Gitiles
Code Review Sign In
gerrit.omnirom.org / android_external_vim / 0fb375aae608d7306b4baf9c1f906961f32e2abf^! / . / src
commit0fb375aae608d7306b4baf9c1f906961f32e2abf[log] [tgz]
authorChristian Brabandt <cb@256bit.org>Wed Nov 29 10:23:39 2023 +0100
committerChristian Brabandt <cb@256bit.org>Fri Dec 01 18:58:50 2023 +0100
tree10a990e59a5b11b65536b3ad9a482e0a26a9d584
parenteec0c2b3a4cfab93dd8d4adaa60638d47a2bbc8a [diff]
patch 9.0.2141: [security]: buffer-overflow in suggest_trie_walk

Problem:  [security]: buffer-overflow in suggest_trie_walk
Solution: Check n before using it as index into byts array

Basically, n as an index into the byts array, can point to beyond the byts
array. So let's double check, that n is within the expected range after
incrementing it from sp->ts_curi and bail out if it would be invalid.

Reported by @henices, thanks!

Signed-off-by: Christian Brabandt <cb@256bit.org>

diff --git a/src/spellsuggest.c b/src/spellsuggest.c
index e1c303a..ecc0a74 100644
--- a/src/spellsuggest.c
+++ b/src/spellsuggest.c

@@ -2175,6 +2175,13 @@
 	    // - Skip the byte if it's equal to the byte in the word,
 	    //   accepting that byte is always better.
 	    n += sp->ts_curi++;
+
+	    // break out, if we would be accessing byts buffer out of bounds
+	    if (byts == slang->sl_fbyts && n >= slang->sl_fbyts_len)
+	    {
+		got_int = TRUE;
+		break;
+	    }
 	    c = byts[n];
 	    if (soundfold && sp->ts_twordlen == 0 && c == '*')
 		// Inserting a vowel at the start of a word counts less,

diff --git a/src/testdir/crash/poc_suggest_trie_walk b/src/testdir/crash/poc_suggest_trie_walk
new file mode 100644
index 0000000..c79b6ee
--- /dev/null
+++ b/src/testdir/crash/poc_suggest_trie_walk
Binary files differ

diff --git a/src/testdir/test_crash.vim b/src/testdir/test_crash.vim
index 11c5f4e..eef1731 100644
--- a/src/testdir/test_crash.vim
+++ b/src/testdir/test_crash.vim

@@ -135,6 +135,13 @@
     \ '  && echo "crash 2: [OK]" >> '.. result .. "\<cr>")
   call TermWait(buf, 350)
 
+  let file = 'crash/poc_suggest_trie_walk'
+  let cmn_args = "%s -u NONE -i NONE -n -e -s -S %s -c ':qa!'"
+  let args = printf(cmn_args, vim, file)
+  call term_sendkeys(buf, args ..
+    \ '  && echo "crash 3: [OK]" >> '.. result .. "\<cr>")
+  call TermWait(buf, 150)
+
   " clean up
   exe buf .. "bw!"
 
@@ -143,6 +150,7 @@
   let expected = [
       \ 'crash 1: [OK]',
       \ 'crash 2: [OK]',
+      \ 'crash 3: [OK]',
       \ ]
 
   call assert_equal(expected, getline(1, '$'))

diff --git a/src/version.c b/src/version.c
index e32e5c0..ecb5c22 100644
--- a/src/version.c
+++ b/src/version.c

@@ -705,6 +705,8 @@
 static int included_patches[] =
 {   /* Add new patch number below this line */
 /**/
+    2141,
+/**/
     2140,
 /**/
     2139,