mirrors/neovim
1
0
Fork 0
mirror of https://github.com/neovim/neovim.git synced 2025-09-29 06:28:35 +00:00
Code Issues Packages Projects Releases Wiki Activity

vim-patch:9.1.1003: [security]: heap-buffer-overflow with visual mode (#31971)

Browse Source 
Problem:  [security]: heap-buffer-overflow with visual mode when
          using :all, causing Vim trying to access beyond end-of-line
          (gandalf)
Solution: Reset visual mode on :all, validate position in gchar_pos()
          and charwise_block_prep()

This fixes CVE-2025-22134

Github Advisory:
https://github.com/vim/vim/security/advisories/GHSA-5rgf-26wj-48v8

c9a1e257f1

Co-authored-by: Christian Brabandt <cb@256bit.org>
This commit is contained in:
zeertzjq
2025-01-12 08:25:57 +08:00
committed by GitHub
parent 37316fbac6
commit 1a8a48d7e5
4 changed files with 30 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
src/nvim/ops.c
View File

@@ -4345,6 +4345,7 @@ void charwise_block_prep(pos_T start, pos_T end, struct block_def *bdp, linenr_T
colnr_T endcol = MAXCOL;
colnr_T cs, ce;
char *p = ml_get(lnum);
int plen = ml_get_len(lnum);
bdp->startspaces = 0;
bdp->endspaces = 0;
@@ -4394,7 +4395,7 @@ void charwise_block_prep(pos_T start, pos_T end, struct block_def *bdp, linenr_T
bdp->textlen = endcol - startcol + inclusive;
}
bdp->textcol = startcol;
bdp->textstart = p + startcol;
bdp->textstart = startcol <= plen ? p + startcol : p;
}
/// Handle the add/subtract operator.