
Commit ee9166e

committed
patch 9.0.1858: [security] heap use after free in ins_compl_get_exp()
Problem: heap use after free in ins_compl_get_exp() Solution: validate buffer before accessing it Signed-off-by: Christian Brabandt <cb@256bit.org>
1 parent fc68299 commit ee9166e


4 files changed

+17
-3
lines changed


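--- a/src/insexpand.c
+++ b/src/insexpand.c
@@ -3850,7 +3850,7 @@ ins_compl_get_exp(pos_T *ini)
 else
 {
 // Mark a buffer scanned when it has been scanned completely
-if (type == 0 || type == CTRL_X_PATH_PATTERNS)
+if (buf_valid(st.ins_buf) && (type == 0 || type == CTRL_X_PATH_PATTERNS))
 st.ins_buf->b_scanned = TRUE;
 
 compl_started = FALSE;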
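Review bot: The new `buf_valid(st.ins_buf)` guard protects only the `b_scanned` write in this `else` branch, and when the check fails `st.ins_buf` still holds the stale pointer. ins_compl_get_exp() begins and ends outside this hunk, so any other dereference of `st.ins_buf` that runs after the completion callbacks cannot be checked from here and is worth auditing for the same guard. The existing comment should also record why the buffer can be gone at this point, for example `// The buffer may have been wiped out by a callback such as 'tagfunc' during the scan`. If later code in the function reuses the pointer, resetting it when the check fails (for instance to `curbuf`) would be safer than leaving it dangling.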

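--- a/src/testdir/crash/poc_tagfunc.vim
+++ b/src/testdir/crash/poc_tagfunc.vim
@@ -0,0 +1,6 @@
+fu Tagfunc(t,f,o)
+bw
+endf
+set tagfunc=Tagfunc
+n0
+sil0norm0i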
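Review bot: The reproducer has no comment tying it to the bug it covers, so a later reader cannot tell what these six abbreviated lines are meant to exercise. From the commit message and the `bw` inside `Tagfunc`, it appears to wipe the buffer from the 'tagfunc' callback while completion is still using it. A header line such as `" Reproducer for patch 9.0.1858: 'tagfunc' wipes the buffer during insert completion` would record that, if this reading is right.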

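--- a/src/testdir/test_crash.vim
+++ b/src/testdir/test_crash.vim
@@ -39,12 +39,17 @@ func Test_crash1()
 \ ' && echo "crash 4: [OK]" >> X_crash1_result.txt' .. "\<cr>")
 " clean up
 call delete('Xerr')
-
 " This test takes a bit longer
 call TermWait(buf, 200)
 
+let file = 'crash/poc_tagfunc.vim'
+let args = printf(cmn_args, vim, file)
+call term_sendkeys(buf, args ..
+\ ' || echo "crash 5: [OK]" >> X_crash1_result.txt' .. "\<cr>")
+
+call TermWait(buf, 100)
+
 " clean up
-call delete('Xerr')
 exe buf .. "bw!"
 
 sp X_crash1_result.txt
@@ -54,6 +59,7 @@ func Test_crash1()
 \ 'crash 2: [OK]',
 \ 'crash 3: [OK]',
 \ 'crash 4: [OK]',
+\ 'crash 5: [OK]',
 \ ]
 
 call assert_equal(expected, getline(1, '$'))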
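Review bot: The crash 5 step chains its echo with `||`, while the crash 4 step just above uses `&&`, so `crash 5: [OK]` is written only when Vim exits with a non-zero status. A process killed by a signal also exits non-zero, so a regression that crashes Vim again would still produce the expected line unless the run is under a sanitizer or another check that fails separately. If the non-zero exit is intended because the reproducer ends in an error, say so above the call, e.g. `" using || because this poc makes Vim exit with a non-zero status`, and consider asserting the specific exit status. Test_crash1() begins and ends outside these hunks and `cmn_args` is defined outside them, so the exact command line cannot be confirmed here.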

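--- a/src/version.c
+++ b/src/version.c
@@ -699,6 +699,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 { /* Add new patch number below this line */
+/**/
+1858,
 /**/
 1857,
 /**/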
