patch 9.1.1003: [security]: heap-buffer-overflow with visual mode Problem: [security]: heap-buffer-overflow with visual mode when using :all, causing Vim trying to access beyond end-of-line (gandalf) Solution: Reset visual mode on :all, validate position in gchar_pos() and charwise_block_prep() This fixes CVE-2025-22134 Github Advisory: https://github.com/vim/vim/security/advisories/GHSA-5rgf-26wj-48v8 Co-authored-by: zeertzjq <zeertzjq@outlook.com> Signed-off-by: Christian Brabandt <cb@256bit.org>

commit: c9a1e257f1630a0866447e53a564f7ff96a80ead [log] [tgz]
author: Christian Brabandt <cb@256bit.org> Sat Jan 11 15:25:00 2025 +0100
committer: Christian Brabandt <cb@256bit.org> Sat Jan 11 15:25:00 2025 +0100
tree: 4be912a8bfd7f06bc0b245982e98b44c62199494
parent: 9598a6369bce32d3da831e8968caf4625985ac3c [diff] [blame]
diff --git a/src/arglist.c b/src/arglist.c
index 8825c8e..4eec079 100644
--- a/src/arglist.c
+++ b/src/arglist.c

@@ -1258,6 +1258,10 @@
 
     tabpage_T *new_lu_tp = curtab;
 
+    // Stop Visual mode, the cursor and "VIsual" may very well be invalid after
+    // switching to another buffer.
+    reset_VIsual_and_resel();
+
     // Try closing all windows that are not in the argument list.
     // Also close windows that are not full width;
     // When 'hidden' or "forceit" set the buffer becomes hidden.
commit	c9a1e257f1630a0866447e53a564f7ff96a80ead	[log] [tgz]
author	Christian Brabandt <cb@256bit.org>	Sat Jan 11 15:25:00 2025 +0100
committer	Christian Brabandt <cb@256bit.org>	Sat Jan 11 15:25:00 2025 +0100
tree	4be912a8bfd7f06bc0b245982e98b44c62199494
parent	9598a6369bce32d3da831e8968caf4625985ac3c [diff] [blame]