patch 9.1.1003: [security]: heap-buffer-overflow with visual mode
Problem: [security]: heap-buffer-overflow with visual mode when
using :all, causing Vim trying to access beyond end-of-line
(gandalf)
Solution: Reset visual mode on :all, validate position in gchar_pos()
and charwise_block_prep()
This fixes CVE-2025-22134
Github Advisory:
https://github.com/vim/vim/security/advisories/GHSA-5rgf-26wj-48v8
Co-authored-by: zeertzjq <zeertzjq@outlook.com>
Signed-off-by: Christian Brabandt <cb@256bit.org>
diff --git a/src/testdir/test_visual.vim b/src/testdir/test_visual.vim
index 0be73ec..03335a4 100644
--- a/src/testdir/test_visual.vim
+++ b/src/testdir/test_visual.vim
@@ -470,7 +470,7 @@
\ "\t{",
\ "\t}"], getline(1, '$'))
- close!
+ bw!
endfunc
" Test for 'p'ut in visual block mode
@@ -1080,7 +1080,7 @@
delmarks < >
call assert_fails('*yank', 'E20:')
- close!
+ bw!
endfunc
" Test for changing text in visual mode with 'exclusive' selection
@@ -1096,7 +1096,7 @@
call assert_equal('l one', getline(1))
set virtualedit&
set selection&
- close!
+ bw!
endfunc
" Test for starting linewise visual with a count.
@@ -1153,7 +1153,7 @@
8,9d
call cursor(5, 1)
call assert_beeps('normal ViBiB')
- close!
+ bw!
endfunc
func Test_visual_put_in_block()
@@ -2760,4 +2760,22 @@
set selection&vim
endfunc
+" the following caused a Heap-Overflow, because Vim was accessing outside of a
+" line end
+func Test_visual_pos_buffer_heap_overflow()
+ set virtualedit=all
+ args Xa Xb
+ all
+ call setline(1, ['', '', ''])
+ call cursor(3, 1)
+ wincmd w
+ call setline(1, 'foobar')
+ normal! $lv0
+ all
+ call setreg('"', 'baz')
+ normal! [P
+ set virtualedit=
+ bw! Xa Xb
+endfunc
+
" vim: shiftwidth=2 sts=2 expandtab