Commit Graph

22 Commits

Author SHA1 Message Date
zeertzjq
9d7544ac4c vim-patch:9.0.2143: [security]: buffer-overflow in ex_substitute
Problem:  [security]: buffer-overflow in ex_substitute
Solution: clear memory after allocating

When allocating the new_start pointer in ex_substitute() the memory
pointer points to some garbage that the following for loop in
ex_cmds.c:4743 confuses and causes it to accessing the new_start pointer
beyond it's size, leading to a buffer-overlow.

So fix this by using alloc_clear() instead of alloc(), which will
clear the memory by NUL and therefore cause the loop to terminate
correctly.

Reported by @henices, thanks!

closes: vim/vim#13596

abfa13ebe9

Co-authored-by: Christian Brabandt <cb@256bit.org>
2023-12-02 10:41:31 +08:00
zeertzjq
9cc346119b vim-patch:9.0.2142: [security]: stack-buffer-overflow in option callback functions
Problem:  [security]: stack-buffer-overflow in option callback functions
Solution: pass size of errbuf down the call stack, use snprintf()
          instead of sprintf()

We pass the error buffer down to the option callback functions, but in
some parts of the code, we simply use sprintf(buf) to write into the error
buffer, which can overflow.

So let's pass down the length of the error buffer and use sprintf(buf, size)
instead.

Reported by @henices, thanks!

b39b240c38

Co-authored-by: Christian Brabandt <cb@256bit.org>
2023-12-02 10:41:31 +08:00
zeertzjq
01edcd6db8 vim-patch:9.0.2141: [security]: buffer-overflow in suggest_trie_walk
Problem:  [security]: buffer-overflow in suggest_trie_walk
Solution: Check n before using it as index into byts array

Basically, n as an index into the byts array, can point to beyond the byts
array. So let's double check, that n is within the expected range after
incrementing it from sp->ts_curi and bail out if it would be invalid.

Reported by @henices, thanks!

0fb375aae6

Co-authored-by: Christian Brabandt <cb@256bit.org>
2023-12-02 10:41:31 +08:00
zeertzjq
7402655132 vim-patch:9.0.2140: [security]: use-after-free in win-enter
Problem:  [security]: use-after-free in win-enter
Solution: validate window pointer before calling win_enter()

win_goto() may stop visual mode, if it is active. However, this may in
turn trigger the ModeChanged autocommand, which could potentially free
the wp pointer which was valid before now became stale and points to now
freed memory.

So before calling win_enter(), let's verify one more time, that the
wp pointer still points to a valid window structure.

Reported by @henices, thanks!

eec0c2b3a4

Co-authored-by: Christian Brabandt <cb@256bit.org>
2023-12-02 10:41:31 +08:00
zeertzjq
790bd4d585 vim-patch:9.0.2106: [security]: Use-after-free in win_close()
Problem:  [security]: Use-after-free in win_close()
Solution: Check window is valid, before accessing it

If the current window structure is no longer valid (because a previous
autocommand has already freed this window), fail and return before
attempting to set win->w_closing variable.

Add a test to trigger ASAN in CI

25aabc2b8e

Co-authored-by: Christian Brabandt <cb@256bit.org>
2023-11-17 09:59:22 +08:00
zeertzjq
d49be1cd28 vim-patch:9.0.2010: [security] use-after-free from buf_contents_changed()
Problem:  [security] use-after-free from buf_contents_changed()
Solution: block autocommands

41e6f7d6ba

Co-authored-by: Christian Brabandt <cb@256bit.org>
2023-11-17 09:59:22 +08:00
zeertzjq
b6200fbdf2 vim-patch:9.0.1992: [security] segfault in exmode
Problem:  segfault in exmode when redrawing
Solution: skip gui_scroll when exmode_active

20d161ace3

Co-authored-by: Christian Brabandt <cb@256bit.org>
2023-11-17 09:59:22 +08:00
zeertzjq
3ab0e296c6 vim-patch:9.0.1969: [security] buffer-overflow in trunc_string()
Problem:  buffer-overflow in trunc_string()
Solution: Add NULL at end of buffer

Currently trunc_string() assumes that when the string is too long,
buf[e-1] will always be writeable. But that assumption may not always be
true. The condition currently looks like this

    else if (e + 3 < buflen)
    [...]
    else
    {
	// can't fit in the "...", just truncate it
	buf[e - 1] = NUL;
    }

but this means, we may run into the last else clause with e still being
larger than buflen. So a buffer overflow occurs.

So instead of using `buf[e - 1]`, let's just always
truncate at `buf[buflen - 1]` which should always be writable.

3bd7fa12e1

vim-patch:9.0.2004: Missing test file

Problem:  Missing test file
Solution: git-add the file to the repo

closes: vim/vim#13305

d4afbdd071

Co-authored-by: Christian Brabandt <cb@256bit.org>
2023-11-17 09:59:16 +08:00
zeertzjq
5a67878e86 vim-patch:9.0.1882: Trailing white space in tests
Problem:  Trailing white space in tests
Solution: Delete it

This causes test_codestyle to fail, so we need to remove it again.
Hopefully that makes the CI green again.

Note: I will start using annotated tags from now on.

da200c2f78

Co-authored-by: Christian Brabandt <cb@256bit.org>
2023-11-17 09:54:03 +08:00
zeertzjq
7f62775d5d vim-patch:9.0.1881: Test_crash fails on Mac
Problem:  Test_crash fails on Mac
Solution: Skip test on Mac

5856b07795

Co-authored-by: Christian Brabandt <cb@256bit.org>
2023-11-17 09:54:03 +08:00
zeertzjq
b5b6e6fb49 vim-patch:9.0.1878: tests running sh have problems
Problem:  tests running sh have problems
Solution: Check that dash is installed

closes: vim/vim#13040

1690ec64ff

Co-authored-by: Philip H <47042125+pheiduck@users.noreply.github.com>
Co-authored-by: Christian Brabandt <cb@256bit.org>
2023-11-17 09:54:03 +08:00
zeertzjq
eae10de14e vim-patch:9.0.1873: [security] heap-buffer-overflow in vim_regsub_both
Problem:  heap-buffer-overflow in vim_regsub_both
Solution: Disallow exchanging windows when textlock is active

f6d28fe2c9

Cherry-pick test_crash.vim change from patch 9.0.1876.

Co-authored-by: Christian Brabandt <cb@256bit.org>
2023-11-17 09:54:03 +08:00
zeertzjq
6867d2492c vim-patch:9.0.1872: CI: test_crash() fails on CI
Problem:  CI: test_crash() fails on CI
Solution: Skip test on BSD

d2a08ba0fa

Co-authored-by: Christian Brabandt <cb@256bit.org>
2023-11-17 09:54:03 +08:00
zeertzjq
0b0df9f5d7 vim-patch:9.0.1868: test_crash still fails for circle ci
Problem:  test_crash still fails for circle ci
Solution: give even more time to complete

59adcb4c20

Co-authored-by: Christian Brabandt <cb@256bit.org>
2023-11-17 09:54:03 +08:00
zeertzjq
1274380029 vim-patch:9.0.1864: still crash with bt_quickfix1_poc
Problem:  crash with bt_quickfix1_poc when cleaning up
          and EXITFREE is defined
Solution: Test if buffer is valid in a window, else close
          window directly, don't try to access buffer properties

While at it, increase the crash timeout slightly, so that CI has a
chance to finish processing the test_crash() test.

623ba31821

Co-authored-by: Christian Brabandt <cb@256bit.org>
2023-11-17 09:54:03 +08:00
zeertzjq
2371b9303d vim-patch:9.0.1860: CI: test_crash1() is flaky
Problem:  CI: test_crash1() is flaky
Solution: Wait a bit longer

f44cbe96fa

Co-authored-by: Christian Brabandt <cb@256bit.org>
2023-11-17 09:54:03 +08:00
zeertzjq
bbb363f4bc vim-patch:partial:9.0.1859: heap-use-after-free in bt_normal()
Problem:  heap-use-after-free in bt_normal()
Solution: check that buffer is still valid

6e60cf444a

Test change only.

Co-authored-by: Christian Brabandt <cb@256bit.org>
2023-11-17 09:54:03 +08:00
zeertzjq
8dc72789cf vim-patch:9.0.1858: [security] heap use after free in ins_compl_get_exp()
Problem:  heap use after free in ins_compl_get_exp()
Solution: validate buffer before accessing it

ee9166eb3b

Co-authored-by: Christian Brabandt <cb@256bit.org>
2023-11-17 09:54:03 +08:00
zeertzjq
a589156b4d vim-patch:9.0.1857: [security] heap-use-after-free in is_qf_win()
Problem:  heap-use-after-free in is_qf_win()
Solution: Check buffer is valid before accessing it

fc68299d43

Co-authored-by: Christian Brabandt <cb@256bit.org>
2023-11-17 09:54:03 +08:00
zeertzjq
748198f5bf vim-patch:9.0.1854: test_crash1() fails on CI
Problem:  test_crash1() fails on CI
Solution: don't run Screendump test, verify that it doesn't crash
          by running it through a shell command line, testing
          the exit value and concatenating success cmd using '&&'

db510ca805

Co-authored-by: Christian Brabandt <cb@256bit.org>
2023-11-17 09:54:03 +08:00
zeertzjq
bebdf1dab3
vim-patch:9.0.1848: [security] buffer-overflow in vim_regsub_both() (#25001)
Problem:  buffer-overflow in vim_regsub_both()
Solution: Check remaining space

ced2c7394a

The change to do_sub() looks confusing. Maybe it's an overflow check?
Then the crash may not be applicable to Nvim because of different casts.
The test also looks confusing. It seems to source itself recursively.
Also don't call strlen() twice on evaluation result.

N/A patches for version.c:
vim-patch:9.0.1849: CI error on different signedness in ex_cmds.c
vim-patch:9.0.1853: CI error on different signedness in regexp.c

Co-authored-by: Christian Brabandt <cb@256bit.org>
2023-09-03 13:47:55 +08:00
zeertzjq
087ef52997
vim-patch:9.0.1840: [security] use-after-free in do_ecmd (#24993)
Problem:  use-after-free in do_ecmd
Solution: Verify oldwin pointer after reset_VIsual()

e1dc9a6275

N/A patches for version.c:
vim-patch:9.0.1841: style: trailing whitespace in ex_cmds.c

Co-authored-by: Christian Brabandt <cb@256bit.org>
2023-09-03 11:15:43 +08:00