patch 9.1.1003: [security]: heap-buffer-overflow with visual mode Problem: [security]: heap-buffer-overflow with visual mode when using :all, causing Vim trying to access beyond end-of-line (gandalf) Solution: Reset visual mode on :all, validate position in gchar_pos() and charwise_block_prep() This fixes CVE-2025-22134 Github Advisory: https://github.com/vim/vim/security/advisories/GHSA-5rgf-26wj-48v8 Co-authored-by: zeertzjq <zeertzjq@outlook.com> Signed-off-by: Christian Brabandt <cb@256bit.org>

commit: c9a1e257f1630a0866447e53a564f7ff96a80ead [log] [tgz]
author: Christian Brabandt <cb@256bit.org> Sat Jan 11 15:25:00 2025 +0100
committer: Christian Brabandt <cb@256bit.org> Sat Jan 11 15:25:00 2025 +0100
tree: 4be912a8bfd7f06bc0b245982e98b44c62199494
parent: 9598a6369bce32d3da831e8968caf4625985ac3c [diff] [blame]
diff --git a/src/ops.c b/src/ops.c
index a75efab..9efef38 100644
--- a/src/ops.c
+++ b/src/ops.c

@@ -2586,6 +2586,7 @@
     colnr_T startcol = 0, endcol = MAXCOL;
     colnr_T cs, ce;
     char_u *p;
+    int	plen = ml_get_len(lnum);
 
     p = ml_get(lnum);
     bdp->startspaces = 0;
@@ -2646,7 +2647,7 @@
     else
 	bdp->textlen = endcol - startcol + inclusive;
     bdp->textcol = startcol;
-    bdp->textstart = p + startcol;
+    bdp->textstart = startcol <= plen ? p + startcol : p;
 }
 
 /*
commit	c9a1e257f1630a0866447e53a564f7ff96a80ead	[log] [tgz]
author	Christian Brabandt <cb@256bit.org>	Sat Jan 11 15:25:00 2025 +0100
committer	Christian Brabandt <cb@256bit.org>	Sat Jan 11 15:25:00 2025 +0100
tree	4be912a8bfd7f06bc0b245982e98b44c62199494
parent	9598a6369bce32d3da831e8968caf4625985ac3c [diff] [blame]