mirrors/neovim
1
0
Fork 0
mirror of https://github.com/neovim/neovim.git synced 2025-10-09 19:36:40 +00:00
Code Issues Packages Projects Releases Wiki Activity

vim-patch:9.1.0689: [security]: buffer-overflow in do_search() with 'rightleft'

Browse Source 
Problem:  buffer-overflow in do_search() with 'rightleft'
          (SuyueGuo)
Solution: after reversing the text (which allocates a new buffer),
          re-calculate the text length

Github Advisory:
https://github.com/vim/vim/security/advisories/GHSA-v2x2-cjcg-f9jm

cacb6693c1

Add missing change from patch 8.1.1270.
Omit `call delete('Untitled')`: moved again in patch 9.1.0695.

Co-authored-by: Christian Brabandt <cb@256bit.org>
This commit is contained in:
zeertzjq
2025-10-02 07:50:00 +08:00
parent 43f7434bd5
commit 69a9a25fcc
3 changed files with 10 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
src/nvim/search.c
View File

@@ -1282,9 +1282,10 @@ int do_search(oparg_T *oap, int dirc, int search_delim, char *pat, size_t patlen
// it would be blanked out again very soon. Show it on the
// left, but do reverse the text.
if (curwin->w_p_rl && *curwin->w_p_rlc == 's') {
char *r = reverse_text(trunc != NULL ? trunc : msgbuf);
char *r = reverse_text(msgbuf);
xfree(msgbuf);
msgbuf = r;
msgbuflen = strlen(msgbuf);
// move reversed text to beginning of buffer
while (*r == ' ') {
r++;