diff options
| author | zeertzjq <zeertzjq@outlook.com> | 2025-01-12 08:25:57 +0800 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2025-01-12 00:25:57 +0000 |
| commit | 1a8a48d7e5f8243aff0253a82f4214241eb877d6 (patch) | |
| tree | 3c264ae8974a9fa4862a44329fdf919e9fefccb9 /src/nvim/ops.c | |
| parent | 37316fbac641ecafde29fd750a08ece490d209c1 (diff) | |
| download | rneovim-1a8a48d7e5f8243aff0253a82f4214241eb877d6.tar.gz rneovim-1a8a48d7e5f8243aff0253a82f4214241eb877d6.tar.bz2 rneovim-1a8a48d7e5f8243aff0253a82f4214241eb877d6.zip | |
vim-patch:9.1.1003: [security]: heap-buffer-overflow with visual mode (#31971)
Problem: [security]: heap-buffer-overflow with visual mode when
using :all, causing Vim trying to access beyond end-of-line
(gandalf)
Solution: Reset visual mode on :all, validate position in gchar_pos()
and charwise_block_prep()
This fixes CVE-2025-22134
Github Advisory:
https://github.com/vim/vim/security/advisories/GHSA-5rgf-26wj-48v8
https://github.com/vim/vim/commit/c9a1e257f1630a0866447e53a564f7ff96a80ead
Co-authored-by: Christian Brabandt <cb@256bit.org>
Diffstat (limited to 'src/nvim/ops.c')
| -rw-r--r-- | src/nvim/ops.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/src/nvim/ops.c b/src/nvim/ops.c index 476c7ee8a4..d51b4cc88b 100644 --- a/src/nvim/ops.c +++ b/src/nvim/ops.c @@ -4345,6 +4345,7 @@ void charwise_block_prep(pos_T start, pos_T end, struct block_def *bdp, linenr_T colnr_T endcol = MAXCOL; colnr_T cs, ce; char *p = ml_get(lnum); + int plen = ml_get_len(lnum); bdp->startspaces = 0; bdp->endspaces = 0; @@ -4394,7 +4395,7 @@ void charwise_block_prep(pos_T start, pos_T end, struct block_def *bdp, linenr_T bdp->textlen = endcol - startcol + inclusive; } bdp->textcol = startcol; - bdp->textstart = p + startcol; + bdp->textstart = startcol <= plen ? p + startcol : p; } /// Handle the add/subtract operator. |