patch 9.1.0254: [security]: Heap buffer overflow when calling complete_add() in 
'cfu'

Commit: 
https://github.com/vim/vim/commit/0a419e07a705675ac159218f42c1daa151d2ceea
Author: zeertzjq <zeert...@outlook.com>
Date:   Tue Apr 2 19:01:14 2024 +0200

    patch 9.1.0254: [security]: Heap buffer overflow when calling 
complete_add() in 'cfu'
    
    Problem:  [security]: Heap buffer overflow when calling complete_add()
              in the first call of 'completefunc'
    Solution: Call check_cursor() after calling 'completefunc' (zeertzjq)
    
    closes: #14391
    
    Signed-off-by: zeertzjq <zeert...@outlook.com>
    Signed-off-by: Christian Brabandt <c...@256bit.org>

diff --git a/src/insexpand.c b/src/insexpand.c
index 9b5e5de64..93a56a8bd 100644
--- a/src/insexpand.c
+++ b/src/insexpand.c
@@ -2741,6 +2741,7 @@ expand_by_function(int type, char_u *base)
     --textlock;
 
     curwin->w_cursor = pos;    // restore the cursor position
+    check_cursor();  // make sure cursor position is valid, just in case
     validate_cursor();
     if (!EQUAL_POS(curwin->w_cursor, pos))
     {
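Review bot: The comment on the added `check_cursor()` line, `// make sure cursor position is valid, just in case`, reads as a speculative guard, but per the commit description this call is the fix for a heap buffer overflow: `complete_add()` called from the first ('findstart') invocation of 'completefunc' can change the buffer so that the saved `pos` is no longer a valid position when it is written back to `curwin->w_cursor` two lines above. Suggest saying so: `// 'completefunc' may have changed the buffer (e.g. complete_add() in the findstart call), so "pos" may no longer be valid; clamp before validate_cursor()`. Clamping only `curwin->w_cursor` while leaving `pos` untouched also means the `EQUAL_POS` check that follows will notice the adjustment and take its error branch, which appears to be what the new test's `E840:` expectation relies on; that branch's body is outside the hunk. The same line and comment are added in the `get_userdefined_compl_info` hunk below and would benefit from the same wording. `expand_by_function` begins outside the hunk.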
@@ -4606,6 +4607,7 @@ get_userdefined_compl_info(colnr_T curs_col UNUSED)
 
     State = save_State;
     curwin->w_cursor = pos;    // restore the cursor position
+    check_cursor();  // make sure cursor position is valid, just in case
     validate_cursor();
     if (!EQUAL_POS(curwin->w_cursor, pos))
     {
diff --git a/src/testdir/test_ins_complete.vim 
b/src/testdir/test_ins_complete.vim
index 376d82ff5..eb89a15c5 100644
--- a/src/testdir/test_ins_complete.vim
+++ b/src/testdir/test_ins_complete.vim
@@ -2429,4 +2429,26 @@ func Test_complete_changed_complete_info()
   call StopVimInTerminal(buf)
 endfunc
 
+func Test_completefunc_first_call_complete_add()
+  new
+
+  func Complete(findstart, base) abort
+    if a:findstart
+      let col = col('.')
+      call complete_add('#')
+      return col - 1
+    else
+      return []
+    endif
+  endfunc
+
+  set completeopt=longest completefunc=Complete
+  " This used to cause heap-buffer-overflow
+  call assert_fails('call feedkeys("ifoo#\<C-X>\<C-U>", "xt")', 'E840:')
+
+  delfunc Complete
+  set completeopt& completefunc&
+  bwipe!
+endfunc
+
 " vim: shiftwidth=2 sts=2 expandtab nofoldenable
diff --git a/src/version.c b/src/version.c
index 4c7ab8436..abb028b6d 100644
--- a/src/version.c
+++ b/src/version.c
@@ -704,6 +704,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    254,
 /**/
     253,
 /**/
