From 087ef5299789123aa40e44937ef9bc31d49fd085 Mon Sep 17 00:00:00 2001 From: zeertzjq Date: Sun, 3 Sep 2023 11:15:43 +0800 Subject: vim-patch:9.0.1840: [security] use-after-free in do_ecmd (#24993) Problem: use-after-free in do_ecmd Solution: Verify oldwin pointer after reset_VIsual() https://github.com/vim/vim/commit/e1dc9a627536304bc4f738c21e909ad9fcf3974c N/A patches for version.c: vim-patch:9.0.1841: style: trailing whitespace in ex_cmds.c Co-authored-by: Christian Brabandt --- test/old/testdir/test_crash.vim | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 test/old/testdir/test_crash.vim (limited to 'test/old/testdir/test_crash.vim') diff --git a/test/old/testdir/test_crash.vim b/test/old/testdir/test_crash.vim new file mode 100644 index 0000000000..0dea3c2cb1 --- /dev/null +++ b/test/old/testdir/test_crash.vim @@ -0,0 +1,25 @@ +" Some tests, that used to crash Vim +source check.vim +source screendump.vim + +CheckScreendump + +func Test_crash1() + " The following used to crash Vim + let opts = #{wait_for_ruler: 0} + let args = ' -u NONE -i NONE -n -e -s -S ' + let buf = RunVimInTerminal(args .. ' crash/poc_huaf1', opts) + call VerifyScreenDump(buf, 'Test_crash_01', {}) + exe buf .. "bw!" + + let buf = RunVimInTerminal(args .. ' crash/poc_huaf2', opts) + call VerifyScreenDump(buf, 'Test_crash_01', {}) + exe buf .. "bw!" + + let buf = RunVimInTerminal(args .. ' crash/poc_huaf3', opts) + call VerifyScreenDump(buf, 'Test_crash_01', {}) + exe buf .. "bw!" + +endfunc + +" vim: shiftwidth=2 sts=2 expandtab -- cgit From bebdf1dab345471222f6755c574d04596fea92fd Mon Sep 17 00:00:00 2001 
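Review bot: The three VerifyScreenDump() calls in Test_crash1 all compare against the same reference `Test_crash_01`, so the test observes the rendered screen rather than whether the child Vim survived sourcing the PoC; a crash that happens after the idle `-e -s` screen already matches, or one whose only symptom is an ASAN report on stderr, is not reliably distinguished from success by a screen comparison. Nothing in the function waits for the `-S` script to finish before the dump is taken (`wait_for_ruler: 0` is needed because silent Ex mode shows no ruler, but it also removes the only implicit wait). Consider asserting the process outcome directly, e.g. running each PoC through a shell and recording its exit status, so the assertion is "Vim exited normally" rather than "the screen looked idle".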
From: zeertzjq Date: Sun, 3 Sep 2023 13:47:55 +0800 Subject: vim-patch:9.0.1848: [security] buffer-overflow in vim_regsub_both() (#25001) Problem: buffer-overflow in vim_regsub_both() Solution: Check remaining space https://github.com/vim/vim/commit/ced2c7394aafdc90fb7845e09b3a3fee23d48cb1 The change to do_sub() looks confusing. Maybe it's an overflow check? Then the crash may not be applicable to Nvim because of different casts. The test also looks confusing. It seems to source itself recursively. Also don't call strlen() twice on evaluation result. N/A patches for version.c: vim-patch:9.0.1849: CI error on different signedness in ex_cmds.c vim-patch:9.0.1853: CI error on different signedness in regexp.c Co-authored-by: Christian Brabandt --- test/old/testdir/test_crash.vim | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) (limited to 'test/old/testdir/test_crash.vim') diff --git a/test/old/testdir/test_crash.vim b/test/old/testdir/test_crash.vim index 0dea3c2cb1..445fe8d5a7 100644 --- a/test/old/testdir/test_crash.vim +++ b/test/old/testdir/test_crash.vim @@ -6,7 +6,7 @@ CheckScreendump func Test_crash1() " The following used to crash Vim - let opts = #{wait_for_ruler: 0} + let opts = #{wait_for_ruler: 0, rows: 20} let args = ' -u NONE -i NONE -n -e -s -S ' let buf = RunVimInTerminal(args .. ' crash/poc_huaf1', opts) call VerifyScreenDump(buf, 'Test_crash_01', {}) @@ -22,4 +22,13 @@ func Test_crash1() endfunc +func Test_crash2() + " The following used to crash Vim + let opts = #{wait_for_ruler: 0, rows: 20} + let args = ' -u NONE -i NONE -n -e -s -S ' + let buf = RunVimInTerminal(args .. ' crash/vim_regsub_both', opts) + call VerifyScreenDump(buf, 'Test_crash_01', {}) + exe buf .. "bw!" +endfunc + " vim: shiftwidth=2 sts=2 expandtab -- cgit From 748198f5bf3048c06993efe4b048a6e39e4b1658 Mon Sep 17 00:00:00 2001 
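Review bot: Test_crash2 verifies `crash/vim_regsub_both` against `Test_crash_01`, the reference dump that belongs to Test_crash1, and the dump comparison is its only wait; if VerifyScreenDump() returns as soon as the screen matches (the idle `-e -s` screen presumably looks the same before and after the sourced script runs), a crash that occurs once the PoC has executed can be missed entirely. Give this test its own reference, `call VerifyScreenDump(buf, 'Test_crash_02', {})`, or better check the process outcome rather than the screen, e.g. `call TermWait(buf, 200)` followed by an assertion that the terminal job is still alive. Sharing one reference file between unrelated PoCs also means a screen change in one test silently hides a regression in the other.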
From: zeertzjq Date: Fri, 17 Nov 2023 08:55:36 +0800 Subject: vim-patch:9.0.1854: test_crash1() fails on CI Problem: test_crash1() fails on CI Solution: don't run Screendump test, verify that it doesn't crash by running it through a shell command line, testing the exit value and concatenating success cmd using '&&' https://github.com/vim/vim/commit/db510ca8052884fd260f425025bacf44f6c92fa9 Co-authored-by: Christian Brabandt --- test/old/testdir/test_crash.vim | 40 ++++++++++++++++++++++++++++++---------- 1 file changed, 30 insertions(+), 10 deletions(-) (limited to 'test/old/testdir/test_crash.vim') diff --git a/test/old/testdir/test_crash.vim b/test/old/testdir/test_crash.vim index 445fe8d5a7..eb3c0a37fb 100644 --- a/test/old/testdir/test_crash.vim +++ b/test/old/testdir/test_crash.vim 
@@ -6,20 +6,40 @@ CheckScreendump func Test_crash1() " The following used to crash Vim - let opts = #{wait_for_ruler: 0, rows: 20} - let args = ' -u NONE -i NONE -n -e -s -S ' - let buf = RunVimInTerminal(args .. ' crash/poc_huaf1', opts) - call VerifyScreenDump(buf, 'Test_crash_01', {}) - exe buf .. "bw!" + " let opts = #{wait_for_ruler: 0, rows: 20, cmd: 'sh'} + let opts = #{cmd: 'sh'} + let args = 'bash' + let vim = GetVimProg() - let buf = RunVimInTerminal(args .. ' crash/poc_huaf2', opts) - call VerifyScreenDump(buf, 'Test_crash_01', {}) - exe buf .. "bw!" + let buf = RunVimInTerminal(args, opts) - let buf = RunVimInTerminal(args .. ' crash/poc_huaf3', opts) - call VerifyScreenDump(buf, 'Test_crash_01', {}) + let file = 'crash/poc_huaf1' + let cmn_args = "%s -u NONE -i NONE -n -e -s -S %s -c ':qa!'" + let args = printf(cmn_args, vim, file) + call term_sendkeys(buf, args .. + \ ' && echo "crash 1: [OK]" >> X_crash1_result.txt' .. "\") + + let file = 'crash/poc_huaf2' + let args = printf(cmn_args, vim, file) + call term_sendkeys(buf, args .. + \ ' && echo "crash 2: [OK]" >> X_crash1_result.txt' .. "\") + + let file = 'crash/poc_huaf3' + let args = printf(cmn_args, vim, file) + call term_sendkeys(buf, args .. + \ ' && echo "crash 3: [OK]" >> X_crash1_result.txt' .. "\") + + call TermWait(buf, 50) + + " clean up exe buf .. "bw!" + sp X_crash1_result.txt + call assert_equal(['crash 1: [OK]', 'crash 2: [OK]', 'crash 3: [OK]'], + \ getline(1, '$')) + bw! + + call delete('X_crash1_result.txt') endfunc func Test_crash2() -- cgit From a589156b4d3ea2dc72908b8773c42ad012929c64 Mon Sep 17 00:00:00 2001 
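Review bot: The first result line is written with `>> X_crash1_result.txt`, so a file left over from an earlier or aborted run (it is only deleted at the very end, after the assertion) can satisfy or corrupt the `assert_equal()` on `getline(1, '$')`; write the first entry with `> X_crash1_result.txt`, or `call delete('X_crash1_result.txt')` before the shell is started. The single `TermWait(buf, 50)` after sending three full Vim invocations is also unlikely to cover their run time, so `sp X_crash1_result.txt` may read an incomplete file. Note that `&&` only reports a zero exit status: in `-e -s` mode any script error makes Vim exit non-zero, so a PoC that errors out without crashing is indistinguishable here from one killed by a signal; if that is acceptable, say so in a comment above `cmn_args`.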
From: zeertzjq Date: Fri, 17 Nov 2023 08:56:41 +0800 Subject: vim-patch:9.0.1857: [security] heap-use-after-free in is_qf_win() Problem: heap-use-after-free in is_qf_win() Solution: Check buffer is valid before accessing it https://github.com/vim/vim/commit/fc68299d436cf87453e432daa77b6d545df4d7ed Co-authored-by: Christian Brabandt --- test/old/testdir/test_crash.vim | 34 +++++++++++++++++++++++++++------- 1 file changed, 27 insertions(+), 7 deletions(-) (limited to 'test/old/testdir/test_crash.vim') diff --git a/test/old/testdir/test_crash.vim b/test/old/testdir/test_crash.vim index eb3c0a37fb..516d991939 100644 --- a/test/old/testdir/test_crash.vim +++ b/test/old/testdir/test_crash.vim 
@@ -5,38 +5,58 @@ source screendump.vim CheckScreendump func Test_crash1() + if !executable('sh') + throw 'Skipped: sh not executable!' + endif " The following used to crash Vim - " let opts = #{wait_for_ruler: 0, rows: 20, cmd: 'sh'} let opts = #{cmd: 'sh'} - let args = 'bash' let vim = GetVimProg() - let buf = RunVimInTerminal(args, opts) + let buf = RunVimInTerminal('sh', opts) let file = 'crash/poc_huaf1' let cmn_args = "%s -u NONE -i NONE -n -e -s -S %s -c ':qa!'" let args = printf(cmn_args, vim, file) call term_sendkeys(buf, args .. - \ ' && echo "crash 1: [OK]" >> X_crash1_result.txt' .. "\") + \ ' && echo "crash 1: [OK]" > X_crash1_result.txt' .. "\") + call TermWait(buf, 50) let file = 'crash/poc_huaf2' let args = printf(cmn_args, vim, file) call term_sendkeys(buf, args .. \ ' && echo "crash 2: [OK]" >> X_crash1_result.txt' .. "\") + call TermWait(buf, 50) let file = 'crash/poc_huaf3' let args = printf(cmn_args, vim, file) call term_sendkeys(buf, args .. \ ' && echo "crash 3: [OK]" >> X_crash1_result.txt' .. "\") + call TermWait(buf, 100) - call TermWait(buf, 50) + let file = 'crash/bt_quickfix_poc' + let args = printf(cmn_args, vim, file) + call term_sendkeys(buf, args .. + \ ' && echo "crash 4: [OK]" >> X_crash1_result.txt' .. "\") + " clean up + call delete('Xerr') + + " This test takes a bit longer + call TermWait(buf, 200) " clean up + call delete('Xerr') exe buf .. "bw!" sp X_crash1_result.txt - call assert_equal(['crash 1: [OK]', 'crash 2: [OK]', 'crash 3: [OK]'], - \ getline(1, '$')) + + let expected = [ + \ 'crash 1: [OK]', + \ 'crash 2: [OK]', + \ 'crash 3: [OK]', + \ 'crash 4: [OK]', + \ ] + + call assert_equal(expected, getline(1, '$')) bw! call delete('X_crash1_result.txt') -- cgit From 8dc72789cfad630c2f2da572916490a32d5155e6 Mon Sep 17 00:00:00 2001 
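Review bot: The `call delete('Xerr')` placed directly after `term_sendkeys()` for `crash/bt_quickfix_poc` runs before the 200 ms `TermWait()`, i.e. while the child Vim is presumably still starting, so it cannot remove a file that PoC creates; only the second `call delete('Xerr')` after the wait does useful work and the first should be dropped. The waits are fixed sleeps that were already tuned once in this hunk (50/50/100/200 ms); if the harness offers a condition wait, something like `call WaitForAssert({-> assert_equal(4, len(readfile('X_crash1_result.txt')))}, 5000)` is more robust than guessing a duration. Changing the first echo to `>` does fix the stale-result-file problem of the previous version.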
From: zeertzjq Date: Fri, 17 Nov 2023 09:12:01 +0800 Subject: vim-patch:9.0.1858: [security] heap use after free in ins_compl_get_exp() Problem: heap use after free in ins_compl_get_exp() Solution: validate buffer before accessing it https://github.com/vim/vim/commit/ee9166eb3b41846661a39b662dc7ebe8b5e15139 Co-authored-by: Christian Brabandt --- test/old/testdir/test_crash.vim | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) (limited to 'test/old/testdir/test_crash.vim') diff --git a/test/old/testdir/test_crash.vim b/test/old/testdir/test_crash.vim index 516d991939..27bf7b55d4 100644 --- a/test/old/testdir/test_crash.vim +++ b/test/old/testdir/test_crash.vim @@ -39,12 +39,17 @@ func Test_crash1() \ ' && echo "crash 4: [OK]" >> X_crash1_result.txt' .. "\") " clean up call delete('Xerr') - " This test takes a bit longer call TermWait(buf, 200) + let file = 'crash/poc_tagfunc.vim' + let args = printf(cmn_args, vim, file) + call term_sendkeys(buf, args .. + \ ' || echo "crash 5: [OK]" >> X_crash1_result.txt' .. "\") + + call TermWait(buf, 100) + " clean up - call delete('Xerr') exe buf .. "bw!" sp X_crash1_result.txt @@ -54,6 +59,7 @@ func Test_crash1() \ 'crash 2: [OK]', \ 'crash 3: [OK]', \ 'crash 4: [OK]', + \ 'crash 5: [OK]', \ ] call assert_equal(expected, getline(1, '$')) -- cgit From bbb363f4bcfb56f8e60afff5f6f65cfe9e860252 Mon Sep 17 00:00:00 2001 From: zeertzjq Date: Fri, 17 Nov 2023 09:15:38 +0800 Subject: vim-patch:partial:9.0.1859: heap-use-after-free in bt_normal() Problem: heap-use-after-free in bt_normal() Solution: check that buffer is still valid https://github.com/vim/vim/commit/6e60cf444a8839ca1694319bf9a82e7b097e5c4d Test change only. Co-authored-by: Christian Brabandt --- test/old/testdir/test_crash.vim | 10 ++++++++++ 1 file changed, 10 insertions(+) (limited to 'test/old/testdir/test_crash.vim') diff --git a/test/old/testdir/test_crash.vim b/test/old/testdir/test_crash.vim index 27bf7b55d4..8deb79702b 100644 
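Review bot: `|| echo "crash 5: [OK]"` accepts any non-zero exit from `crash/poc_tagfunc.vim`, including death by signal (status above 128) or the error exit ASAN produces by default, so this line still prints `[OK]` if the use-after-free in ins_compl_get_exp() regresses and the case cannot fail on the bug it was added for. Either make the PoC exit cleanly (e.g. wrap the failing command in `try`/`catch` inside poc_tagfunc.vim) so `&&` can be used like the other cases, or test the status explicitly, `; [ $? -lt 128 ] && echo "crash 5: [OK]" >> X_crash1_result.txt`, and for ASAN builds redirect stderr to a file and assert it does not contain `AddressSanitizer`. This hunk also removes the `call delete('Xerr')` that ran after the wait and keeps the one that runs before it, so a file presumably created by the previous PoC is now left behind.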
--- a/test/old/testdir/test_crash.vim +++ b/test/old/testdir/test_crash.vim @@ -49,6 +49,15 @@ func Test_crash1() call TermWait(buf, 100) + let file = 'crash/bt_quickfix1_poc' + let args = printf(cmn_args, vim, file) + call term_sendkeys(buf, args .. + \ ' && echo "crash 6: [OK]" >> X_crash1_result.txt' .. "\") + " clean up + call delete('X') + " This test takes a bit longer + call TermWait(buf, 200) + " clean up exe buf .. "bw!" @@ -60,6 +69,7 @@ func Test_crash1() \ 'crash 3: [OK]', \ 'crash 4: [OK]', \ 'crash 5: [OK]', + \ 'crash 6: [OK]', \ ] call assert_equal(expected, getline(1, '$')) -- cgit From 2371b9303d6b724c0e8c057239d00575c96d51f6 Mon Sep 17 00:00:00 2001 From: zeertzjq Date: Fri, 17 Nov 2023 09:18:42 +0800 Subject: vim-patch:9.0.1860: CI: test_crash1() is flaky Problem: CI: test_crash1() is flaky Solution: Wait a bit longer https://github.com/vim/vim/commit/f44cbe96fa44d10d6dd717e0a9f6ef0f104ee98a Co-authored-by: Christian Brabandt --- test/old/testdir/test_crash.vim | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) (limited to 'test/old/testdir/test_crash.vim') diff --git a/test/old/testdir/test_crash.vim b/test/old/testdir/test_crash.vim index 8deb79702b..b997cc1d29 100644 --- a/test/old/testdir/test_crash.vim +++ b/test/old/testdir/test_crash.vim @@ -40,7 +40,7 @@ func Test_crash1() " clean up call delete('Xerr') " This test takes a bit longer - call TermWait(buf, 200) + call TermWait(buf, 500) let file = 'crash/poc_tagfunc.vim' let args = printf(cmn_args, vim, file) @@ -55,7 +55,6 @@ func Test_crash1() \ ' && echo "crash 6: [OK]" >> X_crash1_result.txt' .. "\") " clean up call delete('X') - " This test takes a bit longer call TermWait(buf, 200) " clean up -- cgit From 1274380029313d820c9a0c28d10d606ddb27aacd Mon Sep 17 00:00:00 2001 
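Review bot: `call delete('X')` for `crash/bt_quickfix1_poc` is issued immediately after `term_sendkeys()`, before the 200 ms `TermWait()`, so if the PoC creates `X` the file still exists when the test ends and may influence later tests that use a file of that name; move the cleanup after the wait, `call TermWait(buf, 200)` then `call delete('X')`. The commit message says "test change only" and the hunk matches that, but the expected-list entry `'crash 6: [OK]'` depends on `&&`, so a PoC that merely errors out in `-e -s` mode is reported as a crash here; a short comment on `cmn_args` noting that script errors also fail the check would help the next person debugging a red CI.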
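Review bot: Raising `TermWait(buf, 200)` to `500` after crash 4 treats a timing race as a tuning problem; each PoC runs for an unknown time and the result file is read after a fixed sleep, which is why the same constant keeps growing. Waiting on the observable outcome is both faster on quick machines and more robust on slow CI, e.g. `call WaitForAssert({-> assert_equal(4, len(readfile('X_crash1_result.txt')))}, 5000)` after the crash 4 command (if the harness provides WaitForAssert; the second argument is the timeout). Test_crash1 continues outside this hunk.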
From: zeertzjq Date: Fri, 17 Nov 2023 09:19:01 +0800 Subject: vim-patch:9.0.1864: still crash with bt_quickfix1_poc Problem: crash with bt_quickfix1_poc when cleaning up and EXITFREE is defined Solution: Test if buffer is valid in a window, else close window directly, don't try to access buffer properties While at it, increase the crash timeout slightly, so that CI has a chance to finish processing the test_crash() test. https://github.com/vim/vim/commit/623ba31821a41acee7e948794e84867680b97885 Co-authored-by: Christian Brabandt --- test/old/testdir/test_crash.vim | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'test/old/testdir/test_crash.vim') diff --git a/test/old/testdir/test_crash.vim b/test/old/testdir/test_crash.vim index b997cc1d29..8c79d3abd6 100644 --- a/test/old/testdir/test_crash.vim +++ b/test/old/testdir/test_crash.vim @@ -40,7 +40,7 @@ func Test_crash1() " clean up call delete('Xerr') " This test takes a bit longer - call TermWait(buf, 500) + call TermWait(buf, 1000) let file = 'crash/poc_tagfunc.vim' let args = printf(cmn_args, vim, file) @@ -55,7 +55,7 @@ func Test_crash1() \ ' && echo "crash 6: [OK]" >> X_crash1_result.txt' .. "\") " clean up call delete('X') - call TermWait(buf, 200) + call TermWait(buf, 1000) " clean up exe buf .. "bw!" -- cgit From 0b0df9f5d7035a3ce90ea5c1bbd7737293a26414 Mon Sep 17 00:00:00 2001 From: zeertzjq Date: Fri, 17 Nov 2023 09:21:54 +0800 Subject: vim-patch:9.0.1868: test_crash still fails for circle ci Problem: test_crash still fails for circle ci Solution: give even more time to complete https://github.com/vim/vim/commit/59adcb4c203371258c72e76011da93eac8540317 Co-authored-by: Christian Brabandt --- test/old/testdir/test_crash.vim | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'test/old/testdir/test_crash.vim') diff --git a/test/old/testdir/test_crash.vim b/test/old/testdir/test_crash.vim index 8c79d3abd6..781f810ef7 100644 --- a/test/old/testdir/test_crash.vim 
+++ b/test/old/testdir/test_crash.vim @@ -55,7 +55,7 @@ func Test_crash1() \ ' && echo "crash 6: [OK]" >> X_crash1_result.txt' .. "\") " clean up call delete('X') - call TermWait(buf, 1000) + call TermWait(buf, 3000) " clean up exe buf .. "bw!" -- cgit From 6867d2492c1788dfab0a40d0fe453c4a3ce52e28 Mon Sep 17 00:00:00 2001 From: zeertzjq Date: Fri, 17 Nov 2023 09:22:09 +0800 Subject: vim-patch:9.0.1872: CI: test_crash() fails on CI Problem: CI: test_crash() fails on CI Solution: Skip test on BSD https://github.com/vim/vim/commit/d2a08ba0fa4a25f31cee9d9f33b0aa8237227387 Co-authored-by: Christian Brabandt --- test/old/testdir/test_crash.vim | 2 ++ 1 file changed, 2 insertions(+) (limited to 'test/old/testdir/test_crash.vim') diff --git a/test/old/testdir/test_crash.vim b/test/old/testdir/test_crash.vim index 781f810ef7..e0884e5a05 100644 --- a/test/old/testdir/test_crash.vim +++ b/test/old/testdir/test_crash.vim @@ -5,6 +5,8 @@ source screendump.vim CheckScreendump func Test_crash1() + CheckNotBSD + if !executable('sh') throw 'Skipped: sh not executable!' endif -- cgit From eae10de14e8584b8c6c2b7b8255c8191b969698d Mon Sep 17 00:00:00 2001 From: zeertzjq Date: Fri, 17 Nov 2023 09:22:30 +0800 Subject: vim-patch:9.0.1873: [security] heap-buffer-overflow in vim_regsub_both Problem: heap-buffer-overflow in vim_regsub_both Solution: Disallow exchanging windows when textlock is active https://github.com/vim/vim/commit/f6d28fe2c95c678cc3202cc5dc825a3fcc709e93 Cherry-pick test_crash.vim change from patch 9.0.1876. Co-authored-by: Christian Brabandt --- test/old/testdir/test_crash.vim | 8 ++++++++ 1 file changed, 8 insertions(+) (limited to 'test/old/testdir/test_crash.vim') diff --git a/test/old/testdir/test_crash.vim b/test/old/testdir/test_crash.vim index e0884e5a05..aa30684291 100644 --- a/test/old/testdir/test_crash.vim +++ b/test/old/testdir/test_crash.vim 
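Review bot: `CheckNotBSD` skips every PoC in Test_crash1 without recording why, so a future reader cannot tell whether BSD genuinely cannot run this shell-in-terminal harness or whether one case was merely slow there; add the reason above the check, e.g. `" Skipped on BSD: the terminal/shell timing in this test does not complete on the BSD CI runner (vim 9.0.1872)`. A blanket skip also means a regression of any of the use-after-frees exercised here goes unnoticed on that platform, so if timing is the only problem a platform-conditional longer `TermWait()` would keep the coverage.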
@@ -46,6 +46,7 @@ func Test_crash1() let file = 'crash/poc_tagfunc.vim' let args = printf(cmn_args, vim, file) + " using || because this poc causes vim to exit with exitstatus != 0 call term_sendkeys(buf, args .. \ ' || echo "crash 5: [OK]" >> X_crash1_result.txt' .. "\") @@ -59,6 +60,12 @@ func Test_crash1() call delete('X') call TermWait(buf, 3000) + let file = 'crash/vim_regsub_both_poc' + let args = printf(cmn_args, vim, file) + call term_sendkeys(buf, args .. + \ ' && echo "crash 7: [OK]" >> X_crash1_result.txt' .. "\") + call TermWait(buf, 1000) + " clean up exe buf .. "bw!" @@ -71,6 +78,7 @@ func Test_crash1() \ 'crash 4: [OK]', \ 'crash 5: [OK]', \ 'crash 6: [OK]', + \ 'crash 7: [OK]', \ ] call assert_equal(expected, getline(1, '$')) -- cgit From b5b6e6fb496df3dccf6f14f6f816b48b99dca000 Mon Sep 17 00:00:00 2001 From: zeertzjq Date: Fri, 17 Nov 2023 09:31:50 +0800 Subject: vim-patch:9.0.1878: tests running sh have problems Problem: tests running sh have problems Solution: Check that dash is installed closes: vim/vim#13040 https://github.com/vim/vim/commit/1690ec64ffd784cddddb937870f5891adbb21986 Co-authored-by: Philip H <47042125+pheiduck@users.noreply.github.com> Co-authored-by: Christian Brabandt --- test/old/testdir/test_crash.vim | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) (limited to 'test/old/testdir/test_crash.vim') diff --git a/test/old/testdir/test_crash.vim b/test/old/testdir/test_crash.vim index aa30684291..b6ae4d2153 100644 --- a/test/old/testdir/test_crash.vim +++ b/test/old/testdir/test_crash.vim @@ -6,10 +6,8 @@ CheckScreendump func Test_crash1() CheckNotBSD + CheckExecutable dash - if !executable('sh') - throw 'Skipped: sh not executable!' - endif " The following used to crash Vim let opts = #{cmd: 'sh'} let vim = GetVimProg() 
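Review bot: `CheckExecutable dash` tests a different condition from what the test runs: the terminal is still started with `let opts = #{cmd: 'sh'}` and `RunVimInTerminal('sh', opts)`, so on a system where dash is installed but `sh` is another shell the check passes yet the shell problem the patch works around is not avoided, while where `sh` is dash but no `dash` binary is on PATH the test is skipped for no reason. Either run the shell you check for, `let opts = #{cmd: 'dash'}` and `let buf = RunVimInTerminal('dash', opts)`, or keep `sh` and document in a comment above the check why dash's presence is the proxy being used. The removed `executable('sh')` guard was the one that matched the command actually executed.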
@@ -64,7 +62,7 @@ func Test_crash1() let args = printf(cmn_args, vim, file) call term_sendkeys(buf, args .. \ ' && echo "crash 7: [OK]" >> X_crash1_result.txt' .. "\") - call TermWait(buf, 1000) + call TermWait(buf, 3000) " clean up exe buf .. "bw!" -- cgit From 7f62775d5da3c67fe626f74ac7aad4e001428d3f Mon Sep 17 00:00:00 2001 From: zeertzjq Date: Fri, 17 Nov 2023 09:32:13 +0800 Subject: vim-patch:9.0.1881: Test_crash fails on Mac Problem: Test_crash fails on Mac Solution: Skip test on Mac https://github.com/vim/vim/commit/5856b07795dff69e3bac57deb5033b5839c1dfb8 Co-authored-by: Christian Brabandt --- test/old/testdir/test_crash.vim | 2 ++ 1 file changed, 2 insertions(+) (limited to 'test/old/testdir/test_crash.vim') diff --git a/test/old/testdir/test_crash.vim b/test/old/testdir/test_crash.vim index b6ae4d2153..b841ccb052 100644 --- a/test/old/testdir/test_crash.vim +++ b/test/old/testdir/test_crash.vim @@ -7,6 +7,8 @@ CheckScreendump func Test_crash1() CheckNotBSD CheckExecutable dash + " Test 7 fails on Mac ... + CheckNotMac " The following used to crash Vim let opts = #{cmd: 'sh'} -- cgit From 5a67878e8684e02caf853137aae1dc367a77b48f Mon Sep 17 00:00:00 2001 From: zeertzjq Date: Fri, 17 Nov 2023 09:32:30 +0800 Subject: vim-patch:9.0.1882: Trailing white space in tests Problem: Trailing white space in tests Solution: Delete it This causes test_codestyle to fail, so we need to remove it again. Hopefully that makes the CI green again. Note: I will start using annotated tags from now on. https://github.com/vim/vim/commit/da200c2f78ef3c91557a2b484d284eb0c1c62776 Co-authored-by: Christian Brabandt --- test/old/testdir/test_crash.vim | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'test/old/testdir/test_crash.vim') diff --git a/test/old/testdir/test_crash.vim b/test/old/testdir/test_crash.vim index b841ccb052..a1da68ed4c 100644 --- a/test/old/testdir/test_crash.vim +++ b/test/old/testdir/test_crash.vim 
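Review bot: `CheckNotMac` skips all of Test_crash1 although, per the comment, only test 7 (`crash/vim_regsub_both_poc`) fails on Mac, so the other use-after-free regressions are no longer checked on that platform; guard only that case, e.g. `if !has('mac')` around the crash 7 block, and build `expected` conditionally so the list still matches. The comment `" Test 7 fails on Mac ...` should also say how it fails (timeout versus an actual crash), since a real crash on Mac would be a finding rather than a reason to skip. Test_crash1 continues outside this hunk.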
@@ -7,7 +7,7 @@ CheckScreendump func Test_crash1() CheckNotBSD CheckExecutable dash - " Test 7 fails on Mac ... + " Test 7 fails on Mac ... CheckNotMac " The following used to crash Vim -- cgit From 3ab0e296c674a6846512df24a0a70199bba8c59a Mon Sep 17 00:00:00 2001 From: zeertzjq Date: Fri, 17 Nov 2023 09:33:54 +0800 Subject: vim-patch:9.0.1969: [security] buffer-overflow in trunc_string() Problem: buffer-overflow in trunc_string() Solution: Add NULL at end of buffer Currently trunc_string() assumes that when the string is too long, buf[e-1] will always be writeable. But that assumption may not always be true. The condition currently looks like this else if (e + 3 < buflen) [...] else { // can't fit in the "...", just truncate it buf[e - 1] = NUL; } but this means, we may run into the last else clause with e still being larger than buflen. So a buffer overflow occurs. So instead of using `buf[e - 1]`, let's just always truncate at `buf[buflen - 1]` which should always be writable. https://github.com/vim/vim/commit/3bd7fa12e146c6051490d048a4acbfba974eeb04 vim-patch:9.0.2004: Missing test file Problem: Missing test file Solution: git-add the file to the repo closes: vim/vim#13305 https://github.com/vim/vim/commit/d4afbdd0715c722cfc73d3a8ab9e578667615faa Co-authored-by: Christian Brabandt --- test/old/testdir/test_crash.vim | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'test/old/testdir/test_crash.vim') diff --git a/test/old/testdir/test_crash.vim b/test/old/testdir/test_crash.vim index a1da68ed4c..5c83e3a2f5 100644 --- a/test/old/testdir/test_crash.vim +++ b/test/old/testdir/test_crash.vim @@ -66,6 +66,12 @@ func Test_crash1() \ ' && echo "crash 7: [OK]" >> X_crash1_result.txt' .. "\") call TermWait(buf, 3000) + let file = 'crash/vim_msg_trunc_poc' + let args = printf(cmn_args, vim, file) + call term_sendkeys(buf, args .. + \ ' || echo "crash 8: [OK]" >> X_crash1_result.txt' .. "\") + call TermWait(buf, 3000) + " clean up exe buf .. "bw!" 
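Review bot: `|| echo "crash 8: [OK]"` writes the success line whenever `crash/vim_msg_trunc_poc` makes Vim exit non-zero, and a Vim killed by SIGSEGV/SIGABRT or aborted by ASAN also exits non-zero, so this case cannot fail if the trunc_string() overflow regresses. Unlike crash 5 there is no comment saying that a non-zero exit is the expected outcome here; at minimum add `" using || because this poc causes vim to exit with exitstatus != 0` as was done for crash 5, and preferably distinguish the expected error exit from a signal, `; [ $? -lt 128 ] && echo "crash 8: [OK]" >> X_crash1_result.txt`. Test_crash1 continues outside this hunk.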
@@ -79,6 +85,7 @@ func Test_crash1() \ 'crash 5: [OK]', \ 'crash 6: [OK]', \ 'crash 7: [OK]', + \ 'crash 8: [OK]', \ ] call assert_equal(expected, getline(1, '$')) -- cgit From b6200fbdf2035b09abfc0f94fba9c432bc0b9245 Mon Sep 17 00:00:00 2001 From: zeertzjq Date: Fri, 17 Nov 2023 09:42:10 +0800 Subject: vim-patch:9.0.1992: [security] segfault in exmode Problem: segfault in exmode when redrawing Solution: skip gui_scroll when exmode_active https://github.com/vim/vim/commit/20d161ace307e28690229b68584f2d84556f8960 Co-authored-by: Christian Brabandt --- test/old/testdir/test_crash.vim | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'test/old/testdir/test_crash.vim') diff --git a/test/old/testdir/test_crash.vim b/test/old/testdir/test_crash.vim index 5c83e3a2f5..9a80340c28 100644 --- a/test/old/testdir/test_crash.vim +++ b/test/old/testdir/test_crash.vim @@ -72,6 +72,12 @@ func Test_crash1() \ ' || echo "crash 8: [OK]" >> X_crash1_result.txt' .. "\") call TermWait(buf, 3000) + let file = 'crash/crash_scrollbar' + let args = printf(cmn_args, vim, file) + call term_sendkeys(buf, args .. + \ ' && echo "crash 9: [OK]" >> X_crash1_result.txt' .. "\") + call TermWait(buf, 1000) + " clean up exe buf .. "bw!" @@ -86,6 +92,7 @@ func Test_crash1() \ 'crash 6: [OK]', \ 'crash 7: [OK]', \ 'crash 8: [OK]', + \ 'crash 9: [OK]', \ ] call assert_equal(expected, getline(1, '$')) -- cgit From d49be1cd2893ad583361ac058279a471ad7877e5 Mon Sep 17 00:00:00 2001 From: zeertzjq Date: Fri, 17 Nov 2023 09:42:59 +0800 Subject: vim-patch:9.0.2010: [security] use-after-free from buf_contents_changed() Problem: [security] use-after-free from buf_contents_changed() Solution: block autocommands https://github.com/vim/vim/commit/41e6f7d6ba67b61d911f9b1d76325cd79224753d Co-authored-by: Christian Brabandt --- test/old/testdir/test_crash.vim | 9 +++++++++ 1 file changed, 9 insertions(+) (limited to 'test/old/testdir/test_crash.vim') 
diff --git a/test/old/testdir/test_crash.vim b/test/old/testdir/test_crash.vim index 9a80340c28..5cd07e2a3f 100644 --- a/test/old/testdir/test_crash.vim +++ b/test/old/testdir/test_crash.vim @@ -78,6 +78,14 @@ func Test_crash1() \ ' && echo "crash 9: [OK]" >> X_crash1_result.txt' .. "\") call TermWait(buf, 1000) + let file = 'crash/editing_arg_idx_POC_1' + let args = printf(cmn_args, vim, file) + call term_sendkeys(buf, args .. + \ ' || echo "crash 10: [OK]" >> X_crash1_result.txt' .. "\") + call TermWait(buf, 1000) + call delete('Xerr') + call delete('@') + " clean up exe buf .. "bw!" @@ -93,6 +101,7 @@ func Test_crash1() \ 'crash 7: [OK]', \ 'crash 8: [OK]', \ 'crash 9: [OK]', + \ 'crash 10: [OK]', \ ] call assert_equal(expected, getline(1, '$')) -- cgit From 790bd4d5858713e8503825892c7d08340d189370 Mon Sep 17 00:00:00 2001 From: zeertzjq Date: Fri, 17 Nov 2023 09:47:04 +0800 Subject: vim-patch:9.0.2106: [security]: Use-after-free in win_close() Problem: [security]: Use-after-free in win_close() Solution: Check window is valid, before accessing it If the current window structure is no longer valid (because a previous autocommand has already freed this window), fail and return before attempting to set win->w_closing variable. Add a test to trigger ASAN in CI https://github.com/vim/vim/commit/25aabc2b8ee1e19ced6f4da9d866cf9378fc4c5a Co-authored-by: Christian Brabandt --- test/old/testdir/test_crash.vim | 33 +++++++++++++++++++++++++++++++++ 1 file changed, 33 insertions(+) (limited to 'test/old/testdir/test_crash.vim') diff --git a/test/old/testdir/test_crash.vim b/test/old/testdir/test_crash.vim index 5cd07e2a3f..b093b053c5 100644 --- a/test/old/testdir/test_crash.vim +++ b/test/old/testdir/test_crash.vim 
@@ -110,6 +110,39 @@ func Test_crash1() call delete('X_crash1_result.txt') endfunc +func Test_crash1_2() + CheckNotBSD + CheckExecutable dash + + " The following used to crash Vim + let opts = #{cmd: 'sh'} + let vim = GetVimProg() + let result = 'X_crash1_1_result.txt' + + let buf = RunVimInTerminal('sh', opts) + + let file = 'crash/poc1' + let cmn_args = "%s -u NONE -i NONE -n -e -s -S %s -c ':qa!'" + let args = printf(cmn_args, vim, file) + call term_sendkeys(buf, args .. + \ ' && echo "crash 1: [OK]" > '.. result .. "\") + call TermWait(buf, 150) + + " clean up + exe buf .. "bw!" + + exe "sp " .. result + + let expected = [ + \ 'crash 1: [OK]', + \ ] + + call assert_equal(expected, getline(1, '$')) + bw! + + call delete(result) +endfunc + func Test_crash2() " The following used to crash Vim let opts = #{wait_for_ruler: 0, rows: 20} -- cgit
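Review bot: Test_crash1_2 duplicates the shell, `cmn_args` and result-file scaffolding of Test_crash1 but drops its `CheckNotMac` guard and uses a 150 ms `TermWait()` where the earlier cases needed 1000-3000 ms, so it is likely to be the next flaky case; the result file name `X_crash1_1_result.txt` also does not match the function name. Factor the per-PoC steps into one helper, e.g. `func s:RunCrashPoc(buf, vim, file, label, result)` that sends the command and waits for the result line, and call it from both functions so platform guards and timeouts live in one place. Test_crash2, whose first lines appear here as context, ends outside the hunk.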