| author | Jan Edmund Lazo <janedmundlazo@hotmail.com> | 2026-01-15 00:35:21 -0500 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2026-01-15 13:35:21 +0800 |
| commit | 50423942418bbf6019fdd30d7d8779ddcaee2b2d (patch) | |
| tree | 226af663cc066d6ac027ba5e6ce094431791ef21 | |
| parent | 86c939ba91e97f0364bf5ba877a0fb4f45309c35 (diff) | |
vim-patch:9.1.0697: [security]: heap-buffer-overflow in ins_typebuf (#37372)
Problem: heap-buffer-overflow in ins_typebuf
(SuyueGuo)
Solution: When flushing the typeahead buffer, validate that there
is enough space left
Github Advisory:
https://github.com/vim/vim/security/advisories/GHSA-4ghr-c62x-cqfh
https://github.com/vim/vim/commit/322ba9108612bead5eb7731ccb66763dec69ef1b
Co-authored-by: Christian Brabandt <cb@256bit.org>
| -rw-r--r-- | scripts/vim_na_files.txt | 1 | ||||
| -rw-r--r-- | src/nvim/getchar.c | 12 | ||||
| -rw-r--r-- | test/old/testdir/test_crash.vim | 7 |
3 files changed, 17 insertions, 3 deletions
diff --git a/scripts/vim_na_files.txt b/scripts/vim_na_files.txt
index 70d7cefcc3..5e0ef395fd 100644
--- a/scripts/vim_na_files.txt
+++ b/scripts/vim_na_files.txt
@@ -83,6 +83,7 @@ src/terminal.c
 src/termlib.c
 src/testdir/Make_amiga.mak
 src/testdir/Make_dos.mak
+src/testdir/crash/heap_overflow3
 src/testdir/keycode_check.vim
 src/testdir/lsan-suppress.txt
 src/testdir/samples/crypt_sodium_invalid.txt
diff --git a/src/nvim/getchar.c b/src/nvim/getchar.c
index 36a47ae036..e824d1fcc1 100644
--- a/src/nvim/getchar.c
+++ b/src/nvim/getchar.c
@@ -449,9 +449,15 @@ void flush_buffers(flush_buffers_T flush_typeahead)
   while (read_readbuffers(true) != NUL) {}
   if (flush_typeahead == FLUSH_MINIMAL) {
-    // remove mapped characters at the start only
-    typebuf.tb_off += typebuf.tb_maplen;
-    typebuf.tb_len -= typebuf.tb_maplen;
+    // remove mapped characters at the start only,
+    // but only when enough space left in typebuf
+    if (typebuf.tb_off + typebuf.tb_maplen >= typebuf.tb_buflen) {
+      typebuf.tb_off = MAXMAPLEN;
+      typebuf.tb_len = 0;
+    } else {
+      typebuf.tb_off += typebuf.tb_maplen;
+      typebuf.tb_len -= typebuf.tb_maplen;
+    }
   } else {
     // remove typeahead
     if (flush_typeahead == FLUSH_INPUT) {
diff --git a/test/old/testdir/test_crash.vim b/test/old/testdir/test_crash.vim
index 47fc9740a6..80b0d3f722 100644
--- a/test/old/testdir/test_crash.vim
+++ b/test/old/testdir/test_crash.vim
@@ -220,6 +220,13 @@ func Test_crash1_3()
   call term_sendkeys(buf, args)
   call TermWait(buf, 150)
+  let file = 'crash/heap_overflow3'
+  let cmn_args = "%s -u NONE -i NONE -n -X -m -n -e -s -S %s -c ':qa!'"
+  let args = printf(cmn_args, vim, file)
+  call term_sendkeys(buf, args)
+  call TermWait(buf, 150)
+
+  " clean up
   exe buf .. "bw!"
   bw!
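Review bot: The new fallback branch in flush_buffers() (`tb_off = MAXMAPLEN; tb_len = 0;`) discards the whole typeahead buffer, not just the mapped prefix that FLUSH_MINIMAL promises to drop, and the comment "but only when enough space left in typebuf" does not say so. A reader of the FLUSH_MINIMAL contract should see that this is a deliberate fail-safe: `// tb_off + tb_maplen would run past the end of the buffer; the typeahead is` / `// inconsistent, so drop all of it rather than index out of bounds.` The guard also keeps tb_off in range but does not cover tb_maplen exceeding tb_len, which would still make tb_len wrap in the else branch; whether that is reachable I cannot tell from this hunk, so an `assert(typebuf.tb_maplen <= typebuf.tb_len);` before the subtraction would document the expectation and fail loudly under the sanitizer build this fix was found with. The rest of flush_buffers() continues outside the hunk.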
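Review bot: The new Test_crash1_3 step only proves that running the fixture did not crash, so if `crash/heap_overflow3` is not present under test/old/testdir (this commit adds it to scripts/vim_na_files.txt but the diffstat shows no fixture file being added), `-S` simply reports a missing script and the test passes without ever exercising ins_typebuf. Guarding the step with `call assert_true(filereadable(file), 'missing crash fixture ' .. file)` before the `term_sendkeys` call would make the regression test fail instead of silently skipping. I cannot confirm from this hunk where the fixture lives relative to the test's working directory, so the exact path may need adjusting.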
