vim-patch:9.1.0689: [security]: buffer-overflow in do_search() with 'rightleft'

Problem: buffer-overflow in do_search() with 'rightleft' (SuyueGuo) Solution: after reversing the text (which allocates a new buffer), re-calculate the text length Github Advisory: https://github.com/vim/vim/security/advisories/GHSA-v2x2-cjcg-f9jm cacb6693c1 Add missing change from patch 8.1.1270. Omit `call delete('Untitled')`: moved again in patch 9.1.0695. Co-authored-by: Christian Brabandt <cb@256bit.org> (cherry picked from commit 69a9a25fcc)
2025-10-04 17:06:30 +00:00 · 2025-10-02 07:50:00 +08:00
parent dd79bc8360
commit 8634a46165
3 changed files with 10 additions and 1 deletions
--- a/test/old/testdir/crash/reverse_text_overflow
+++ b/test/old/testdir/crash/reverse_text_overflow
--- a/test/old/testdir/test_crash.vim
+++ b/test/old/testdir/test_crash.vim
@@ -150,6 +150,13 @@ func Test_crash1_2()
    \ ' ; echo "crash 4: [OK]" >> '.. result .. "\<cr>")
  call TermWait(buf, 150)

+  let file = 'crash/reverse_text_overflow'
+  let cmn_args = "%s -u NONE -i NONE -n -X -m -n -e -s -S %s -c ':qa!'"
+  let args = printf(cmn_args, vim, file)
+  call term_sendkeys(buf, args ..
+    \ ' ; echo "crash 5: [OK]" >> '.. result .. "\<cr>")
+  call TermWait(buf, 150)
+
  " clean up
  exe buf .. "bw!"
  exe "sp " .. result
@@ -158,6 +165,7 @@ func Test_crash1_2()
      \ 'crash 2: [OK]',
      \ 'crash 3: [OK]',
      \ 'crash 4: [OK]',
+      \ 'crash 5: [OK]',
      \ ]

  call assert_equal(expected, getline(1, '$'))