From 50423942418bbf6019fdd30d7d8779ddcaee2b2d Mon Sep 17 00:00:00 2001
From: Jan Edmund Lazo
Date: Thu, 15 Jan 2026 00:35:21 -0500
Subject: [PATCH] vim-patch:9.1.0697: [security]: heap-buffer-overflow in ins_typebuf (#37372)
Problem: heap-buffer-overflow in ins_typebuf (SuyueGuo)
Solution: When flushing the typeahead buffer, validate that there is enough space left
Github Advisory: https://github.com/vim/vim/security/advisories/GHSA-4ghr-c62x-cqfh
https://github.com/vim/vim/commit/322ba9108612bead5eb7731ccb66763dec69ef1b
Co-authored-by: Christian Brabandt
---
 scripts/vim_na_files.txt | 1 +
 src/nvim/getchar.c | 12 +++++++++---
 test/old/testdir/test_crash.vim | 7 +++++++
 3 files changed, 17 insertions(+), 3 deletions(-)
diff --git a/scripts/vim_na_files.txt b/scripts/vim_na_files.txt
index 70d7cefcc3..5e0ef395fd 100644
--- a/scripts/vim_na_files.txt
+++ b/scripts/vim_na_files.txt
@@ -83,6 +83,7 @@ src/terminal.c
 src/termlib.c
 src/testdir/Make_amiga.mak
 src/testdir/Make_dos.mak
+src/testdir/crash/heap_overflow3
 src/testdir/keycode_check.vim
 src/testdir/lsan-suppress.txt
 src/testdir/samples/crypt_sodium_invalid.txt
diff --git a/src/nvim/getchar.c b/src/nvim/getchar.c
index 36a47ae036..e824d1fcc1 100644
--- a/src/nvim/getchar.c
+++ b/src/nvim/getchar.c
@@ -449,9 +449,15 @@ void flush_buffers(flush_buffers_T flush_typeahead)
   while (read_readbuffers(true) != NUL) {}
   if (flush_typeahead == FLUSH_MINIMAL) {
-    // remove mapped characters at the start only
-    typebuf.tb_off += typebuf.tb_maplen;
-    typebuf.tb_len -= typebuf.tb_maplen;
+    // remove mapped characters at the start only,
+    // but only when enough space left in typebuf
+    if (typebuf.tb_off + typebuf.tb_maplen >= typebuf.tb_buflen) {
+      typebuf.tb_off = MAXMAPLEN;
+      typebuf.tb_len = 0;
+    } else {
+      typebuf.tb_off += typebuf.tb_maplen;
+      typebuf.tb_len -= typebuf.tb_maplen;
+    }
   } else {
     // remove typeahead
     if (flush_typeahead == FLUSH_INPUT) {
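Review bot: The new guard in the FLUSH_MINIMAL branch only bounds `tb_off + tb_maplen` against `tb_buflen`; it does not check that `tb_maplen` is no larger than `tb_len`, so the surviving `typebuf.tb_len -= typebuf.tb_maplen` in the else branch can still drive `tb_len` negative if the two counters ever disagree, and a negative length is the kind of value a later size computation in ins_typebuf could misuse. Whether the counters can disagree is not visible in this hunk, so the cheap defensive option is to treat it like the overflow case: `if (typebuf.tb_off + typebuf.tb_maplen >= typebuf.tb_buflen || typebuf.tb_maplen > typebuf.tb_len) {`. The reset branch would also read better with a one-line comment explaining the choice it makes, e.g. `// tb_off would run past the buffer: drop the whole typeahead rather than advance into it`, since "enough space left" in the added comment does not say what happens when there is not. flush_buffers begins before and ends after this hunk, so whatever it resets afterwards (tb_maplen, tb_silent, change count) is not checked here.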
diff --git a/test/old/testdir/test_crash.vim b/test/old/testdir/test_crash.vim
index 47fc9740a6..80b0d3f722 100644
--- a/test/old/testdir/test_crash.vim
+++ b/test/old/testdir/test_crash.vim
@@ -220,6 +220,13 @@ func Test_crash1_3()
   call term_sendkeys(buf, args)
   call TermWait(buf, 150)
+  let file = 'crash/heap_overflow3'
+  let cmn_args = "%s -u NONE -i NONE -n -X -m -n -e -s -S %s -c ':qa!'"
+  let args = printf(cmn_args, vim, file)
+  call term_sendkeys(buf, args)
+  call TermWait(buf, 150)
+
+  " clean up
   exe buf .. "bw!"
   bw!
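Review bot: The added test drives `-S crash/heap_overflow3`, but the same commit lists `src/testdir/crash/heap_overflow3` in scripts/vim_na_files.txt, which suggests the PoC fixture is not carried in this tree; if the file is absent, `-S` presumably just reports an error and `:qa!` exits cleanly, so the test passes without ever exercising the FLUSH_MINIMAL reset it is meant to cover. Make a missing fixture fail loudly instead of silently passing, e.g. `call assert_true(filereadable(file), 'missing crash fixture: ' .. file)` right after `let file`, or skip explicitly if the fixture is intentionally not shipped. A short comment above `let file` naming the scenario would also help future readers, e.g. `" vim-patch 9.1.0697: ins_typebuf overflow when FLUSH_MINIMAL advances tb_off past tb_buflen`. Test_crash1_3 begins before this hunk, so the setup of `buf` and `vim` is not visible here.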