rneovim.git/test/old/testdir/crash, branch aucmd_textputpost Neovim fork with Rahm's personal hacks. vim-patch:9.0.2106: [security]: Use-after-free in win_close() 2023-11-17T01:59:22+00:00 zeertzjq zeertzjq@outlook.com 2023-11-17T01:47:04+00:00 790bd4d5858713e8503825892c7d08340d189370 Problem: [security]: Use-after-free in win_close() Solution: Check window is valid, before accessing it If the current window structure is no longer valid (because a previous autocommand has already freed this window), fail and return before attempting to set win->w_closing variable. Add a test to trigger ASAN in CI https://github.com/vim/vim/commit/25aabc2b8ee1e19ced6f4da9d866cf9378fc4c5a Co-authored-by: Christian Brabandt <cb@256bit.org> 
Problem:  [security]: Use-after-free in win_close()
Solution: Check window is valid, before accessing it

If the current window structure is no longer valid (because a previous
autocommand has already freed this window), fail and return before
attempting to set win->w_closing variable.

Add a test to trigger ASAN in CI

https://github.com/vim/vim/commit/25aabc2b8ee1e19ced6f4da9d866cf9378fc4c5a

Co-authored-by: Christian Brabandt <cb@256bit.org>
vim-patch:9.0.2010: [security] use-after-free from buf_contents_changed() 2023-11-17T01:59:22+00:00 zeertzjq zeertzjq@outlook.com 2023-11-17T01:42:59+00:00 d49be1cd2893ad583361ac058279a471ad7877e5 Problem: [security] use-after-free from buf_contents_changed() Solution: block autocommands https://github.com/vim/vim/commit/41e6f7d6ba67b61d911f9b1d76325cd79224753d Co-authored-by: Christian Brabandt <cb@256bit.org> 
Problem:  [security] use-after-free from buf_contents_changed()
Solution: block autocommands

https://github.com/vim/vim/commit/41e6f7d6ba67b61d911f9b1d76325cd79224753d

Co-authored-by: Christian Brabandt <cb@256bit.org>
vim-patch:9.0.1992: [security] segfault in exmode 2023-11-17T01:59:22+00:00 zeertzjq zeertzjq@outlook.com 2023-11-17T01:42:10+00:00 b6200fbdf2035b09abfc0f94fba9c432bc0b9245 Problem: segfault in exmode when redrawing Solution: skip gui_scroll when exmode_active https://github.com/vim/vim/commit/20d161ace307e28690229b68584f2d84556f8960 Co-authored-by: Christian Brabandt <cb@256bit.org> 
Problem:  segfault in exmode when redrawing
Solution: skip gui_scroll when exmode_active

https://github.com/vim/vim/commit/20d161ace307e28690229b68584f2d84556f8960

Co-authored-by: Christian Brabandt <cb@256bit.org>
vim-patch:9.0.1969: [security] buffer-overflow in trunc_string() 2023-11-17T01:59:16+00:00 zeertzjq zeertzjq@outlook.com 2023-11-17T01:33:54+00:00 3ab0e296c674a6846512df24a0a70199bba8c59a Problem: buffer-overflow in trunc_string() Solution: Add NULL at end of buffer Currently trunc_string() assumes that when the string is too long, buf[e-1] will always be writeable. But that assumption may not always be true. The condition currently looks like this else if (e + 3 < buflen) [...] else { // can't fit in the "...", just truncate it buf[e - 1] = NUL; } but this means, we may run into the last else clause with e still being larger than buflen. So a buffer overflow occurs. So instead of using `buf[e - 1]`, let's just always truncate at `buf[buflen - 1]` which should always be writable. https://github.com/vim/vim/commit/3bd7fa12e146c6051490d048a4acbfba974eeb04 vim-patch:9.0.2004: Missing test file Problem: Missing test file Solution: git-add the file to the repo closes: vim/vim#13305 https://github.com/vim/vim/commit/d4afbdd0715c722cfc73d3a8ab9e578667615faa Co-authored-by: Christian Brabandt <cb@256bit.org> 
Problem:  buffer-overflow in trunc_string()
Solution: Add NULL at end of buffer

Currently trunc_string() assumes that when the string is too long,
buf[e-1] will always be writeable. But that assumption may not always be
true. The condition currently looks like this

    else if (e + 3 < buflen)
    [...]
    else
    {
	// can't fit in the "...", just truncate it
	buf[e - 1] = NUL;
    }

but this means, we may run into the last else clause with e still being
larger than buflen. So a buffer overflow occurs.

So instead of using `buf[e - 1]`, let's just always
truncate at `buf[buflen - 1]` which should always be writable.

https://github.com/vim/vim/commit/3bd7fa12e146c6051490d048a4acbfba974eeb04

vim-patch:9.0.2004: Missing test file

Problem:  Missing test file
Solution: git-add the file to the repo

closes: vim/vim#13305

https://github.com/vim/vim/commit/d4afbdd0715c722cfc73d3a8ab9e578667615faa

Co-authored-by: Christian Brabandt <cb@256bit.org>
vim-patch:partial:9.0.1859: heap-use-after-free in bt_normal() 2023-11-17T01:54:03+00:00 zeertzjq zeertzjq@outlook.com 2023-11-17T01:15:38+00:00 bbb363f4bcfb56f8e60afff5f6f65cfe9e860252 Problem: heap-use-after-free in bt_normal() Solution: check that buffer is still valid https://github.com/vim/vim/commit/6e60cf444a8839ca1694319bf9a82e7b097e5c4d Test change only. Co-authored-by: Christian Brabandt <cb@256bit.org> 
Problem:  heap-use-after-free in bt_normal()
Solution: check that buffer is still valid

https://github.com/vim/vim/commit/6e60cf444a8839ca1694319bf9a82e7b097e5c4d

Test change only.

Co-authored-by: Christian Brabandt <cb@256bit.org>
vim-patch:9.0.1858: [security] heap use after free in ins_compl_get_exp() 2023-11-17T01:54:03+00:00 zeertzjq zeertzjq@outlook.com 2023-11-17T01:12:01+00:00 8dc72789cfad630c2f2da572916490a32d5155e6 Problem: heap use after free in ins_compl_get_exp() Solution: validate buffer before accessing it https://github.com/vim/vim/commit/ee9166eb3b41846661a39b662dc7ebe8b5e15139 Co-authored-by: Christian Brabandt <cb@256bit.org> 
Problem:  heap use after free in ins_compl_get_exp()
Solution: validate buffer before accessing it

https://github.com/vim/vim/commit/ee9166eb3b41846661a39b662dc7ebe8b5e15139

Co-authored-by: Christian Brabandt <cb@256bit.org>
vim-patch:9.0.1857: [security] heap-use-after-free in is_qf_win() 2023-11-17T01:54:03+00:00 zeertzjq zeertzjq@outlook.com 2023-11-17T00:56:41+00:00 a589156b4d3ea2dc72908b8773c42ad012929c64 Problem: heap-use-after-free in is_qf_win() Solution: Check buffer is valid before accessing it https://github.com/vim/vim/commit/fc68299d436cf87453e432daa77b6d545df4d7ed Co-authored-by: Christian Brabandt <cb@256bit.org> 
Problem:  heap-use-after-free in is_qf_win()
Solution: Check buffer is valid before accessing it

https://github.com/vim/vim/commit/fc68299d436cf87453e432daa77b6d545df4d7ed

Co-authored-by: Christian Brabandt <cb@256bit.org>
vim-patch:9.0.1848: [security] buffer-overflow in vim_regsub_both() (#25001) 2023-09-03T05:47:55+00:00 zeertzjq zeertzjq@outlook.com 2023-09-03T05:47:55+00:00 bebdf1dab345471222f6755c574d04596fea92fd Problem: buffer-overflow in vim_regsub_both() Solution: Check remaining space https://github.com/vim/vim/commit/ced2c7394aafdc90fb7845e09b3a3fee23d48cb1 The change to do_sub() looks confusing. Maybe it's an overflow check? Then the crash may not be applicable to Nvim because of different casts. The test also looks confusing. It seems to source itself recursively. Also don't call strlen() twice on evaluation result. N/A patches for version.c: vim-patch:9.0.1849: CI error on different signedness in ex_cmds.c vim-patch:9.0.1853: CI error on different signedness in regexp.c Co-authored-by: Christian Brabandt <cb@256bit.org> 
Problem:  buffer-overflow in vim_regsub_both()
Solution: Check remaining space

https://github.com/vim/vim/commit/ced2c7394aafdc90fb7845e09b3a3fee23d48cb1

The change to do_sub() looks confusing. Maybe it's an overflow check?
Then the crash may not be applicable to Nvim because of different casts.
The test also looks confusing. It seems to source itself recursively.
Also don't call strlen() twice on evaluation result.

N/A patches for version.c:
vim-patch:9.0.1849: CI error on different signedness in ex_cmds.c
vim-patch:9.0.1853: CI error on different signedness in regexp.c

Co-authored-by: Christian Brabandt <cb@256bit.org>