Commit Graph

607 Commits

Author SHA1 Message Date
zeertzjq
8d8136bfcf vim-patch:9.0.2121: [security]: use-after-free in ex_substitute
Problem:  [security]: use-after-free in ex_substitute
Solution: always allocate memory

closes: vim/vim#13552

A recursive :substitute command could cause a heap-use-after free in Vim
(CVE-2023-48706).

The whole reproducible test is a bit tricky, I can only reproduce this
reliably when no previous substitution command has been used yet
(which is the reason, the test needs to run as first one in the
test_substitute.vim file) and as a combination of the `:~` command
together with a :s command that contains the special substitution atom `~\=`
which will make use of a sub-replace special atom and calls a vim script
function.

There was a comment in the existing :s code, that already makes the
`sub` variable allocate memory so that a recursive :s call won't be able
to cause any issues here, so this was known as a potential problem
already.  But for the current test-case that one does not work, because
the substitution does not start with `\=` but with `~\=` (and since
there does not yet exist a previous substitution atom, Vim will simply
increment the `sub` pointer (which then was not allocated dynamically)
and later one happily use a sub-replace special expression (which could
then free the `sub` var).

The following commit fixes this, by making the sub var always using
allocated memory, which also means we need to free the pointer whenever
we leave the function. Since sub is now always an allocated variable,
we also do no longer need the sub_copy variable anymore, since this one
was used to indicated when sub pointed to allocated memory (and had
therefore to be freed on exit) and when not.

Github Security Advisory:
https://github.com/vim/vim/security/advisories/GHSA-c8qm-x72m-q53q

26c11c5688

Co-authored-by: Christian Brabandt <cb@256bit.org>
2023-11-23 16:17:37 +08:00
luukvbaal
d667e0e414
vim-patch:9.0.2116: No test for defining sign without attribute (#26115)
Problem:  No test for defining sign without attribute
Solution: Add test for defining sign without attributes

closes: vim/vim#13544

e670d17342
2023-11-20 10:25:14 +08:00
bfredl
df87266b23
Merge pull request #25724 from luukvbaal/signmerge
refactor(sign): move legacy signs to extmarks
2023-11-18 15:04:14 +01:00
Luuk van Baal
c4afb9788c refactor(sign): move legacy signs to extmarks
Problem:  The legacy signlist data structures and associated functions are
          redundant since the introduction of extmark signs.
Solution: Store signs defined through the legacy commands in a hashmap, placed
          signs in the extmark tree. Replace signlist associated functions.

Usage of the legacy sign commands should yield no change in behavior with the
exception of:
  - "orphaned signs" are now always removed when the line it is placed on is
    deleted. This used to depend on the value of 'signcolumn'.
  - It is no longer possible to place multiple signs with the same identifier
    in a single group on multiple lines. This will now move the sign instead.

Moreover, both signs placed through the legacy sign commands and through
|nvim_buf_set_extmark()|:
  - Will show up in both |sign-place| and |nvim_buf_get_extmarks()|.
  - Are displayed by increasing sign identifier, left to right.
    Extmark signs used to be ordered decreasingly as opposed to legacy signs.
2023-11-17 15:10:15 +01:00
zeertzjq
790bd4d585 vim-patch:9.0.2106: [security]: Use-after-free in win_close()
Problem:  [security]: Use-after-free in win_close()
Solution: Check window is valid, before accessing it

If the current window structure is no longer valid (because a previous
autocommand has already freed this window), fail and return before
attempting to set win->w_closing variable.

Add a test to trigger ASAN in CI

25aabc2b8e

Co-authored-by: Christian Brabandt <cb@256bit.org>
2023-11-17 09:59:22 +08:00
zeertzjq
d49be1cd28 vim-patch:9.0.2010: [security] use-after-free from buf_contents_changed()
Problem:  [security] use-after-free from buf_contents_changed()
Solution: block autocommands

41e6f7d6ba

Co-authored-by: Christian Brabandt <cb@256bit.org>
2023-11-17 09:59:22 +08:00
zeertzjq
b6200fbdf2 vim-patch:9.0.1992: [security] segfault in exmode
Problem:  segfault in exmode when redrawing
Solution: skip gui_scroll when exmode_active

20d161ace3

Co-authored-by: Christian Brabandt <cb@256bit.org>
2023-11-17 09:59:22 +08:00
zeertzjq
3ab0e296c6 vim-patch:9.0.1969: [security] buffer-overflow in trunc_string()
Problem:  buffer-overflow in trunc_string()
Solution: Add NULL at end of buffer

Currently trunc_string() assumes that when the string is too long,
buf[e-1] will always be writeable. But that assumption may not always be
true. The condition currently looks like this

    else if (e + 3 < buflen)
    [...]
    else
    {
	// can't fit in the "...", just truncate it
	buf[e - 1] = NUL;
    }

but this means, we may run into the last else clause with e still being
larger than buflen. So a buffer overflow occurs.

So instead of using `buf[e - 1]`, let's just always
truncate at `buf[buflen - 1]` which should always be writable.

3bd7fa12e1

vim-patch:9.0.2004: Missing test file

Problem:  Missing test file
Solution: git-add the file to the repo

closes: vim/vim#13305

d4afbdd071

Co-authored-by: Christian Brabandt <cb@256bit.org>
2023-11-17 09:59:16 +08:00
zeertzjq
5a67878e86 vim-patch:9.0.1882: Trailing white space in tests
Problem:  Trailing white space in tests
Solution: Delete it

This causes test_codestyle to fail, so we need to remove it again.
Hopefully that makes the CI green again.

Note: I will start using annotated tags from now on.

da200c2f78

Co-authored-by: Christian Brabandt <cb@256bit.org>
2023-11-17 09:54:03 +08:00
zeertzjq
7f62775d5d vim-patch:9.0.1881: Test_crash fails on Mac
Problem:  Test_crash fails on Mac
Solution: Skip test on Mac

5856b07795

Co-authored-by: Christian Brabandt <cb@256bit.org>
2023-11-17 09:54:03 +08:00
zeertzjq
b5b6e6fb49 vim-patch:9.0.1878: tests running sh have problems
Problem:  tests running sh have problems
Solution: Check that dash is installed

closes: vim/vim#13040

1690ec64ff

Co-authored-by: Philip H <47042125+pheiduck@users.noreply.github.com>
Co-authored-by: Christian Brabandt <cb@256bit.org>
2023-11-17 09:54:03 +08:00
zeertzjq
eae10de14e vim-patch:9.0.1873: [security] heap-buffer-overflow in vim_regsub_both
Problem:  heap-buffer-overflow in vim_regsub_both
Solution: Disallow exchanging windows when textlock is active

f6d28fe2c9

Cherry-pick test_crash.vim change from patch 9.0.1876.

Co-authored-by: Christian Brabandt <cb@256bit.org>
2023-11-17 09:54:03 +08:00
zeertzjq
6867d2492c vim-patch:9.0.1872: CI: test_crash() fails on CI
Problem:  CI: test_crash() fails on CI
Solution: Skip test on BSD

d2a08ba0fa

Co-authored-by: Christian Brabandt <cb@256bit.org>
2023-11-17 09:54:03 +08:00
zeertzjq
0b0df9f5d7 vim-patch:9.0.1868: test_crash still fails for circle ci
Problem:  test_crash still fails for circle ci
Solution: give even more time to complete

59adcb4c20

Co-authored-by: Christian Brabandt <cb@256bit.org>
2023-11-17 09:54:03 +08:00
zeertzjq
1274380029 vim-patch:9.0.1864: still crash with bt_quickfix1_poc
Problem:  crash with bt_quickfix1_poc when cleaning up
          and EXITFREE is defined
Solution: Test if buffer is valid in a window, else close
          window directly, don't try to access buffer properties

While at it, increase the crash timeout slightly, so that CI has a
chance to finish processing the test_crash() test.

623ba31821

Co-authored-by: Christian Brabandt <cb@256bit.org>
2023-11-17 09:54:03 +08:00
zeertzjq
2371b9303d vim-patch:9.0.1860: CI: test_crash1() is flaky
Problem:  CI: test_crash1() is flaky
Solution: Wait a bit longer

f44cbe96fa

Co-authored-by: Christian Brabandt <cb@256bit.org>
2023-11-17 09:54:03 +08:00
zeertzjq
bbb363f4bc vim-patch:partial:9.0.1859: heap-use-after-free in bt_normal()
Problem:  heap-use-after-free in bt_normal()
Solution: check that buffer is still valid

6e60cf444a

Test change only.

Co-authored-by: Christian Brabandt <cb@256bit.org>
2023-11-17 09:54:03 +08:00
zeertzjq
8dc72789cf vim-patch:9.0.1858: [security] heap use after free in ins_compl_get_exp()
Problem:  heap use after free in ins_compl_get_exp()
Solution: validate buffer before accessing it

ee9166eb3b

Co-authored-by: Christian Brabandt <cb@256bit.org>
2023-11-17 09:54:03 +08:00
zeertzjq
a589156b4d vim-patch:9.0.1857: [security] heap-use-after-free in is_qf_win()
Problem:  heap-use-after-free in is_qf_win()
Solution: Check buffer is valid before accessing it

fc68299d43

Co-authored-by: Christian Brabandt <cb@256bit.org>
2023-11-17 09:54:03 +08:00
zeertzjq
748198f5bf vim-patch:9.0.1854: test_crash1() fails on CI
Problem:  test_crash1() fails on CI
Solution: don't run Screendump test, verify that it doesn't crash
          by running it through a shell command line, testing
          the exit value and concatenating success cmd using '&&'

db510ca805

Co-authored-by: Christian Brabandt <cb@256bit.org>
2023-11-17 09:54:03 +08:00
zeertzjq
6952b1951b
vim-patch:9.0.2107: [security]: FPE in adjust_plines_for_skipcol (#26082)
Problem:  [security]: FPE in adjust_plines_for_skipcol
Solution: don't divide by zero, return zero

Prevent a floating point exception when calculating w_skipcol (which can
happen with a small window when the number option is set and cpo+=n).

Add a test to verify

cb0b99f067

Co-authored-by: Christian Brabandt <cb@256bit.org>
2023-11-17 08:40:02 +08:00
zeertzjq
9d39ad6318 vim-patch:9.0.2111: [security]: overflow in get_number
Problem:  [security]: overflow in get_number
Solution: Return 0 when the count gets too large

[security]: overflow in get_number

When using the z= command, we may overflow the count with values larger
than MAX_INT. So verify that we do not overflow and in case when an
overflow is detected, simply return 0

73b2d3790c

Co-authored-by: Christian Brabandt <cb@256bit.org>
2023-11-17 07:19:14 +08:00
zeertzjq
809b05bf27 vim-patch:9.0.2110: [security]: overflow in ex address parsing
Problem:  [security]: overflow in ex address parsing
Solution: Verify that lnum is positive, before substracting from
          LONG_MAX

[security]: overflow in ex address parsing

When parsing relative ex addresses one may unintentionally cause an
overflow (because LONG_MAX - lnum will overflow for negative addresses).

So verify that lnum is actually positive before doing the overflow
check.

060623e4a3

Co-authored-by: Christian Brabandt <cb@256bit.org>
2023-11-17 07:16:04 +08:00
zeertzjq
016c6fae27 vim-patch:9.0.2109: [security]: overflow in nv_z_get_count
Problem:  [security]: overflow in nv_z_get_count
Solution: break out, if count is too large

When getting the count for a normal z command, it may overflow for large
counts given. So verify, that we can safely store the result in a long.

58f9befca1

Co-authored-by: Christian Brabandt <cb@256bit.org>
2023-11-17 07:13:49 +08:00
zeertzjq
a4c111ae69 vim-patch:9.0.2108: [security]: overflow with count for :s command
Problem:  [security]: overflow with count for :s command
Solution: Abort the :s command if the count is too large

If the count after the :s command is larger than what fits into a
(signed) long variable, abort with e_value_too_large.

Adds a test with INT_MAX as count and verify it correctly fails.

It seems the return value on Windows using mingw compiler wraps around,
so the initial test using :s/./b/9999999999999999999999999990 doesn't
fail there, since the count is wrapping around several times and finally
is no longer larger than 2147483647. So let's just use 2147483647 in the
test, which hopefully will always cause a failure

ac63787734

Co-authored-by: Christian Brabandt <cb@256bit.org>
2023-11-17 07:06:52 +08:00
zeertzjq
354b57b01f vim-patch:9.0.1535: test commented out in a wrong way
Problem:    Test commented out in a wrong way.
Solution:   Use legacy script comment character.

a4467c433a

Co-authored-by: Bram Moolenaar <Bram@vim.org>
2023-11-17 07:06:52 +08:00
zeertzjq
f6658a1e78 vim-patch:9.0.1534: test for expanding "~" in substitute takes too long
Problem:    Test for expanding "~" in substitute takes too long.
Solution:   Disable the test for now.

916d6dd5b1

Co-authored-by: Bram Moolenaar <Bram@vim.org>
2023-11-17 07:06:52 +08:00
zeertzjq
d2f2e2725c vim-patch:9.0.1532: crash when expanding "~" in substitute causes very long text
Problem:    Crash when expanding "~" in substitute causes very long text.
Solution:   Limit the text length to MAXCOL.

ab9a2d884b

Co-authored-by: Bram Moolenaar <Bram@vim.org>
2023-11-17 07:06:52 +08:00
luukvbaal
f4d95c05b9
vim-patch:9.0.2105: skipcol not reset when topline changed (#26042)
Problem:  Skipcol is not reset when topline changed scrolling cursor to top
Solution: reset skipcol

closes: vim/vim#13528

bb800a7907
2023-11-15 06:28:56 +08:00
Christian Clason
9e2248ab58 vim-patch:9.0.2104: wast filetype should be replaced by wat filetype
Problem:  wast filetype should be replaced by wat filetype
Solution: start using the official wat filetype name

runtime: rename `wast` filetype to `wat` (Wasm text format)

The problem is the name of the current filetype wast. When the plugin
was initially created, the file extension for Wasm text format was not
fixed and .wast was more popular.

However, recently .wat became the official file extension for
WebAssembly text (WAT) format and .wast is now a file extension for the
unofficial WAST format, which is a superset of .wat for the convenience
to describe the Wasm specification conformance tests.

https://webassembly.js.org/docs/contrib-wat-vs-wast.html

However for now, let's keep using the `wat` filetype even for the .wast
extension, so that we at least do not lose the filetype settings and
syntax highlighting. This can be adjusted later, if it turns out to have
a separate need for.

closes: vim/vim#13533

bc8f79d36a

Co-authored-by: rhysd <lin90162@yahoo.co.jp>
2023-11-14 21:51:28 +01:00
zeertzjq
91872d7712
vim-patch:8.1.0970: text properties test fails when 'encoding' is not utf-8 (#26023)
Problem:    Text properties test fails when 'encoding' is not utf-8.
Solution:   Compare with original value of 'encoding'. (Christian Brabandt,
            closes vim/vim#3986)

ed79d1e348

Co-authored-by: Bram Moolenaar <Bram@vim.org>
2023-11-13 15:01:40 +08:00
zeertzjq
c23c44f845 vim-patch:8.2.4850: mksession mixes up "tabpages" and "curdir" arguments
Problem:    Mksession mixes up "tabpages" and "curdir" arguments.
Solution:   Correct logic for storing tabpage in session. (closes vim/vim#10312)

d7c9564d8d

Co-authored-by: LemonBoy <thatlemon@gmail.com>
2023-11-13 13:58:32 +08:00
zeertzjq
3d9593523d vim-patch:8.2.2112: running tests may leave some files behind
Problem:    Running tests may leave some files behind.
Solution:   Delete the right files.  Fix a few typos. (Dominique Pellé,
            closes vim/vim#7436

ac665c24c9

Co-authored-by: Bram Moolenaar <Bram@vim.org>
2023-11-13 13:50:43 +08:00
zeertzjq
0ff3187fb8 vim-patch:8.1.2373: cannot build with +popupwin but without +quickfix
Problem:    Cannot build with +popupwin but without +quickfix. (John Marriott)
Solution:   Adjust #ifdefs.

5a4c3082d7

Co-authored-by: Bram Moolenaar <Bram@vim.org>
2023-11-13 13:50:43 +08:00
zeertzjq
30d09d8258 vim-patch:8.1.2276: MS-Windows: session test leaves files behind
Problem:    MS-Windows: session test leaves files behind.
Solution:   Wipe out buffers before deleting the directory. (closes vim/vim#5187)

5bf46e9786

Co-authored-by: Bram Moolenaar <Bram@vim.org>
2023-11-13 13:50:43 +08:00
zeertzjq
bcac7674f7 vim-patch:8.1.1581: shared functions for testing are disorganised
Problem:    Shared functions for testing are disorganised.
Solution:   Group finctions in script files. (Ozaki Kiichi, closes vim/vim#4573)

7a39dd7f00

Co-authored-by: Bram Moolenaar <Bram@vim.org>
2023-11-13 13:50:43 +08:00
zeertzjq
538749410b vim-patch:partial:8.1.1218: cannot set a directory for a tab page
Problem:    Cannot set a directory for a tab page.
Solution:   Add the tab-local directory. (Yegappan Lakshmanan, closes vim/vim#4212)

00aa069db8

Session-related changes only.

Co-authored-by: Bram Moolenaar <Bram@vim.org>
2023-11-13 13:29:57 +08:00
zeertzjq
36ce30be20 vim-patch:8.1.0870: Vim doesn't use the new ConPTY support in Windows 10
Problem:    Vim doesn't use the new ConPTY support in Windows 10.
Solution:   Use ConPTY support, if available. (Nobuhiro Takasaki, closes vim/vim#3794)

aa5df7e312

Co-authored-by: Bram Moolenaar <Bram@vim.org>
2023-11-13 13:24:51 +08:00
zeertzjq
4872e2da3c vim-patch:partial:8.0.1592: terminal windows in a session are not properly restored
Problem:    Terminal windows in a session are not properly restored.
Solution:   Add "terminal" in 'sessionoptions'.  When possible restore the
            command running in a terminal.

4d8bac8bf5

Tests only. Nvim has no equivalent to "norestore" yet.

Co-authored-by: Bram Moolenaar <Bram@vim.org>
2023-11-13 13:22:54 +08:00
zeertzjq
748eae6bb5
test(old): reorder test_mksession.vim to match upstream (#26021) 2023-11-13 12:34:49 +08:00
zeertzjq
2a58aa5709
vim-patch:9.0.2102: matchparen highlight not cleared in completion mode (#26019)
Problem:  matchparen highlight not cleared in completion mode
Solution: Clear matchparen highlighting in completion mode

Remove hard-coded hack in insexpand.c to clear the :3match before
displaying the completion menu.

Add a test for matchparen highlighting. While at it, move all test tests
related to the matchparen plugin into a separate test file.

closes: vim/vim#13493
closes: vim/vim#13524

9588666360

Co-authored-by: Christian Brabandt <cb@256bit.org>
2023-11-13 10:47:12 +08:00
zeertzjq
629f117945 vim-patch:9.0.0525: manually deleting temp test files
Problem:    Manually deleting temp test files.
Solution:   Add the 'D' flag to writefile().

5917341f65

Co-authored-by: Bram Moolenaar <Bram@vim.org>
2023-11-13 09:34:39 +08:00
zeertzjq
b9cffe40fa vim-patch:9.0.0336: tests are flaky because of using a common file name
Problem:    Tests are flaky because of using a common file name.
Solution:   Rename files and directories to be more unique.

61abe7d8f8

Cherry-pick Test_custom_complete_autoload() from patch 8.2.4584.
Cherry-pick test_delete.vim & test_edit.vim changes from patch 9.0.0323.
Cherry-pick test_edit.vim changes from patch 8.2.3637.

Co-authored-by: Bram Moolenaar <Bram@vim.org>
2023-11-13 09:26:59 +08:00
zeertzjq
5c69f8569a vim-patch:9.0.0137: debugger test may fail when $CWD is very long
Problem:    Debugger test may fail when $CWD is very long.
Solution:   Skip the test if the directory name is too long. (James McCoy,
            closes vim/vim#10837)

db7a88db8b

Co-authored-by: James McCoy <jamessan@jamessan.com>
2023-11-13 08:58:48 +08:00
zeertzjq
1fd0ded080
vim-patch:8.2.4809: various things no6 properly tested (#26017)
Problem:    Various things no6 properly tested.
Solution:   Add various test cases. (Yegappan Lakshmanan, closes vim/vim#10259)

885de449c0

Co-authored-by: Yegappan Lakshmanan <yegappan@yahoo.com>
2023-11-13 08:55:25 +08:00
zeertzjq
d064f55704 vim-patch:8.2.4541: Crash in debugger when a variable is not available
Problem:    Crash in debugger when a variable is not available in the current
            block.
Solution:   Check for a NULL name. (closes vim/vim#9926)

e406ff87c8

Co-authored-by: Bram Moolenaar <Bram@vim.org>
2023-11-13 07:00:56 +08:00
zeertzjq
c5d4d1cc0d vim-patch:8.2.4020: debugger test fails
Problem:    Debugger test fails.
Solution:   Fix import statement.

84c62d59a3

Co-authored-by: Bram Moolenaar <Bram@vim.org>
2023-11-13 06:59:40 +08:00
zeertzjq
2503de4c92 vim-patch:8.2.3984: debugger test fails
Problem:    Debugger test fails.
Solution:   Adjust the test for modified debugging of a for loop.

3d0da09bb2

Co-authored-by: Bram Moolenaar <Bram@vim.org>
2023-11-13 06:59:10 +08:00
zeertzjq
331d213c0b vim-patch:8.2.3395: Vim9: expression breakpoint not checked in :def function
Problem:    Vim9: expression breakpoint not checked in :def function.
Solution:   Always compile a function for debugging if there is an expression
            breakpoint. (closes vim/vim#8803)

26a4484da2

Co-authored-by: Bram Moolenaar <Bram@vim.org>
2023-11-13 06:55:58 +08:00
zeertzjq
49d126e005 vim-patch:8.2.3138: debugger test fails
Problem:    Debugger test fails.
Solution:   Adjust eval command.

31e21766d6

Co-authored-by: Bram Moolenaar <Bram@vim.org>
2023-11-13 06:49:57 +08:00