Gitiles
Code Review Sign In
gerrit.omnirom.org / android_external_vim / c9a1e257f1630a0866447e53a564f7ff96a80ead^! / . / src / misc1.c
commitc9a1e257f1630a0866447e53a564f7ff96a80ead[log] [tgz]
authorChristian Brabandt <cb@256bit.org>Sat Jan 11 15:25:00 2025 +0100
committerChristian Brabandt <cb@256bit.org>Sat Jan 11 15:25:00 2025 +0100
tree4be912a8bfd7f06bc0b245982e98b44c62199494
parent9598a6369bce32d3da831e8968caf4625985ac3c [diff] [blame]
patch 9.1.1003: [security]: heap-buffer-overflow with visual mode

Problem:  [security]: heap-buffer-overflow with visual mode when
          using :all, causing Vim trying to access beyond end-of-line
          (gandalf)
Solution: Reset visual mode on :all, validate position in gchar_pos()
          and charwise_block_prep()

This fixes CVE-2025-22134

Github Advisory:
https://github.com/vim/vim/security/advisories/GHSA-5rgf-26wj-48v8

Co-authored-by: zeertzjq <zeertzjq@outlook.com>
Signed-off-by: Christian Brabandt <cb@256bit.org>

diff --git a/src/misc1.c b/src/misc1.c
index 90cf914..142a616 100644
--- a/src/misc1.c
+++ b/src/misc1.c

@@ -543,11 +543,15 @@
 gchar_pos(pos_T *pos)
 {
     char_u	*ptr;
+    int		ptrlen;
 
     // When searching columns is sometimes put at the end of a line.
     if (pos->col == MAXCOL)
 	return NUL;
+    ptrlen = ml_get_len(pos->lnum);
     ptr = ml_get_pos(pos);
+    if (pos->col > ptrlen)
+	return NUL;
     if (has_mbyte)
 	return (*mb_ptr2char)(ptr);
     return (int)*ptr;