1.2.3 (git 2.25.1) at 2024-08-02 15:20:24 +0000