mirrors/neovim
1
0
Fork 0
mirror of https://github.com/neovim/neovim.git synced 2026-05-02 20:15:03 +00:00
Code Issues Packages Projects Releases Wiki Activity

vim-patch:9.1.0697: [security]: heap-buffer-overflow in ins_typebuf (#37372)

Browse Source 
Problem:  heap-buffer-overflow in ins_typebuf
          (SuyueGuo)
Solution: When flushing the typeahead buffer, validate that there
          is enough space left

Github Advisory:
https://github.com/vim/vim/security/advisories/GHSA-4ghr-c62x-cqfh

322ba91086

Co-authored-by: Christian Brabandt <cb@256bit.org>
This commit is contained in:
Jan Edmund Lazo
2026-01-15 00:35:21 -05:00
committed by GitHub
parent 86c939ba91
commit 5042394241
3 changed files with 17 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
src/nvim/getchar.c
View File

@@ -449,9 +449,15 @@ void flush_buffers(flush_buffers_T flush_typeahead)
while (read_readbuffers(true) != NUL) {}
if (flush_typeahead == FLUSH_MINIMAL) {
// remove mapped characters at the start only
typebuf.tb_off += typebuf.tb_maplen;
typebuf.tb_len -= typebuf.tb_maplen;
// remove mapped characters at the start only,
// but only when enough space left in typebuf
if (typebuf.tb_off + typebuf.tb_maplen >= typebuf.tb_buflen) {
typebuf.tb_off = MAXMAPLEN;
typebuf.tb_len = 0;
} else {
typebuf.tb_off += typebuf.tb_maplen;
typebuf.tb_len -= typebuf.tb_maplen;
}
} else {
// remove typeahead
if (flush_typeahead == FLUSH_INPUT) {