authorChristian Brabandt <cb@256bit.org>2023-09-05 20:18:06 +0200
committerChristian Brabandt <cb@256bit.org>2023-09-05 20:18:06 +0200
commitf6d28fe2c95c678cc3202cc5dc825a3fcc709e93 (patch)
treea0acea7e99632dae8fd280bdadf932fc59435b2b
parentd2a08ba0fa4a25f31cee9d9f33b0aa8237227387 (diff)
patch 9.0.1873: [security] heap-buffer-overflow in vim_regsub_bothv9.0.1873
Problem: heap-buffer-overflow in vim_regsub_both Solution: Disallow exchanging windows when textlock is active Signed-off-by: Christian Brabandt <cb@256bit.org>
-rw-r--r--src/ex_cmds.c3
-rw-r--r--src/testdir/crash/vim_regsub_both_pocbin0 -> 244 bytes
-rw-r--r--src/testdir/test_crash.vim9
-rw-r--r--src/version.c2
-rw-r--r--src/window.c5
5 files changed, 19 insertions, 0 deletions
diff --git a/src/ex_cmds.c b/src/ex_cmds.c
index 4f1d93244f..566ed7dad3 100644
--- a/src/ex_cmds.c
+++ b/src/ex_cmds.c
@@ -4519,6 +4519,9 @@ ex_substitute(exarg_T *eap)
{
nmatch = curbuf->b_ml.ml_line_count - sub_firstlnum + 1;
skip_match = TRUE;
+ // safety check
+ if (nmatch < 0)
+ goto skip;
}
// Need room for:
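Review bot: The `// safety check` comment on the new guard does not say what it guards against. From the assignment above it, `nmatch` goes negative only when `sub_firstlnum` is more than one line past `curbuf->b_ml.ml_line_count`, presumably because the buffer changed while the substitute was running; a comment such as `// sub_firstlnum is past the last line (buffer changed during the substitute), nothing left to match` would record that. A result of 0 also means `sub_firstlnum` is already past the last line, and whether the code after the hunk tolerates a zero count is not visible here, so either use `if (nmatch <= 0)` or note why zero is safe. The enclosing code in ex_substitute() and the `skip` label are outside the hunk.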
diff --git a/src/testdir/crash/vim_regsub_both_poc b/src/testdir/crash/vim_regsub_both_poc
new file mode 100644
index 0000000000..19a57114be
--- /dev/null
+++ b/src/testdir/crash/vim_regsub_both_poc
Binary files differ
diff --git a/src/testdir/test_crash.vim b/src/testdir/test_crash.vim
index e0884e5a05..f7b528c3e9 100644
--- a/src/testdir/test_crash.vim
+++ b/src/testdir/test_crash.vim
@@ -46,6 +46,7 @@ func Test_crash1()
let file = 'crash/poc_tagfunc.vim'
let args = printf(cmn_args, vim, file)
+ " using || because this poc causes vim to exit with exitstatus != 0
call term_sendkeys(buf, args ..
\ ' || echo "crash 5: [OK]" >> X_crash1_result.txt' .. "\<cr>")
@@ -59,6 +60,13 @@ func Test_crash1()
call delete('X')
call TermWait(buf, 3000)
+ let file = 'crash/vim_regsub_both_poc'
+ let args = printf(cmn_args, vim, file)
+ " using || because this poc causes vim to exit with exitstatus != 0
+ call term_sendkeys(buf, args ..
+ \ ' && echo "crash 7: [OK]" >> X_crash1_result.txt' .. "\<cr>")
+ call TermWait(buf, 1000)
+
" clean up
exe buf .. "bw!"
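Review bot: The comment added above the crash 7 command says `||` is used because the PoC makes vim exit with a non-zero status, but the command that follows chains with `&&`, so `crash 7: [OK]` is written only when vim exits with status 0. The comment looks copied from the crash 5 case and should describe this case instead, e.g. `" using && because vim is expected to exit normally once the overflow is fixed`. An exit status alone may not reveal an out-of-bounds heap access in a build without a sanitizer, so it may be worth noting in the comment which build the check relies on; how the test is run is not visible here. Test_crash1() begins and ends outside the hunk.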
@@ -71,6 +79,7 @@ func Test_crash1()
\ 'crash 4: [OK]',
\ 'crash 5: [OK]',
\ 'crash 6: [OK]',
+ \ 'crash 7: [OK]',
\ ]
call assert_equal(expected, getline(1, '$'))
diff --git a/src/version.c b/src/version.c
index a5e570e931..2faa9e668e 100644
--- a/src/version.c
+++ b/src/version.c
@@ -700,6 +700,8 @@ static char *(features[]) =
static int included_patches[] =
{ /* Add new patch number below this line */
/**/
+ 1873,
+/**/
1872,
/**/
1871,
diff --git a/src/window.c b/src/window.c
index 1af2395df8..f77ede330d 100644
--- a/src/window.c
+++ b/src/window.c
@@ -1733,6 +1733,11 @@ win_exchange(long Prenum)
beep_flush();
return;
}
+ if (text_or_buf_locked())
+ {
+ beep_flush();
+ return;
+ }
#ifdef FEAT_GUI
need_mouse_correct = TRUE;
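Review bot: The new `text_or_buf_locked()` guard in win_exchange() has no comment saying why exchanging windows must be refused while the text is locked; the link to the overflow in vim_regsub_both exists only in the commit message. A short comment such as `// exchanging windows changes curwin/curbuf, which code running under the text lock relies on` would keep that reasoning next to the check; the wording is inferred from the commit description and should be confirmed. Whether `text_or_buf_locked()` already reports an error is not visible here; if it does, the extra `beep_flush()` may be redundant. Other window-rearranging commands in window.c are outside this hunk, so it is worth checking whether they need the same guard. win_exchange() begins and ends outside the hunk.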