mirrors/neovim
1
0
Fork 0
mirror of https://github.com/neovim/neovim.git synced 2025-10-17 07:16:09 +00:00
Code Issues Packages Projects Releases Wiki Activity

vim-patch:9.1.1003: [security]: heap-buffer-overflow with visual mode (#31971)

Browse Source 
Problem:  [security]: heap-buffer-overflow with visual mode when
          using :all, causing Vim trying to access beyond end-of-line
          (gandalf)
Solution: Reset visual mode on :all, validate position in gchar_pos()
          and charwise_block_prep()

This fixes CVE-2025-22134

Github Advisory:
https://github.com/vim/vim/security/advisories/GHSA-5rgf-26wj-48v8

c9a1e257f1

Co-authored-by: Christian Brabandt <cb@256bit.org>
This commit is contained in:
zeertzjq
2025-01-12 08:25:57 +08:00
committed by GitHub
parent 37316fbac6
commit 1a8a48d7e5
4 changed files with 30 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
src/nvim/arglist.c
View File

@@ -31,6 +31,7 @@
#include "nvim/memline_defs.h"
#include "nvim/memory.h"
#include "nvim/message.h"
#include "nvim/normal.h"
#include "nvim/option.h"
#include "nvim/option_vars.h"
#include "nvim/os/input.h"
@@ -1096,6 +1097,10 @@ static void do_arg_all(int count, int forceit, int keep_tabs)
tabpage_T *const new_lu_tp = curtab;
// Stop Visual mode, the cursor and "VIsual" may very well be invalid after
// switching to another buffer.
reset_VIsual_and_resel();
// Try closing all windows that are not in the argument list.
// Also close windows that are not full width;
// When 'hidden' or "forceit" set the buffer becomes hidden.

2
src/nvim/memline.c
View File

@@ -1860,7 +1860,7 @@ int gchar_pos(pos_T *pos)
FUNC_ATTR_NONNULL_ARG(1)
{
// When searching columns is sometimes put at the end of a line.
if (pos->col == MAXCOL) {
if (pos->col == MAXCOL || pos->col > ml_get_len(pos->lnum)) {
return NUL;
}
return utf_ptr2char(ml_get_pos(pos));

3
src/nvim/ops.c
View File

@@ -4345,6 +4345,7 @@ void charwise_block_prep(pos_T start, pos_T end, struct block_def *bdp, linenr_T
colnr_T endcol = MAXCOL;
colnr_T cs, ce;
char *p = ml_get(lnum);
int plen = ml_get_len(lnum);
bdp->startspaces = 0;
bdp->endspaces = 0;
@@ -4394,7 +4395,7 @@ void charwise_block_prep(pos_T start, pos_T end, struct block_def *bdp, linenr_T
bdp->textlen = endcol - startcol + inclusive;
}
bdp->textcol = startcol;
bdp->textstart = p + startcol;
bdp->textstart = startcol <= plen ? p + startcol : p;
}
/// Handle the add/subtract operator.