Commit Graph

12 Commits

Author SHA1 Message Date
zeertzjq
8d8136bfcf vim-patch:9.0.2121: [security]: use-after-free in ex_substitute
Problem:  [security]: use-after-free in ex_substitute
Solution: always allocate memory

closes: vim/vim#13552

A recursive :substitute command could cause a heap-use-after free in Vim
(CVE-2023-48706).

The whole reproducible test is a bit tricky, I can only reproduce this
reliably when no previous substitution command has been used yet
(which is the reason the test needs to run as the first one in the
test_substitute.vim file) and as a combination of the `:~` command
together with a :s command that contains the special substitution atom `~\=`
which will make use of a sub-replace special atom and calls a vim script
function.

There was a comment in the existing :s code, that already makes the
`sub` variable allocate memory so that a recursive :s call won't be able
to cause any issues here, so this was known as a potential problem
already.  But for the current test-case that one does not work, because
the substitution does not start with `\=` but with `~\=` (and since
there does not yet exist a previous substitution atom, Vim will simply
increment the `sub` pointer (which then was not allocated dynamically)
and later on happily use a sub-replace special expression (which could
then free the `sub` var)).

The following commit fixes this, by making the sub var always use
allocated memory, which also means we need to free the pointer whenever
we leave the function. Since sub is now always an allocated variable,
we also no longer need the sub_copy variable, since this one
was used to indicate when sub pointed to allocated memory (and had
therefore to be freed on exit) and when not.

Github Security Advisory:
https://github.com/vim/vim/security/advisories/GHSA-c8qm-x72m-q53q

26c11c5688

Co-authored-by: Christian Brabandt <cb@256bit.org>
2023-11-23 16:17:37 +08:00
zeertzjq
a4c111ae69 vim-patch:9.0.2108: [security]: overflow with count for :s command
Problem:  [security]: overflow with count for :s command
Solution: Abort the :s command if the count is too large

If the count after the :s command is larger than what fits into a
(signed) long variable, abort with e_value_too_large.

Adds a test with INT_MAX as count and verifies it correctly fails.

It seems the return value on Windows using mingw compiler wraps around,
so the initial test using :s/./b/9999999999999999999999999990 doesn't
fail there, since the count is wrapping around several times and finally
is no longer larger than 2147483647. So let's just use 2147483647 in the
test, which hopefully will always cause a failure.

ac63787734

Co-authored-by: Christian Brabandt <cb@256bit.org>
2023-11-17 07:06:52 +08:00
zeertzjq
354b57b01f vim-patch:9.0.1535: test commented out in a wrong way
Problem:    Test commented out in a wrong way.
Solution:   Use legacy script comment character.

a4467c433a

Co-authored-by: Bram Moolenaar <Bram@vim.org>
2023-11-17 07:06:52 +08:00
zeertzjq
f6658a1e78 vim-patch:9.0.1534: test for expanding "~" in substitute takes too long
Problem:    Test for expanding "~" in substitute takes too long.
Solution:   Disable the test for now.

916d6dd5b1

Co-authored-by: Bram Moolenaar <Bram@vim.org>
2023-11-17 07:06:52 +08:00
zeertzjq
d2f2e2725c vim-patch:9.0.1532: crash when expanding "~" in substitute causes very long text
Problem:    Crash when expanding "~" in substitute causes very long text.
Solution:   Limit the text length to MAXCOL.

ab9a2d884b

Co-authored-by: Bram Moolenaar <Bram@vim.org>
2023-11-17 07:06:52 +08:00
zeertzjq
b9d9cd7742 vim-patch:partial:9.0.1886: Various Typos
Problem:  Various Typos
Solution: Fix Typos

This is a collection of typo related commits.

closes: vim/vim#12753
closes: vim/vim#13016

ee17b6f70d

Co-authored-by: Christian Brabandt <cb@256bit.org>
Co-authored-by: Adri Verhoef <a3@a3.xs4all.nl>
Co-authored-by: Viktor Szépe <viktor@szepe.net>
Co-authored-by: nuid64 <lvkuzvesov@proton.me>
Co-authored-by: Meng Xiangzhuo <aumo@foxmail.com>
Co-authored-by: Dominique Pellé <dominique.pelle@gmail.com>
2023-09-09 17:58:32 +08:00
zeertzjq
bc09fc04b8 vim-patch:9.0.1877: missing test for patch 9.0.1873
Problem:  missing test for patch 9.0.1873
Solution: add a test trying to exchange windows

Add a test, making sure that switching windows is not allowed when
textlock is active, e.g. when running `:s/<pat>/\=func()/`

18d2709aa1

Co-authored-by: Christian Brabandt <cb@256bit.org>
2023-09-09 17:53:01 +08:00
Sean Dewar
7f8c1e53a6 vim-patch:8.2.2948: substitute() accepts a number but not a float expression
Problem:    Substitute() accepts a number but not a float expression.
Solution:   Also accept a float. (closes vim/vim#8331)

7a2217bedd

Vim9script is N/A. No need to port the strict argument and
tv_get_string_buf_chk_strict(), as it's only used for Vim9script.

Like the patch, use vim_snprintf over snprintf, as the "%g" specifier in
snprintf removes the ".0" from integer floats.

This means, similar to numbers, floats are (mostly) convertible to
strings.

Co-authored-by: Bram Moolenaar <Bram@vim.org>
2023-06-12 13:27:07 +08:00
zeertzjq
3c4890d1ef test(old): reorder test_substitute.vim to match upstream (#23994)
2023-06-12 11:44:01 +08:00
zeertzjq
227f06b7df vim-patch:9.0.1145: invalid memory access with recursive substitute expression (#23132)
Problem:    Invalid memory access with recursive substitute expression.
Solution:   Check the return value of vim_regsub().

3ac1d97a1d

Co-authored-by: Bram Moolenaar <Bram@vim.org>
2023-04-16 18:43:15 +08:00
zeertzjq
b28683d252 vim-patch:9.0.0947: invalid memory access in substitute with function (#23126)
Problem:    Invalid memory access in substitute with function that goes to
            another file.
Solution:   Check for text locked in CTRL-W gf.

cc762a48d4

Co-authored-by: Bram Moolenaar <Bram@vim.org>
2023-04-16 17:44:14 +08:00
dundargoc
af23d17388 test: move oldtests to test directory (#22536)
The new oldtest directory is in test/old/testdir. The reason for this is
that many tests have hardcoded the parent directory name to be
'testdir'.
2023-03-07 11:13:04 +08:00