diff options
| author | zeertzjq <zeertzjq@outlook.com> | 2023-11-17 08:56:41 +0800 |
|---|---|---|
| committer | zeertzjq <zeertzjq@outlook.com> | 2023-11-17 09:54:03 +0800 |
| commit | a589156b4d3ea2dc72908b8773c42ad012929c64 (patch) | |
| tree | a8bc739d8872191e67c9a1c6c325f49bfb15343b /test | |
| parent | 748198f5bf3048c06993efe4b048a6e39e4b1658 (diff) | |
| download | rneovim-a589156b4d3ea2dc72908b8773c42ad012929c64.tar.gz rneovim-a589156b4d3ea2dc72908b8773c42ad012929c64.tar.bz2 rneovim-a589156b4d3ea2dc72908b8773c42ad012929c64.zip | |
vim-patch:9.0.1857: [security] heap-use-after-free in is_qf_win()
Problem: heap-use-after-free in is_qf_win()
Solution: Check buffer is valid before accessing it
https://github.com/vim/vim/commit/fc68299d436cf87453e432daa77b6d545df4d7ed
Co-authored-by: Christian Brabandt <cb@256bit.org>
Diffstat (limited to 'test')
| -rw-r--r-- | test/old/testdir/crash/bt_quickfix_poc | 9 | ||||
| -rw-r--r-- | test/old/testdir/test_crash.vim | 34 |
2 files changed, 36 insertions, 7 deletions
diff --git a/test/old/testdir/crash/bt_quickfix_poc b/test/old/testdir/crash/bt_quickfix_poc new file mode 100644 index 0000000000..bf02b4dcb8 --- /dev/null +++ b/test/old/testdir/crash/bt_quickfix_poc @@ -0,0 +1,9 @@ +comman!-narg=* Xexpr <mods>lex<args> +auto BufReadPre * exe"sn" ..expand("<abuf>") +fu Xautocmd_changelist() +cal writefile(['Xtestfile2:4:4'],'Xerr') + sil! edi Xerr +Xexpr 'Xtestfile:4:4' +endf +call Xautocmd_changelist() +call Xautocmd_changelist()
\ No newline at end of file diff --git a/test/old/testdir/test_crash.vim b/test/old/testdir/test_crash.vim index eb3c0a37fb..516d991939 100644 --- a/test/old/testdir/test_crash.vim +++ b/test/old/testdir/test_crash.vim @@ -5,38 +5,58 @@ source screendump.vim CheckScreendump func Test_crash1() + if !executable('sh') + throw 'Skipped: sh not executable!' + endif " The following used to crash Vim - " let opts = #{wait_for_ruler: 0, rows: 20, cmd: 'sh'} let opts = #{cmd: 'sh'} - let args = 'bash' let vim = GetVimProg() - let buf = RunVimInTerminal(args, opts) + let buf = RunVimInTerminal('sh', opts) let file = 'crash/poc_huaf1' let cmn_args = "%s -u NONE -i NONE -n -e -s -S %s -c ':qa!'" let args = printf(cmn_args, vim, file) call term_sendkeys(buf, args .. - \ ' && echo "crash 1: [OK]" >> X_crash1_result.txt' .. "\<cr>") + \ ' && echo "crash 1: [OK]" > X_crash1_result.txt' .. "\<cr>") + call TermWait(buf, 50) let file = 'crash/poc_huaf2' let args = printf(cmn_args, vim, file) call term_sendkeys(buf, args .. \ ' && echo "crash 2: [OK]" >> X_crash1_result.txt' .. "\<cr>") + call TermWait(buf, 50) let file = 'crash/poc_huaf3' let args = printf(cmn_args, vim, file) call term_sendkeys(buf, args .. \ ' && echo "crash 3: [OK]" >> X_crash1_result.txt' .. "\<cr>") + call TermWait(buf, 100) - call TermWait(buf, 50) + let file = 'crash/bt_quickfix_poc' + let args = printf(cmn_args, vim, file) + call term_sendkeys(buf, args .. + \ ' && echo "crash 4: [OK]" >> X_crash1_result.txt' .. "\<cr>") + " clean up + call delete('Xerr') + + " This test takes a bit longer + call TermWait(buf, 200) " clean up + call delete('Xerr') exe buf .. "bw!" sp X_crash1_result.txt - call assert_equal(['crash 1: [OK]', 'crash 2: [OK]', 'crash 3: [OK]'], - \ getline(1, '$')) + + let expected = [ + \ 'crash 1: [OK]', + \ 'crash 2: [OK]', + \ 'crash 3: [OK]', + \ 'crash 4: [OK]', + \ ] + + call assert_equal(expected, getline(1, '$')) bw! call delete('X_crash1_result.txt') |