patch 9.1.1003: [security]: heap-buffer-overflow with visual mode Commit: https://github.com/vim/vim/commit/c9a1e257f1630a0866447e53a564f7ff96a80ead Author: Christian Brabandt <c...@256bit.org> Date: Sat Jan 11 15:25:00 2025 +0100
patch 9.1.1003: [security]: heap-buffer-overflow with visual mode Problem: [security]: heap-buffer-overflow with visual mode when using :all, causing Vim trying to access beyond end-of-line (gandalf) Solution: Reset visual mode on :all, validate position in gchar_pos() and charwise_block_prep() This fixes CVE-2025-22134 Github Advisory: https://github.com/vim/vim/security/advisories/GHSA-5rgf-26wj-48v8 Co-authored-by: zeertzjq <zeert...@outlook.com> Signed-off-by: Christian Brabandt <c...@256bit.org>
diff --git a/src/arglist.c b/src/arglist.c
index 8825c8e25..4eec079df 100644
--- a/src/arglist.c
+++ b/src/arglist.c
@@ -1258,6 +1258,10 @@ do_arg_all(
 tabpage_T *new_lu_tp = curtab;
+ // Stop Visual mode, the cursor and "VIsual" may very well be invalid after
+ // switching to another buffer.
+ reset_VIsual_and_resel();
+
 // Try closing all windows that are not in the argument list.
 // Also close windows that are not full width;
 // When 'hidden' or "forceit" set the buffer becomes hidden.
diff --git a/src/misc1.c b/src/misc1.c
index 90cf91474..142a6161e 100644
--- a/src/misc1.c
+++ b/src/misc1.c
@@ -543,11 +543,15 @@ plines_m_win(win_T *wp, linenr_T first, linenr_T last, int max)
 gchar_pos(pos_T *pos)
 {
 char_u *ptr;
+ int ptrlen;
 // When searching columns is sometimes put at the end of a line.
 if (pos->col == MAXCOL)
 return NUL;
+ ptrlen = ml_get_len(pos->lnum);
 ptr = ml_get_pos(pos);
+ if (pos->col > ptrlen)
+ return NUL;
 if (has_mbyte)
 return (*mb_ptr2char)(ptr);
 return (int)*ptr;
diff --git a/src/ops.c b/src/ops.c
index a75efab59..9efef383d 100644
--- a/src/ops.c
+++ b/src/ops.c
@@ -2586,6 +2586,7 @@ charwise_block_prep(
 colnr_T startcol = 0, endcol = MAXCOL;
 colnr_T cs, ce;
 char_u *p;
+ int plen = ml_get_len(lnum);
 p = ml_get(lnum);
 bdp->startspaces = 0;
@@ -2646,7 +2647,7 @@ charwise_block_prep(
 else
 bdp->textlen = endcol - startcol + inclusive;
 bdp->textcol = startcol;
- bdp->textstart = p + startcol;
+ bdp->textstart = startcol <= plen ? p + startcol : p;
 }
 /*
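Review bot: In gchar_pos() the new bounds check runs only after `ptr = ml_get_pos(pos);` has already been evaluated, so a column past the end of the line still yields a pointer beyond the line buffer before it is rejected; if ml_get_pos() forms `line + pos->col` (its body is not visible here), that pointer arithmetic is itself out of bounds even though the result is never dereferenced. Move the check ahead of the call: `ptrlen = ml_get_len(pos->lnum);` then `if (pos->col > ptrlen) return NUL;` and only then `ptr = ml_get_pos(pos);`. The `>` comparison still accepts `pos->col == ptrlen`, which then reads the terminating NUL through `*ptr` and gives the same NUL result, so that boundary is handled. The function's return-type line is above the hunk.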
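Review bot: In charwise_block_prep() the second hunk clamps only `bdp->textstart`, while `bdp->textcol` and `bdp->textlen` on the lines just above it are still derived from the unclamped `startcol`; when startcol > plen the descriptor now points at the start of the line but carries a textcol and textlen that belong to a column past its end, and a consumer that reads textlen bytes from textstart could still run off the line (the callers are not visible, so this is inferred). Consider keeping the fields consistent, e.g. `if (startcol > plen) bdp->textlen = 0;` beside the textstart assignment, or clamping startcol to plen before textlen is computed. In the first hunk `plen` is initialized in the declaration list while `p` is assigned a few lines later; fetching `ml_get_len(lnum)` next to `ml_get(lnum)` would make the pointer/length pairing obvious to a reader. charwise_block_prep() begins before the first hunk, and the `if` branch that pairs with the visible `else` lies outside the second.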
diff --git a/src/testdir/test_visual.vim b/src/testdir/test_visual.vim
index 0be73ecc1..03335a464 100644
--- a/src/testdir/test_visual.vim
+++ b/src/testdir/test_visual.vim
@@ -470,7 +470,7 @@ func Test_Visual_Block()
 \ " {",
 \ " }"], getline(1, '$'))
- close!
+ bw!
 endfunc
 " Test for 'p'ut in visual block mode
@@ -1080,7 +1080,7 @@ func Test_star_register()
 delmarks < >
 call assert_fails('*yank', 'E20:')
- close!
+ bw!
 endfunc
 " Test for changing text in visual mode with 'exclusive' selection
@@ -1096,7 +1096,7 @@ func Test_exclusive_selection()
 call assert_equal('l one', getline(1))
 set virtualedit&
 set selection&
- close!
+ bw!
 endfunc
 " Test for starting linewise visual with a count.
@@ -1153,7 +1153,7 @@ func Test_visual_inner_block()
 8,9d
 call cursor(5, 1)
 call assert_beeps('normal ViBiB')
- close!
+ bw!
 endfunc
 func Test_visual_put_in_block()
@@ -2760,4 +2760,22 @@ func Test_visual_block_exclusive_selection_adjusted()
 set selection&vim
 endfunc
+" the following caused a Heap-Overflow, because Vim was accessing outside of a
+" line end
+func Test_visual_pos_buffer_heap_overflow()
+ set virtualedit=all
+ args Xa Xb
+ all
+ call setline(1, ['', '', ''])
+ call cursor(3, 1)
+ wincmd w
+ call setline(1, 'foobar')
+ normal! $lv0
+ all
+ call setreg('"', 'baz')
+ normal! [P
+ set virtualedit=
+ bw! Xa Xb
+endfunc
+
 " vim: shiftwidth=2 sts=2 expandtab
diff --git a/src/version.c b/src/version.c
index f79eb15f8..0d2189b35 100644
--- a/src/version.c
+++ b/src/version.c
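Review bot: Test_visual_pos_buffer_heap_overflow() restores the option with `set virtualedit=` while Test_exclusive_selection() in the same file (hunk at line 1096) uses `set virtualedit&`; prefer `set virtualedit&` so the option goes back to its default rather than to an assumed value. The argument list created by `args Xa Xb` and the unnamed register set by `setreg('"', 'baz')` are not restored when the test ends; unless the harness resets them between tests, add `%argdelete` before `bw! Xa Xb`. The header comment could also name the fix being exercised, e.g. `" Test for CVE-2025-22134: :all with a stale Visual position must not read past the end of a line`.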
@@ -704,6 +704,8 @@ static char *(features[]) =
 static int included_patches[] =
 {
 /* Add new patch number below this line */
+/**/
+ 1003,
 /**/
 1002,
 /**/
-- -- You received this message from the "vim_dev" maillist. Do not top-post! Type your reply below the text you are replying to. For more information, visit http://www.vim.org/maillist.php --- You received this message because you are subscribed to the Google Groups "vim_dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to vim_dev+unsubscr...@googlegroups.com. To view this discussion visit https://groups.google.com/d/msgid/vim_dev/E1tWcjY-004xFn-IZ%40256bit.org.