Divide-by-zero vulnerability in function scroll_cursor_bot
#12528
A simplified PoC and accompanying text file (20 blank lines) is given, see the |
fullwaywang pushed a commit to fullwaywang/vim that referenced this issue on Jun 15, 2023
zeertzjq added a commit to zeertzjq/vim that referenced this issue on Jun 25, 2023:
The test for vim#12528 doesn't fail without the fix because the original steps to reproduce run Vim with `-u NONE -i NONE` which puts Vim in Vi-compatible mode where 'cpoptions' contains the "n" flag, whereas RunVimInTerminal() runs Vim with `--clean` which doesn't add the "n" flag to 'cpoptions'. Adding the "n" flag to 'cpoptions' is enough to make the test work properly. The `:winsize` command is also unnecessary as the zero-width window created by `:vsplit` and `:vertical resize 0` is enough.
zeertzjq added a commit to zeertzjq/vim that referenced this issue on Jun 26, 2023:
The test for vim#12528 doesn't fail without the fix because the original steps to reproduce run Vim with `-u NONE -i NONE` which puts Vim in Vi-compatible mode where 'cpoptions' contains the "n" flag, whereas RunVimInTerminal() runs Vim with `--clean` which doesn't add the "n" flag to 'cpoptions'. Adding the "n" flag to 'cpoptions' is enough to make the test work properly. The `:winsize` command is also unnecessary as the zero-width window created by `:vsplit` and `:vertical resize 0` is enough.
zeertzjq added a commit to zeertzjq/neovim that referenced this issue on Jun 27, 2023:
… set Problem: Divide by zero when scrolling with 'smoothscroll' set. Solution: Avoid using a negative width. (closes vim/vim#12540, closes vim/vim#12528) vim/vim@8154e64 Co-authored-by: fullwaywang <fullwaywang@tencent.com>
zeertzjq added a commit to zeertzjq/neovim that referenced this issue on Jun 27, 2023:
Problem: Regression test doesn't fail when fix is reverted. Solution: Add "n" to 'cpoptions' instead of using :winsize. (closes vim/vim#12587, issue vim/vim#12528) vim/vim@e429893 Co-authored-by: zeertzjq <zeertzjq@outlook.com>
zeertzjq added a commit to zeertzjq/neovim that referenced this issue on Jun 27, 2023:
… set Problem: Divide by zero when scrolling with 'smoothscroll' set. Solution: Avoid using a negative width. (closes vim/vim#12540, closes vim/vim#12528) vim/vim@8154e64 Co-authored-by: fullwaywang <fullwaywang@tencent.com>
zeertzjq added a commit to zeertzjq/neovim that referenced this issue on Jun 27, 2023:
Problem: Regression test doesn't fail when fix is reverted. Solution: Add "n" to 'cpoptions' instead of using :winsize. (closes vim/vim#12587, issue vim/vim#12528) vim/vim@e429893
Description
Recently I have been reviewing CVEs, checking whether there are cognate/recurring bugs as known ones. While reviewing VIM, I found one quite similar to CVE-2023-0512.
The CVE-2023-0512 is an issue where VIM under ex mode falsely calculated the width of the current window. `scroll_cursor_bot` calculates the `topline` and `bottomline` likewise, only in normal visual mode. In the calculation, `width1` is assigned the width of the current window minus the widths of linenumber and foldcolumn, which can be negative. If `foldcolumn` is on, then `width2` can be assigned `0`, resulting in a Divide-by-zero fault in the following division.
Version of Vim
Environment
CentOS 8 stream
Logs and stack traces
GDB:
Resolution
All occurrences of the calculated current window width (minus linenum and foldmark widths) should be checked.
For this bug, a patch is ready: HEAD...fullwaywang:fix-divide-by-zero
Discoverer
fullwaywang from Tencent
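As an added illustration (not Vim's code and not the patch linked above), the following C model reproduces the width arithmetic from the description and the check the Resolution asks for, with an unguarded line-count computation beside a guarded one that follows the fix summary "avoid using a negative width". The struct, the function names, the `cpo_n` flag handling and the exact wrap formula are assumptions; the window configurations are constructed test values (a one-column window with 'number' and 'foldcolumn' and "n" in 'cpoptions', and the zero-width window from the regression-test commit message).

```c
#include <assert.h>
#include <stdio.h>

/*
 * Simplified model of the width arithmetic the issue describes. This is an
 * added illustration, not Vim's code: the struct, the function names and the
 * exact wrap formula are assumptions chosen to reproduce the failure mode.
 */
typedef struct {
    int win_width;     /* columns in the window (0 for a zero-width split) */
    int number_width;  /* columns used by the 'number' column, incl. separator */
    int fold_width;    /* columns used by 'foldcolumn' */
    int cpo_n;         /* 1 when 'cpoptions' contains "n" */
} win_model_t;

/* Non-text columns at the start of the first screen line of a buffer line. */
static int col_off(const win_model_t *w)
{
    return w->number_width + w->fold_width;
}

/* Columns that wrapped continuation lines get back: with the "n" flag the
 * number column is not repeated on continuation lines (model assumption). */
static int col_off2(const win_model_t *w)
{
    return w->cpo_n ? w->number_width : 0;
}

/* The check the Resolution section asks for: report whether this window's
 * computed widths are unusable (width1 negative or width2 not positive). */
static int widths_are_degenerate(const win_model_t *w)
{
    int width1 = w->win_width - col_off(w);
    int width2 = width1 + col_off2(w);
    return width1 < 0 || width2 <= 0;
}

/* Unguarded screen-line count, the same pattern as in the report: width1 may
 * be negative and width2 may reach 0. A real division by zero raises SIGFPE;
 * here that path returns -1 so the fault is observable in a test. */
static int plines_unguarded(const win_model_t *w, int text_cols)
{
    int width1 = w->win_width - col_off(w);
    int width2 = width1 + col_off2(w);

    if (text_cols <= width1)
        return 1;
    if (width2 == 0)
        return -1;          /* would be a "/ 0" in the unguarded form */
    return 1 + (text_cols - width1 + width2 - 1) / width2;
}

/* Guarded version: clamp width1 before deriving width2 from it, and never
 * divide by a non-positive continuation width. */
static int plines_guarded(const win_model_t *w, int text_cols)
{
    int width1 = w->win_width - col_off(w);
    int width2;

    if (width1 < 0)
        width1 = 0;         /* no text fits on the first screen line */
    width2 = width1 + col_off2(w);

    if (text_cols <= width1)
        return 1;
    if (width2 <= 0)
        return 1;           /* nothing can wrap; refuse to divide */
    return 1 + (text_cols - width1 + width2 - 1) / width2;
}

int main(void)
{
    /* Constructed scenario from the report: a 1-column window with 'number'
     * (4 columns incl. separator), a 1-column 'foldcolumn', "n" in 'cpoptions'. */
    win_model_t tiny = { 1, 4, 1, 1 };
    /* Constructed ordinary 80-column window for comparison. */
    win_model_t normal = { 80, 4, 0, 0 };

    printf("tiny window degenerate: %d\n", widths_are_degenerate(&tiny));
    printf("tiny window, unguarded: %d\n", plines_unguarded(&tiny, 10));
    printf("tiny window, guarded:   %d\n", plines_guarded(&tiny, 10));
    printf("normal window, 200 cols: %d\n", plines_guarded(&normal, 200));
    return 0;
}
```

In the constructed one-column window `width1` is -4 and `width2` is 0, so the unguarded path reaches the division; the guarded path clamps and returns a finite count. The `widths_are_degenerate` check is the kind of assertion worth placing at every site that derives a text width from the window width minus the linenumber and foldcolumn widths.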