patch 9.0.2141: [security]: buffer-overflow in suggest_trie_walk
Problem: [security]: buffer-overflow in suggest_trie_walk
Solution: Check n before using it as index into byts array
Basically, n as an index into the byts array, can point to beyond the byts
array. So let's double check, that n is within the expected range after
incrementing it from sp->ts_curi and bail out if it would be invalid.
Reported by @henices, thanks!
Signed-off-by: Christian Brabandt <cb@256bit.org>
diff --git a/src/testdir/crash/poc_suggest_trie_walk b/src/testdir/crash/poc_suggest_trie_walk
new file mode 100644
index 0000000..c79b6ee
--- /dev/null
+++ b/src/testdir/crash/poc_suggest_trie_walk
Binary files differ
diff --git a/src/testdir/test_crash.vim b/src/testdir/test_crash.vim
index 11c5f4e..eef1731 100644
--- a/src/testdir/test_crash.vim
+++ b/src/testdir/test_crash.vim
@@ -135,6 +135,13 @@
\ ' && echo "crash 2: [OK]" >> '.. result .. "\<cr>")
call TermWait(buf, 350)
+ let file = 'crash/poc_suggest_trie_walk'
+ let cmn_args = "%s -u NONE -i NONE -n -e -s -S %s -c ':qa!'"
+ let args = printf(cmn_args, vim, file)
+ call term_sendkeys(buf, args ..
+ \ ' && echo "crash 3: [OK]" >> '.. result .. "\<cr>")
+ call TermWait(buf, 150)
+
" clean up
exe buf .. "bw!"
@@ -143,6 +150,7 @@
let expected = [
\ 'crash 1: [OK]',
\ 'crash 2: [OK]',
+ \ 'crash 3: [OK]',
\ ]
call assert_equal(expected, getline(1, '$'))