diff options
| author | zeertzjq <zeertzjq@outlook.com> | 2024-09-01 05:07:17 +0800 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2024-09-01 05:07:17 +0800 |
| commit | 6f167fcae9fb47f4b03e2b2ae6732540aa409454 (patch) | |
| tree | ccd4a81639be4fd4b0061b5d275076324ae8ba95 /src | |
| parent | 4ee65484b16da9c51e6e1fc3b0d31f74259894f4 (diff) | |
| download | rneovim-6f167fcae9fb47f4b03e2b2ae6732540aa409454.tar.gz rneovim-6f167fcae9fb47f4b03e2b2ae6732540aa409454.tar.bz2 rneovim-6f167fcae9fb47f4b03e2b2ae6732540aa409454.zip | |
vim-patch:9.1.0707: [security]: invalid cursor position may cause a crash (#30204)
Problem: [security]: invalid cursor position may cause a crash
(after v9.1.0038)
Solution: Set cursor to the last character in a line, if it would
otherwise point to beyond the line; no tests added, as it
is unclear how to reproduce this.
Github Advisory:
https://github.com/vim/vim/security/advisories/GHSA-4ghr-c62x-cqfh
https://github.com/vim/vim/commit/396fd1ec2956307755392a1c61f55d5c1847f308
Co-authored-by: Christian Brabandt <cb@256bit.org>
Diffstat (limited to 'src')
| -rw-r--r-- | src/nvim/plines.c | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/src/nvim/plines.c b/src/nvim/plines.c index ae6d16b0cd..9bf486fb06 100644 --- a/src/nvim/plines.c +++ b/src/nvim/plines.c @@ -516,7 +516,7 @@ static int virt_text_cursor_off(const CharsizeArg *csarg, bool on_NUL) void getvcol(win_T *wp, pos_T *pos, colnr_T *start, colnr_T *cursor, colnr_T *end) { char *const line = ml_get_buf(wp->w_buffer, pos->lnum); // start of the line - int const end_col = pos->col; + colnr_T const end_col = pos->col; CharsizeArg csarg; bool on_NUL = false; @@ -560,6 +560,10 @@ void getvcol(win_T *wp, pos_T *pos, colnr_T *start, colnr_T *cursor, colnr_T *en } } + if (*ci.ptr == NUL && end_col < MAXCOL && end_col > ci.ptr - line) { + pos->col = (colnr_T)(ci.ptr - line); + } + int head = char_size.head; int incr = char_size.width; |