patch 9.1.0689: [security]: buffer-overflow in do_search() with 'rightleft'
Problem: buffer-overflow in do_search() with 'rightleft'
(SuyueGuo)
Solution: after reversing the text (which allocates a new buffer),
re-calculate the text length
Github Advisory:
https://github.com/vim/vim/security/advisories/GHSA-v2x2-cjcg-f9jm
Signed-off-by: Christian Brabandt <cb@256bit.org>
diff --git a/src/search.c b/src/search.c
index 01c143f..e5936d8 100644
--- a/src/search.c
+++ b/src/search.c
@@ -1548,6 +1548,7 @@
{
vim_free(msgbuf);
msgbuf = r;
+ msgbuflen = STRLEN(msgbuf);
// move reversed text to beginning of buffer
while (*r != NUL && *r == ' ')
r++;
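Review bot: the added `msgbuflen = STRLEN(msgbuf);` is computed immediately after `msgbuf = r;`, before the `while (*r != NUL && *r == ' ')` loop and the "move reversed text to beginning of buffer" step that follows it. If that move drops the leading spaces, the string ends up shorter than the value just stored and `msgbuflen` no longer matches the contents. The visible lines do not show whether later code depends on the exact length, so either recompute it after the move or add a comment stating that `msgbuflen` is meant as an upper bound for the reallocated buffer. A short comment on the new line explaining that the reversal allocates a new buffer, as the commit message does, would also make the reason for the recalculation clear to the next reader. Separately, the `*r != NUL` test in the context line is redundant with `*r == ' '`. No regression test for a search with 'rightleft' set appears in this diff; one would help keep the fix from regressing.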