Problem: [security]: Use-after-free in win_close()
Solution: Check window is valid, before accessing it
If the current window structure is no longer valid (because a previous
autocommand has already freed this window), fail and return before
attempting to set win->w_closing variable.
Add a test to trigger ASAN in CI
https://github.com/vim/vim/commit/25aabc2b8ee1e19ced6f4da9d866cf9378fc4c5a
Co-authored-by: Christian Brabandt <cb@256bit.org>
Problem: [security] use-after-free from buf_contents_changed()
Solution: block autocommands
https://github.com/vim/vim/commit/41e6f7d6ba67b61d911f9b1d76325cd79224753d
Co-authored-by: Christian Brabandt <cb@256bit.org>
Problem: segfault in exmode when redrawing
Solution: skip gui_scroll when exmode_active
https://github.com/vim/vim/commit/20d161ace307e28690229b68584f2d84556f8960
Co-authored-by: Christian Brabandt <cb@256bit.org>
Problem: buffer-overflow in trunc_string()
Solution: Add NULL at end of buffer
Currently trunc_string() assumes that when the string is too long,
buf[e-1] will always be writeable. But that assumption may not always be
true. The condition currently looks like this
    else if (e + 3 < buflen)
    [...]
    else
    {
        // can't fit in the "...", just truncate it
        buf[e - 1] = NUL;
    }
but this means, we may run into the last else clause with e still being
larger than buflen. So a buffer overflow occurs.
So instead of using `buf[e - 1]`, let's just always
truncate at `buf[buflen - 1]` which should always be writable.
https://github.com/vim/vim/commit/3bd7fa12e146c6051490d048a4acbfba974eeb04
vim-patch:9.0.2004: Missing test file
Problem: Missing test file
Solution: git-add the file to the repo
closes: vim/vim#13305
https://github.com/vim/vim/commit/d4afbdd0715c722cfc73d3a8ab9e578667615faa
Co-authored-by: Christian Brabandt <cb@256bit.org>
Problem: heap-use-after-free in bt_normal()
Solution: check that buffer is still valid
https://github.com/vim/vim/commit/6e60cf444a8839ca1694319bf9a82e7b097e5c4d
Test change only.
Co-authored-by: Christian Brabandt <cb@256bit.org>
Problem: heap use after free in ins_compl_get_exp()
Solution: validate buffer before accessing it
https://github.com/vim/vim/commit/ee9166eb3b41846661a39b662dc7ebe8b5e15139
Co-authored-by: Christian Brabandt <cb@256bit.org>
Problem: heap-use-after-free in is_qf_win()
Solution: Check buffer is valid before accessing it
https://github.com/vim/vim/commit/fc68299d436cf87453e432daa77b6d545df4d7ed
Co-authored-by: Christian Brabandt <cb@256bit.org>
Problem: buffer-overflow in vim_regsub_both()
Solution: Check remaining space
https://github.com/vim/vim/commit/ced2c7394aafdc90fb7845e09b3a3fee23d48cb1
The change to do_sub() looks confusing. Maybe it's an overflow check?
Then the crash may not be applicable to Nvim because of different casts.
The test also looks confusing. It seems to source itself recursively.
Also don't call strlen() twice on evaluation result.
N/A patches for version.c:
vim-patch:9.0.1849: CI error on different signedness in ex_cmds.c
vim-patch:9.0.1853: CI error on different signedness in regexp.c
Co-authored-by: Christian Brabandt <cb@256bit.org>