aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorzeertzjq <zeertzjq@outlook.com>2023-11-17 09:12:01 +0800
committerzeertzjq <zeertzjq@outlook.com>2023-11-17 09:54:03 +0800
commit8dc72789cfad630c2f2da572916490a32d5155e6 (patch)
tree8dc7184ee0f1a2394861b144051f573fc83b0441
parenta589156b4d3ea2dc72908b8773c42ad012929c64 (diff)
downloadrneovim-8dc72789cfad630c2f2da572916490a32d5155e6.tar.gz
rneovim-8dc72789cfad630c2f2da572916490a32d5155e6.tar.bz2
rneovim-8dc72789cfad630c2f2da572916490a32d5155e6.zip
vim-patch:9.0.1858: [security] heap use after free in ins_compl_get_exp()
Problem: heap use after free in ins_compl_get_exp() Solution: validate buffer before accessing it https://github.com/vim/vim/commit/ee9166eb3b41846661a39b662dc7ebe8b5e15139 Co-authored-by: Christian Brabandt <cb@256bit.org>
Diffstat
-rw-r--r--src/nvim/insexpand.c2
-rw-r--r--test/old/testdir/crash/poc_tagfunc.vim6
-rw-r--r--test/old/testdir/test_crash.vim10
3 files changed, 15 insertions, 3 deletions
diff --git a/src/nvim/insexpand.c b/src/nvim/insexpand.c
index 28d1c8216e..f565d5b9e8 100644
--- a/src/nvim/insexpand.c
+++ b/src/nvim/insexpand.c
@@ -3435,7 +3435,7 @@ static int ins_compl_get_exp(pos_T *ini)
compl_started = true;
} else {
// Mark a buffer scanned when it has been scanned completely
- if (type == 0 || type == CTRL_X_PATH_PATTERNS) {
+ if (buf_valid(st.ins_buf) && (type == 0 || type == CTRL_X_PATH_PATTERNS)) {
assert(st.ins_buf);
st.ins_buf->b_scanned = true;
}
diff --git a/test/old/testdir/crash/poc_tagfunc.vim b/test/old/testdir/crash/poc_tagfunc.vim
new file mode 100644
index 0000000000..49d9b6f719
--- /dev/null
+++ b/test/old/testdir/crash/poc_tagfunc.vim
@@ -0,0 +1,6 @@
+fu Tagfunc(t,f,o)
+ bw
+endf
+set tagfunc=Tagfunc
+n0
+sil0norm0i
diff --git a/test/old/testdir/test_crash.vim b/test/old/testdir/test_crash.vim
index 516d991939..27bf7b55d4 100644
--- a/test/old/testdir/test_crash.vim
+++ b/test/old/testdir/test_crash.vim
@@ -39,12 +39,17 @@ func Test_crash1()
\ ' && echo "crash 4: [OK]" >> X_crash1_result.txt' .. "\<cr>")
" clean up
call delete('Xerr')
-
" This test takes a bit longer
call TermWait(buf, 200)
+ let file = 'crash/poc_tagfunc.vim'
+ let args = printf(cmn_args, vim, file)
+ call term_sendkeys(buf, args ..
+ \ ' || echo "crash 5: [OK]" >> X_crash1_result.txt' .. "\<cr>")
+
+ call TermWait(buf, 100)
+
" clean up
- call delete('Xerr')
exe buf .. "bw!"
sp X_crash1_result.txt
@@ -54,6 +59,7 @@ func Test_crash1()
\ 'crash 2: [OK]',
\ 'crash 3: [OK]',
\ 'crash 4: [OK]',
+ \ 'crash 5: [OK]',
\ ]
call assert_equal(expected, getline(1, '$'))
generated by cgit (git 2.34.1) at 2025-04-28 19:29:16 +0000