author | zeertzjq <zeertzjq@outlook.com> | 2024-04-03 05:53:08 +0800 |
---|---|---|
committer | zeertzjq <zeertzjq@outlook.com> | 2024-04-03 05:55:50 +0800 |
commit | aeabd8e2455b979c70277ea83eb9f3375a37bc6f (patch) | |
tree | 30681ab75de2001f04f20531b0160f41de5c61ff | |
parent | a94120752344f04c3f6d7e088026e9a58f46fe64 (diff) | |
vim-patch:9.1.0254: [security]: Heap buffer overflow when calling complete_add() in 'cfu'
Problem: [security]: Heap buffer overflow when calling complete_add()
in the first call of 'completefunc'
Solution: Call check_cursor() after calling 'completefunc' (zeertzjq)
closes: vim/vim#14391
https://github.com/vim/vim/commit/0a419e07a705675ac159218f42c1daa151d2ceea
-rw-r--r-- | src/nvim/insexpand.c | 4 | ||||
-rw-r--r-- | test/old/testdir/test_ins_complete.vim | 22 |
2 files changed, 25 insertions, 1 deletions
diff --git a/src/nvim/insexpand.c b/src/nvim/insexpand.c
index fe5faf8c10..7feb4f6661 100644
--- a/src/nvim/insexpand.c
+++ b/src/nvim/insexpand.c
@@ -2435,7 +2435,8 @@ static void expand_by_function(int type, char *base)
 }
 textlock--;
- curwin->w_cursor = pos; // restore the cursor position
+ curwin->w_cursor = pos; // restore the cursor position
+ check_cursor(curwin); // make sure cursor position is valid, just in case
 validate_cursor(curwin);
 if (!equalpos(curwin->w_cursor, pos)) {
 emsg(_(e_compldel));
@@ -4059,6 +4060,7 @@ static int get_userdefined_compl_info(colnr_T curs_col)
 State = save_State;
 curwin->w_cursor = pos; // restore the cursor position
+ check_cursor(curwin); // make sure cursor position is valid, just in case
 validate_cursor(curwin);
 if (!equalpos(curwin->w_cursor, pos)) {
 emsg(_(e_compldel));
diff --git a/test/old/testdir/test_ins_complete.vim b/test/old/testdir/test_ins_complete.vim
index ac04187a7b..3f67a06999 100644
--- a/test/old/testdir/test_ins_complete.vim
+++ b/test/old/testdir/test_ins_complete.vim
@@ -2490,4 +2490,26 @@ func Test_complete_changed_complete_info()
 call StopVimInTerminal(buf)
 endfunc
+func Test_completefunc_first_call_complete_add()
+ new
+
+ func Complete(findstart, base) abort
+ if a:findstart
+ let col = col('.')
+ call complete_add('#')
+ return col - 1
+ else
+ return []
+ endif
+ endfunc
+
+ set completeopt=longest completefunc=Complete
+ " This used to cause heap-buffer-overflow
+ call assert_fails('call feedkeys("ifoo#\<C-X>\<C-U>", "xt")', 'E840:')
+
+ delfunc Complete
+ set completeopt& completefunc&
+ bwipe!
+endfunc
+
 " vim: shiftwidth=2 sts=2 expandtab nofoldenable |
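Review bot: The comment on the added `check_cursor(curwin);` line says "just in case", which hides that this call is the actual fix for the heap buffer overflow named in the commit title. Judging from the commit message, the user callback can leave the saved `pos` pointing outside the current text, and clamping the cursor here is what lets the following `equalpos()` comparison fail and report `e_compldel` instead of carrying on with a stale position. I would say so in the comment, e.g. `// 'completefunc' may have changed the text: clamp the cursor so a stale pos is caught below`. The same remark applies to the identical line in the second hunk (get_userdefined_compl_info); both function bodies continue outside the hunks.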
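Review bot: The new test calls `complete_add()` only in the `a:findstart` branch, so it appears to cover the check added in get_userdefined_compl_info but not the one added in expand_by_function, and it never goes through 'omnifunc'. If those paths can reach the same state, a companion case would keep both added `check_cursor()` calls under regression coverage. The existing comment only records the old symptom; a line such as `" After the fix the stale cursor position is detected and reported as E840` above `assert_fails` would make the assertion's intent clear to readers running without a sanitizer build.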