patch 9.1.1003: [security]: heap-buffer-overflow with visual mode

Problem: [security]: heap-buffer-overflow with visual mode when using :all, causing Vim trying to access beyond end-of-line (gandalf) Solution: Reset visual mode on :all, validate position in gchar_pos() and charwise_block_prep() This fixes CVE-2025-22134 Github Advisory: https://github.com/vim/vim/security/advisories/GHSA-5rgf-26wj-48v8 Co-authored-by: zeertzjq <zeertzjq@outlook.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
2025-01-11 15:25:00 +01:00
parent 9598a6369b
commit c9a1e257f1
5 changed files with 34 additions and 5 deletions
--- a/src/misc1.c
+++ b/src/misc1.c
@@ -543,11 +543,15 @@ plines_m_win(win_T *wp, linenr_T first, linenr_T last, int max)
 gchar_pos(pos_T *pos)
 {
    char_u	*ptr;
+    int		ptrlen;

    // When searching columns is sometimes put at the end of a line.
    if (pos->col == MAXCOL)
 	return NUL;
+    ptrlen = ml_get_len(pos->lnum);
    ptr = ml_get_pos(pos);
+    if (pos->col > ptrlen)
+	return NUL;
    if (has_mbyte)
 	return (*mb_ptr2char)(ptr);
    return (int)*ptr;