diff options
| author | zeertzjq <zeertzjq@outlook.com> | 2024-04-02 19:01:14 +0200 |
|---|---|---|
| committer | Christian Brabandt <cb@256bit.org> | 2024-04-02 19:01:14 +0200 |
| commit | 0a419e07a705675ac159218f42c1daa151d2ceea (patch) | |
| tree | 43c75a9a601261ce0ffbf07062e6e07baa2b57f9 | |
| parent | 6c9f4f98f1cda3793406724a260cd651210a5d0d (diff) | |
patch 9.1.0254: [security]: Heap buffer overflow when calling complete_add() in 'cfu'v9.1.0254
Problem: [security]: Heap buffer overflow when calling complete_add()
in the first call of 'completefunc'
Solution: Call check_cursor() after calling 'completefunc' (zeertzjq)
closes: #14391
Signed-off-by: zeertzjq <zeertzjq@outlook.com>
Signed-off-by: Christian Brabandt <cb@256bit.org>
| -rw-r--r-- | src/insexpand.c | 2 | ||||
| -rw-r--r-- | src/testdir/test_ins_complete.vim | 22 | ||||
| -rw-r--r-- | src/version.c | 2 |
3 files changed, 26 insertions, 0 deletions
diff --git a/src/insexpand.c b/src/insexpand.c index 9b5e5de64c..93a56a8bd3 100644 --- a/src/insexpand.c +++ b/src/insexpand.c @@ -2741,6 +2741,7 @@ expand_by_function(int type, char_u *base) --textlock; curwin->w_cursor = pos; // restore the cursor position + check_cursor(); // make sure cursor position is valid, just in case validate_cursor(); if (!EQUAL_POS(curwin->w_cursor, pos)) { @@ -4606,6 +4607,7 @@ get_userdefined_compl_info(colnr_T curs_col UNUSED) State = save_State; curwin->w_cursor = pos; // restore the cursor position + check_cursor(); // make sure cursor position is valid, just in case validate_cursor(); if (!EQUAL_POS(curwin->w_cursor, pos)) { diff --git a/src/testdir/test_ins_complete.vim b/src/testdir/test_ins_complete.vim index 376d82ff55..eb89a15c53 100644 --- a/src/testdir/test_ins_complete.vim +++ b/src/testdir/test_ins_complete.vim @@ -2429,4 +2429,26 @@ func Test_complete_changed_complete_info() call StopVimInTerminal(buf) endfunc +func Test_completefunc_first_call_complete_add() + new + + func Complete(findstart, base) abort + if a:findstart + let col = col('.') + call complete_add('#') + return col - 1 + else + return [] + endif + endfunc + + set completeopt=longest completefunc=Complete + " This used to cause heap-buffer-overflow + call assert_fails('call feedkeys("ifoo#\<C-X>\<C-U>", "xt")', 'E840:') + + delfunc Complete + set completeopt& completefunc& + bwipe! +endfunc + " vim: shiftwidth=2 sts=2 expandtab nofoldenable diff --git a/src/version.c b/src/version.c index 4c7ab84362..abb028b6dc 100644 --- a/src/version.c +++ b/src/version.c @@ -705,6 +705,8 @@ static char *(features[]) = static int included_patches[] = { /* Add new patch number below this line */ /**/ + 254, +/**/ 253, /**/ 252, |