vim-patch:9.0.2141: [security]: buffer-overflow in suggest_trie_walk

Problem: [security]: buffer-overflow in suggest_trie_walk Solution: Check n before using it as index into byts array Basically, n as an index into the byts array, can point to beyond the byts array. So let's double check, that n is within the expected range after incrementing it from sp->ts_curi and bail out if it would be invalid. Reported by @henices, thanks! 0fb375aae6 Co-authored-by: Christian Brabandt <cb@256bit.org>
2025-09-26 04:58:33 +00:00 · 2023-12-02 10:07:13 +08:00
parent 7402655132
commit 01edcd6db8
3 changed files with 14 additions and 0 deletions
--- a/test/old/testdir/crash/poc_suggest_trie_walk
+++ b/test/old/testdir/crash/poc_suggest_trie_walk
--- a/test/old/testdir/test_crash.vim
+++ b/test/old/testdir/test_crash.vim
@@ -135,6 +135,13 @@ func Test_crash1_2()
    \ '  && echo "crash 2: [OK]" >> '.. result .. "\<cr>")
  call TermWait(buf, 350)

+  let file = 'crash/poc_suggest_trie_walk'
+  let cmn_args = "%s -u NONE -i NONE -n -e -s -S %s -c ':qa!'"
+  let args = printf(cmn_args, vim, file)
+  call term_sendkeys(buf, args ..
+    \ '  && echo "crash 3: [OK]" >> '.. result .. "\<cr>")
+  call TermWait(buf, 150)
+
  " clean up
  exe buf .. "bw!"

@@ -143,6 +150,7 @@ func Test_crash1_2()
  let expected = [
      \ 'crash 1: [OK]',
      \ 'crash 2: [OK]',
+      \ 'crash 3: [OK]',
      \ ]

  call assert_equal(expected, getline(1, '$'))