packages/vim
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
vim/backport-CVE-2025-26603.patch
wjiang 6b130b0f8e fix CVE-2025-1215 CVE-2025-26603
2025-02-20 10:21:34 +08:00

63 lines
2.0 KiB
Diff
Raw Blame History

From c0f0e2380e5954f4a52a131bf6b8499838ad1dae Mon Sep 17 00:00:00 2001
From: Christian Brabandt <cb@256bit.org>
Date: Sun, 16 Feb 2025 16:06:38 +0100
Subject: [PATCH] patch 9.1.1115: [security]: use-after-free in str_to_reg()
Problem: [security]: use-after-free in str_to_reg()
(fizz-is-on-the-way)
Solution: when redirecting the :display command, check that one
does not output to the register being displayed
Github Advisory:
https://github.com/vim/vim/security/advisories/GHSA-63p5-mwg2-787v
Signed-off-by: Christian Brabandt <cb@256bit.org>
---
src/register.c | 3 ++-
src/testdir/test_registers.vim | 20 ++++++++++++++++++++
2 files changed, 22 insertions(+), 1 deletion(-)
diff --git a/src/register.c b/src/register.c
index 0df05054ca7229..a9630f8ef5db93 100644
--- a/src/register.c
+++ b/src/register.c
@@ -2405,7 +2405,8 @@ ex_display(exarg_T *eap)
#ifdef FEAT_EVAL
if (name == MB_TOLOWER(redir_reg)
- || (redir_reg == '"' && yb == y_previous))
+ || (vim_strchr((char_u *)"\"*+", redir_reg) != NULL &&
+ (yb == y_previous || yb == &y_regs[0])))
continue; // do not list register being written to, the
// pointer can be freed
#endif
diff --git a/src/testdir/test_registers.vim b/src/testdir/test_registers.vim
index 1177c2395d3f09..13127022666e04 100644
--- a/src/testdir/test_registers.vim
+++ b/src/testdir/test_registers.vim
@@ -929,4 +929,24 @@ func Test_register_y_append_reset()
bwipe!
endfunc
+" This caused use-after-free
+func Test_register_redir_display()
+ " don't touch the clipboard, so only perform this, when the clipboard is not working
+ if has("clipboard_working")
+ throw "Skipped: skip touching the clipboard register!"
+ endif
+ let @"=''
+ redir @+>
+ disp +"
+ redir END
+ call assert_equal("\nType Name Content", getreg('+'))
+ let a = [getreg('1'), getregtype('1')]
+ let @1='register 1'
+ redir @+
+ disp 1
+ redir END
+ call assert_equal("register 1", getreg('1'))
+ call setreg(1, a[0], a[1])
+endfunc
+
" vim: shiftwidth=2 sts=2 expandtab
Reference in New Issue View Git Blame Copy Permalink