vim-patch:9.1.1003: [security]: heap-buffer-overflow with visual mode (#31971)

Problem: [security]: heap-buffer-overflow with visual mode when using :all, causing Vim trying to access beyond end-of-line (gandalf) Solution: Reset visual mode on :all, validate position in gchar_pos() and charwise_block_prep() This fixes CVE-2025-22134 Github Advisory: https://github.com/vim/vim/security/advisories/GHSA-5rgf-26wj-48v8 https://github.com/vim/vim/commit/c9a1e257f1630a0866447e53a564f7ff96a80ead Co-authored-by: Christian Brabandt <cb@256bit.org>
author: zeertzjq <zeertzjq@outlook.com> 2025-01-12 08:25:57 +0800
committer: GitHub <noreply@github.com> 2025-01-12 00:25:57 +0000
commit: 1a8a48d7e5f8243aff0253a82f4214241eb877d6 (patch)
tree: 3c264ae8974a9fa4862a44329fdf919e9fefccb9 /src/nvim/memline.c
parent: 37316fbac641ecafde29fd750a08ece490d209c1 (diff)
download: rneovim-1a8a48d7e5f8243aff0253a82f4214241eb877d6.tar.gz
rneovim-1a8a48d7e5f8243aff0253a82f4214241eb877d6.tar.bz2
rneovim-1a8a48d7e5f8243aff0253a82f4214241eb877d6.zip
1 files changed, 1 insertions, 1 deletions
diff --git a/src/nvim/memline.c b/src/nvim/memline.c
index ce04362a3e..fb7fdfb8b2 100644
--- a/src/nvim/memline.c
+++ b/src/nvim/memline.c
@@ -1860,7 +1860,7 @@ int gchar_pos(pos_T *pos)
   FUNC_ATTR_NONNULL_ARG(1)
 {
   // When searching columns is sometimes put at the end of a line.
-  if (pos->col == MAXCOL) {
+  if (pos->col == MAXCOL || pos->col > ml_get_len(pos->lnum)) {
     return NUL;
   }
   return utf_ptr2char(ml_get_pos(pos));
author	zeertzjq <zeertzjq@outlook.com>	2025-01-12 08:25:57 +0800
committer	GitHub <noreply@github.com>	2025-01-12 00:25:57 +0000
commit	1a8a48d7e5f8243aff0253a82f4214241eb877d6 (patch)
tree	3c264ae8974a9fa4862a44329fdf919e9fefccb9 /src/nvim/memline.c
parent	37316fbac641ecafde29fd750a08ece490d209c1 (diff)
download	rneovim-1a8a48d7e5f8243aff0253a82f4214241eb877d6.tar.gz rneovim-1a8a48d7e5f8243aff0253a82f4214241eb877d6.tar.bz2 rneovim-1a8a48d7e5f8243aff0253a82f4214241eb877d6.zip