patch 9.1.0697: [security]: heap-buffer-overflow in ins_typebuf

Problem: heap-buffer-overflow in ins_typebuf (SuyueGuo) Solution: When flushing the typeahead buffer, validate that there is enough space left Github Advisory: https://github.com/vim/vim/security/advisories/GHSA-4ghr-c62x-cqfh Signed-off-by: Christian Brabandt <cb@256bit.org>
2025-07-26 11:04:33 -04:00 · 2024-08-25 21:33:03 +02:00 · 2024-08-25 21:33:03 +02:00 · 322ba91086
commit 322ba91086
parent 663950d700
4 changed files with 21 additions and 3 deletions
--- a/src/getchar.c
+++ b/src/getchar.c
@ -446,9 +446,18 @@ flush_buffers(flush_buffers_T flush_typeahead)

    if (flush_typeahead == FLUSH_MINIMAL)
    {
-	// remove mapped characters at the start only
-	typebuf.tb_off += typebuf.tb_maplen;
-	typebuf.tb_len -= typebuf.tb_maplen;
+	// remove mapped characters at the start only,
+	// but only when enough space left in typebuf
+	if (typebuf.tb_off + typebuf.tb_maplen >= typebuf.tb_buflen)
+	{
+	    typebuf.tb_off = MAXMAPLEN;
+	    typebuf.tb_len = 0;
+	}
+	else
+	{
+	    typebuf.tb_off += typebuf.tb_maplen;
+	    typebuf.tb_len -= typebuf.tb_maplen;
+	}
 #if defined(FEAT_CLIENTSERVER) || defined(FEAT_EVAL)
 	if (typebuf.tb_len == 0)
 	    typebuf_was_filled = FALSE;
--- a/src/testdir/crash/heap_overflow3
+++ b/src/testdir/crash/heap_overflow3
--- a/src/testdir/test_crash.vim
+++ b/src/testdir/test_crash.vim
@ -216,6 +216,13 @@ func Test_crash1_3()
  call term_sendkeys(buf, args)
  call TermWait(buf, 50)

+  let file = 'crash/heap_overflow3'
+  let cmn_args = "%s -u NONE -i NONE -n -X -m -n -e -s -S %s -c ':qa!'"
+  let args = printf(cmn_args, vim, file)
+  call term_sendkeys(buf, args)
+  call TermWait(buf, 150)
+
+
  " clean up
  exe buf .. "bw!"
  bw!
--- a/src/version.c
+++ b/src/version.c
@ -704,6 +704,8 @@ static char *(features[]) =

 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    697,
 /**/
    696,
 /**/