mirrors/neovim
1
0
Fork 0
mirror of https://github.com/neovim/neovim.git synced 2025-09-06 03:18:16 +00:00
Code Issues Packages Projects Releases Wiki Activity
30,342 Commits 12 Branches 54 Tags
ac15db4b9c21b51dc1789c4c75bd8cb363c6715d
Commit Graph

7 Commits

Author SHA1 Message Date
zeertzjq
6af359ef4c vim-patch:9.1.0647: [security] use-after-free in tagstack_clear_entry 
Problem:  [security] use-after-free in tagstack_clear_entry
          (Suyue Guo )
Solution: Instead of manually calling vim_free() on each of the tagstack
          entries, let's use tagstack_clear_entry(), which will
          also free the stack, but using the VIM_CLEAR macro,
          which prevents a use-after-free by setting those pointers
          to NULL

This addresses CVE-2024-41957

Github advisory:
https://github.com/vim/vim/security/advisories/GHSA-f9cr-gv85-hcr4

8a0bbe7b8a

Co-authored-by: Christian Brabandt <cb@256bit.org>
 2024-08-02 07:14:42 +08:00
dundargoc
052498ed42 test: improve test conventions 
Specifically, functions that are run in the context of the test runner
are put in module `test/testutil.lua` while the functions that are run
in the context of the test session are put in
`test/functional/testnvim.lua`.

Closes https://github.com/neovim/neovim/issues/27004.
 2024-04-23 18:17:04 +02:00
Lewis Russell
81fc27124b refactor(test): inject after_each differently 2024-04-10 15:53:50 +01:00
dundargoc
7035125b2b test: improve test conventions 
Work on https://github.com/neovim/neovim/issues/27004.
 2024-04-08 22:51:00 +02:00
zeertzjq
9cc346119b vim-patch:9.0.2142: [security]: stack-buffer-overflow in option callback functions 
Problem:  [security]: stack-buffer-overflow in option callback functions
Solution: pass size of errbuf down the call stack, use snprintf()
          instead of sprintf()

We pass the error buffer down to the option callback functions, but in
some parts of the code, we simply use sprintf(buf) to write into the error
buffer, which can overflow.

So let's pass down the length of the error buffer and use sprintf(buf, size)
instead.

Reported by @henices, thanks!

b39b240c38

Co-authored-by: Christian Brabandt <cb@256bit.org>
 2023-12-02 10:41:31 +08:00
zeertzjq
7402655132 vim-patch:9.0.2140: [security]: use-after-free in win-enter 
Problem:  [security]: use-after-free in win-enter
Solution: validate window pointer before calling win_enter()

win_goto() may stop visual mode, if it is active. However, this may in
turn trigger the ModeChanged autocommand, which could potentially free
the wp pointer which was valid before now became stale and points to now
freed memory.

So before calling win_enter(), let's verify one more time, that the
wp pointer still points to a valid window structure.

Reported by @henices, thanks!

eec0c2b3a4

Co-authored-by: Christian Brabandt <cb@256bit.org>
 2023-12-02 10:41:31 +08:00
zeertzjq
087ef52997 vim-patch:9.0.1840: [security] use-after-free in do_ecmd (#24993) 
Problem:  use-after-free in do_ecmd
Solution: Verify oldwin pointer after reset_VIsual()

e1dc9a6275

N/A patches for version.c:
vim-patch:9.0.1841: style: trailing whitespace in ex_cmds.c

Co-authored-by: Christian Brabandt <cb@256bit.org>
 2023-09-03 11:15:43 +08:00