diff options
author | Christian Brabandt <cb@256bit.org> | 2023-11-29 10:23:39 +0100 |
---|---|---|
committer | Christian Brabandt <cb@256bit.org> | 2023-12-01 18:58:50 +0100 |
commit | 0fb375aae608d7306b4baf9c1f906961f32e2abf (patch) | |
tree | 10a990e59a5b11b65536b3ad9a482e0a26a9d584 /src/testdir | |
parent | eec0c2b3a4cfab93dd8d4adaa60638d47a2bbc8a (diff) |
patch 9.0.2141: [security]: buffer-overflow in suggest_trie_walkv9.0.2141
Problem: [security]: buffer-overflow in suggest_trie_walk
Solution: Check n before using it as index into byts array
Basically, n as an index into the byts array, can point to beyond the byts
array. So let's double check, that n is within the expected range after
incrementing it from sp->ts_curi and bail out if it would be invalid.
Reported by @henices, thanks!
Signed-off-by: Christian Brabandt <cb@256bit.org>
Diffstat (limited to 'src/testdir')
-rw-r--r-- | src/testdir/crash/poc_suggest_trie_walk | bin | 0 -> 100 bytes | |||
-rw-r--r-- | src/testdir/test_crash.vim | 8 |
2 files changed, 8 insertions, 0 deletions
diff --git a/src/testdir/crash/poc_suggest_trie_walk b/src/testdir/crash/poc_suggest_trie_walk Binary files differnew file mode 100644 index 0000000000..c79b6eeb5c --- /dev/null +++ b/src/testdir/crash/poc_suggest_trie_walk diff --git a/src/testdir/test_crash.vim b/src/testdir/test_crash.vim index 11c5f4e014..eef1731454 100644 --- a/src/testdir/test_crash.vim +++ b/src/testdir/test_crash.vim @@ -135,6 +135,13 @@ func Test_crash1_2() \ ' && echo "crash 2: [OK]" >> '.. result .. "\<cr>") call TermWait(buf, 350) + let file = 'crash/poc_suggest_trie_walk' + let cmn_args = "%s -u NONE -i NONE -n -e -s -S %s -c ':qa!'" + let args = printf(cmn_args, vim, file) + call term_sendkeys(buf, args .. + \ ' && echo "crash 3: [OK]" >> '.. result .. "\<cr>") + call TermWait(buf, 150) + " clean up exe buf .. "bw!" @@ -143,6 +150,7 @@ func Test_crash1_2() let expected = [ \ 'crash 1: [OK]', \ 'crash 2: [OK]', + \ 'crash 3: [OK]', \ ] call assert_equal(expected, getline(1, '$')) |