mirror of
https://github.com/neovim/neovim.git
synced 2024-12-26 14:11:15 -07:00
bebdf1dab3
Problem: buffer-overflow in vim_regsub_both()
Solution: Check remaining space
ced2c7394a
The change to do_sub() looks confusing. Maybe it's an overflow check?
Then the crash may not be applicable to Nvim because of different casts.
The test also looks confusing. It seems to source itself recursively.
Also don't call strlen() twice on evaluation result.
N/A patches for version.c:
vim-patch:9.0.1849: CI error on different signedness in ex_cmds.c
vim-patch:9.0.1853: CI error on different signedness in regexp.c
Co-authored-by: Christian Brabandt <cb@256bit.org>
35 lines
973 B
VimL
35 lines
973 B
VimL
" Some tests, that used to crash Vim
|
|
source check.vim
|
|
source screendump.vim
|
|
|
|
CheckScreendump
|
|
|
|
func Test_crash1()
|
|
" The following used to crash Vim
|
|
let opts = #{wait_for_ruler: 0, rows: 20}
|
|
let args = ' -u NONE -i NONE -n -e -s -S '
|
|
let buf = RunVimInTerminal(args .. ' crash/poc_huaf1', opts)
|
|
call VerifyScreenDump(buf, 'Test_crash_01', {})
|
|
exe buf .. "bw!"
|
|
|
|
let buf = RunVimInTerminal(args .. ' crash/poc_huaf2', opts)
|
|
call VerifyScreenDump(buf, 'Test_crash_01', {})
|
|
exe buf .. "bw!"
|
|
|
|
let buf = RunVimInTerminal(args .. ' crash/poc_huaf3', opts)
|
|
call VerifyScreenDump(buf, 'Test_crash_01', {})
|
|
exe buf .. "bw!"
|
|
|
|
endfunc
|
|
|
|
func Test_crash2()
|
|
" The following used to crash Vim
|
|
let opts = #{wait_for_ruler: 0, rows: 20}
|
|
let args = ' -u NONE -i NONE -n -e -s -S '
|
|
let buf = RunVimInTerminal(args .. ' crash/vim_regsub_both', opts)
|
|
call VerifyScreenDump(buf, 'Test_crash_01', {})
|
|
exe buf .. "bw!"
|
|
endfunc
|
|
|
|
" vim: shiftwidth=2 sts=2 expandtab
|