thac0/vim
1
0
Fork 0
forked from aniani/vim
Code Activity

patch 9.1.1003: [security]: heap-buffer-overflow with visual mode

Browse Source 
Problem:  [security]: heap-buffer-overflow with visual mode when
          using :all, causing Vim trying to access beyond end-of-line
          (gandalf)
Solution: Reset visual mode on :all, validate position in gchar_pos()
          and charwise_block_prep()

This fixes CVE-2025-22134

Github Advisory:
https://github.com/vim/vim/security/advisories/GHSA-5rgf-26wj-48v8

Co-authored-by: zeertzjq <zeertzjq@outlook.com>
Signed-off-by: Christian Brabandt <cb@256bit.org>
This commit is contained in:
Christian Brabandt
2025-01-11 15:25:00 +01:00
parent 9598a6369b
commit c9a1e257f1
5 changed files with 34 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
src/ops.c
View File

@@ -2586,6 +2586,7 @@ charwise_block_prep(
colnr_T startcol = 0, endcol = MAXCOL;
colnr_T cs, ce;
char_u *p;
int plen = ml_get_len(lnum);
p = ml_get(lnum);
bdp->startspaces = 0;
@@ -2646,7 +2647,7 @@ charwise_block_prep(
else
bdp->textlen = endcol - startcol + inclusive;
bdp->textcol = startcol;
bdp->textstart = p + startcol;
bdp->textstart = startcol <= plen ? p + startcol : p;
}
/*