Problem: [security]: use-after-free in ex_substitute
Solution: always allocate memory
closes: vim/vim#13552
A recursive :substitute command could cause a heap-use-after free in Vim
(CVE-2023-48706).
The whole reproducible test is a bit tricky, I can only reproduce this
reliably when no previous substitution command has been used yet
(which is the reason, the test needs to run as first one in the
test_substitute.vim file) and as a combination of the `:~` command
together with a :s command that contains the special substitution atom `~\=`
which will make use of a sub-replace special atom and calls a vim script
function.
There was a comment in the existing :s code, that already makes the
`sub` variable allocate memory so that a recursive :s call won't be able
to cause any issues here, so this was known as a potential problem
already. But for the current test-case that one does not work, because
the substitution does not start with `\=` but with `~\=` (and since
there does not yet exist a previous substitution atom, Vim will simply
increment the `sub` pointer (which then was not allocated dynamically)
and later one happily use a sub-replace special expression (which could
then free the `sub` var).
The following commit fixes this, by making the sub var always using
allocated memory, which also means we need to free the pointer whenever
we leave the function. Since sub is now always an allocated variable,
we also do no longer need the sub_copy variable anymore, since this one
was used to indicated when sub pointed to allocated memory (and had
therefore to be freed on exit) and when not.
Github Security Advisory:
https://github.com/vim/vim/security/advisories/GHSA-c8qm-x72m-q53q26c11c5688
Co-authored-by: Christian Brabandt <cb@256bit.org>
Problem: [security]: overflow with count for :s command
Solution: Abort the :s command if the count is too large
If the count after the :s command is larger than what fits into a
(signed) long variable, abort with e_value_too_large.
Adds a test with INT_MAX as count and verify it correctly fails.
It seems the return value on Windows using mingw compiler wraps around,
so the initial test using :s/./b/9999999999999999999999999990 doesn't
fail there, since the count is wrapping around several times and finally
is no longer larger than 2147483647. So let's just use 2147483647 in the
test, which hopefully will always cause a failure
ac63787734
Co-authored-by: Christian Brabandt <cb@256bit.org>
Problem: Test for expanding "~" in substitute takes too long.
Solution: Disable the test for now.
916d6dd5b1
Co-authored-by: Bram Moolenaar <Bram@vim.org>
Problem: Crash when expanding "~" in substitute causes very long text.
Solution: Limit the text length to MAXCOL.
ab9a2d884b
Co-authored-by: Bram Moolenaar <Bram@vim.org>
Problem: Various Typos
Solution: Fix Typos
This is a collection of typo related commits.
closes: vim/vim#12753closes: vim/vim#13016ee17b6f70d
Co-authored-by: Christian Brabandt <cb@256bit.org>
Co-authored-by: Adri Verhoef <a3@a3.xs4all.nl>
Co-authored-by: Viktor Szépe <viktor@szepe.net>
Co-authored-by: nuid64 <lvkuzvesov@proton.me>
Co-authored-by: Meng Xiangzhuo <aumo@foxmail.com>
Co-authored-by: Dominique Pellé <dominique.pelle@gmail.com>
Problem: missing test for patch 9.0.1873
Solution: add a test trying to exchange windows
Add a test, making sure that switching windows is not allowed when
textlock is active, e.g. when running `:s/<pat>/\=func()/`
18d2709aa1
Co-authored-by: Christian Brabandt <cb@256bit.org>
Problem: Substitute() accepts a number but not a float expression.
Solution: Also accept a float. (closesvim/vim#8331)
7a2217bedd
Vim9script is N/A. No need to port the strict argument and
tv_get_string_buf_chk_strict(), as it's only used for Vim9script.
Like the patch, use vim_snprintf over snprintf, as the "%g" specifier in
snprintf removes the ".0" from integer floats.
This means similiar to numbers, floats are (mostly) convertable to
strings.
Co-authored-by: Bram Moolenaar <Bram@vim.org>
Problem: Invalid memory access with recursive substitute expression.
Solution: Check the return value of vim_regsub().
3ac1d97a1d
Co-authored-by: Bram Moolenaar <Bram@vim.org>
Problem: Invalid memory access in substitute with function that goes to
another file.
Solution: Check for text locked in CTRL-W gf.
cc762a48d4
Co-authored-by: Bram Moolenaar <Bram@vim.org>