46 lines
1.4 KiB
Diff
46 lines
1.4 KiB
Diff
From 322ba9108612bead5eb7731ccb66763dec69ef1b Mon Sep 17 00:00:00 2001
|
|
From: Christian Brabandt <cb@256bit.org>
|
|
Date: Sun, 25 Aug 2024 21:33:03 +0200
|
|
Subject: [PATCH] patch 9.1.0697: [security]: heap-buffer-overflow in
|
|
ins_typebuf
|
|
|
|
Problem: heap-buffer-overflow in ins_typebuf
|
|
(SuyueGuo)
|
|
Solution: When flushing the typeahead buffer, validate that there
|
|
is enough space left
|
|
|
|
Github Advisory:
|
|
https://github.com/vim/vim/security/advisories/GHSA-4ghr-c62x-cqfh
|
|
|
|
Signed-off-by: Christian Brabandt <cb@256bit.org>
|
|
---
|
|
src/getchar.c | 15 ++++++++++++---
|
|
1 files changed, 12 insertions(+), 3 deletions(-)
|
|
|
|
diff --git a/src/getchar.c b/src/getchar.c
|
|
index 29323fa328bd1..96e180f4ae1a9 100644
|
|
--- a/src/getchar.c
|
|
+++ b/src/getchar.c
|
|
@@ -438,9 +438,18 @@ flush_buffers(flush_buffers_T flush_typeahead)
|
|
|
|
if (flush_typeahead == FLUSH_MINIMAL)
|
|
{
|
|
- // remove mapped characters at the start only
|
|
- typebuf.tb_off += typebuf.tb_maplen;
|
|
- typebuf.tb_len -= typebuf.tb_maplen;
|
|
+ // remove mapped characters at the start only,
|
|
+ // but only when enough space left in typebuf
|
|
+ if (typebuf.tb_off + typebuf.tb_maplen >= typebuf.tb_buflen)
|
|
+ {
|
|
+ typebuf.tb_off = MAXMAPLEN;
|
|
+ typebuf.tb_len = 0;
|
|
+ }
|
|
+ else
|
|
+ {
|
|
+ typebuf.tb_off += typebuf.tb_maplen;
|
|
+ typebuf.tb_len -= typebuf.tb_maplen;
|
|
+ }
|
|
#if defined(FEAT_CLIENTSERVER) || defined(FEAT_EVAL)
|
|
if (typebuf.tb_len == 0)
|
|
typebuf_was_filled = FALSE;
|