| Commit message (Collapse) | Author | Age |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Problem: [security] double-free in dialog_changed()
(SuyueGuo)
Solution: Only clear pointer b_sfname pointer, if it is different
than the b_ffname pointer. Don't try to free b_fname,
set it to NULL instead.
fixes: vim/vim#15403
Github Advisory:
https://github.com/vim/vim/security/advisories/GHSA-46pw-v7qw-xc2f
https://github.com/vim/vim/commit/b29f4abcd4b3382fa746edd1d0562b7b48c9de60
Co-authored-by: Christian Brabandt <cb@256bit.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Problem: [security] use-after-free in tagstack_clear_entry
(Suyue Guo )
Solution: Instead of manually calling vim_free() on each of the tagstack
entries, let's use tagstack_clear_entry(), which will
also free the stack, but using the VIM_CLEAR macro,
which prevents a use-after-free by setting those pointers
to NULL
This addresses CVE-2024-41957
Github advisory:
https://github.com/vim/vim/security/advisories/GHSA-f9cr-gv85-hcr4
https://github.com/vim/vim/commit/8a0bbe7b8aad6f8da28dee218c01bc8a0185a2d5
Co-authored-by: Christian Brabandt <cb@256bit.org>
|
| |
|
|
|
|
|
|
|
| |
Specifically, functions that are run in the context of the test runner
are put in module `test/testutil.lua` while the functions that are run
in the context of the test session are put in
`test/functional/testnvim.lua`.
Closes https://github.com/neovim/neovim/issues/27004.
|
| | |
|
| |
|
|
| |
Work on https://github.com/neovim/neovim/issues/27004.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
functions
Problem: [security]: stack-buffer-overflow in option callback functions
Solution: pass size of errbuf down the call stack, use snprintf()
instead of sprintf()
We pass the error buffer down to the option callback functions, but in
some parts of the code, we simply use sprintf(buf) to write into the error
buffer, which can overflow.
So let's pass down the length of the error buffer and use sprintf(buf, size)
instead.
Reported by @henices, thanks!
https://github.com/vim/vim/commit/b39b240c386a5a29241415541f1c99e2e6b8ce47
Co-authored-by: Christian Brabandt <cb@256bit.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Problem: [security]: use-after-free in win-enter
Solution: validate window pointer before calling win_enter()
win_goto() may stop visual mode, if it is active. However, this may in
turn trigger the ModeChanged autocommand, which could potentially free
the wp pointer which was valid before now became stale and points to now
freed memory.
So before calling win_enter(), let's verify one more time, that the
wp pointer still points to a valid window structure.
Reported by @henices, thanks!
https://github.com/vim/vim/commit/eec0c2b3a4cfab93dd8d4adaa60638d47a2bbc8a
Co-authored-by: Christian Brabandt <cb@256bit.org>
|
|
|
Problem: use-after-free in do_ecmd
Solution: Verify oldwin pointer after reset_VIsual()
https://github.com/vim/vim/commit/e1dc9a627536304bc4f738c21e909ad9fcf3974c
N/A patches for version.c:
vim-patch:9.0.1841: style: trailing whitespace in ex_cmds.c
Co-authored-by: Christian Brabandt <cb@256bit.org>
|
