CVE-2022-0128: patch 8.2.4009: reading one byte beyond the end of the line · vim/vim@d3a1178
vim is vulnerable to Out-of-bounds Read
patch 8.2.4009: reading one byte beyond the end of the line
Problem: Reading one byte beyond the end of the line. Solution: Check for NUL byte first.
1 parent 677658a commit d3a117814d6acbf0dca3eff1a7626843b9b3734a
Showing with 17 additions and 2 deletions.
- +2 −1 src/ex_docmd.c
- +11 −0 src/testdir/test_vim9_func.vim
- +2 −0 src/version.c
- +2 −1 src/vim9compile.c
@@ -3632,7 +3632,8 @@ find_ex_command(
}
// Check for “++nr” and "–nr".
if (p == eap->cmd && p[0] == p[1] && (*p == ‘+’ || *p == '-'))
if (p == eap->cmd && p[0] != NUL && p[0] == p[1]
&& (*p == ‘+’ || *p == '-'))
{
eap->cmdidx = *p == ‘+’ ? CMD_increment : CMD_decrement;
return eap->cmd + 2;
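Review bot: In the find_ex_command condition, the added p[0] != NUL test is implied by the sign test that follows it, since (*p == '+' || *p == '-') can only be true for a non-NUL byte. Placing the sign test ahead of p[0] == p[1] would short-circuit before p[1] is read and give the same protection with one comparison fewer. If the explicit NUL test is kept for readability, a short comment saying it exists to stop p[1] being read past the terminator would keep a later cleanup from removing it.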
@@ -3537,6 +3537,17 @@ def Test_numbered_function_reference()
unlet g:mydict
enddef
def Test_go_beyond_end_of_cmd()
# this was reading the byte after the end of the line
var lines =<< trim END
def F()
cal
enddef
defcompile
END
CheckScriptFailure(lines, ‘E476:’)
enddef
if has(‘python3’)
def Test_python3_heredoc()
py3 << trim EOF
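Review bot: Test_go_beyond_end_of_cmd asserts only that the script fails with E476, which does not by itself show that the byte after the line is no longer read. A one-byte read past the end usually leaves the outcome unchanged, so this test is likely to catch a regression only when the suite runs under a memory checker such as Valgrind or AddressSanitizer. It would help to say so in the comment above var lines, so the test is not mistaken for a purely functional check.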
@@ -750,6 +750,8 @@ static char *(features[]) =
static int included_patches[] =
{ /* Add new patch number below this line */
/**/
4009,
/**/
4008,
/**/
@@ -2781,7 +2781,8 @@ compile_def_function(
cmd = ea.cmd;
if ((*cmd != ‘$’ || starts_with_colon)
&& (starts_with_colon || !(*cmd == ‘\’’
|| (cmd[0] == cmd[1] && (*cmd == ‘+’ || *cmd == '-')))))
|| (cmd[0] != NUL && cmd[0] == cmd[1]
&& (*cmd == ‘+’ || *cmd == '-')))))
{
ea.cmd = skip_range(ea.cmd, TRUE, NULL);
if (ea.cmd > cmd)
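Review bot: The guard in compile_def_function, cmd[0] != NUL && cmd[0] == cmd[1] && (*cmd == '+' || *cmd == '-'), is the same expression this patch adds to the "++nr" / "--nr" check in find_ex_command, so the fix now lives in two places that have to stay in step. Consider a small shared helper or macro for "starts with ++ or --" used by both call sites, so that a later edit cannot reintroduce the over-read in only one of them.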
Related news
Ubuntu Security Notice 6195-1 - It was discovered that Vim contained an out-of-bounds read vulnerability. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code. It was discovered that Vim did not properly manage memory when freeing allocated memory. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code. It was discovered that Vim contained a heap-based buffer overflow vulnerability. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code.
Dell VxRail, versions prior to 7.0.410, contain a Container Escape Vulnerability. A local high-privileged attacker could potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the container's underlying OS. Exploitation may lead to a system take over by an attacker.
Gentoo Linux Security Advisory 202208-32 - Multiple vulnerabilities have been discovered in Vim, the worst of which could result in denial of service. Versions less than 9.0.0060 are affected.
Apple Security Advisory 2022-07-20-4 - Security Update 2022-005 Catalina addresses code execution, information leakage, null pointer, out of bounds read, and out of bounds write vulnerabilities.
An out-of-bounds write issue was addressed with improved bounds checking. This issue is fixed in tvOS 15.5, watchOS 8.6, macOS Big Sur 11.6.6, macOS Monterey 12.3.1, iOS 15.4.1 and iPadOS 15.4.1. An application may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited.
Apple Security Advisory 2022-05-16-3 - macOS Big Sur 11.6.6 addresses bypass, code execution, denial of service, out of bounds access, out of bounds read, out of bounds write, and use-after-free vulnerabilities.
A logic issue was addressed with improved validation. This issue is fixed in macOS Monterey 12.3. A malicious application may be able to gain root privileges.