Headline
CVE-2022-1616: patch 8.2.4895: buffer overflow with invalid command with composing c… · vim/vim@d889344
Use after free in append_command in GitHub repository vim/vim prior to 8.2. This vulnerability is capable of crashing software, Bypass Protection Mechanism, Modify Memory, and possible remote execution
Permalink
Browse files
patch 8.2.4895: buffer overflow with invalid command with composing c…
…hars
Problem: Buffer overflow with invalid command with composing chars. Solution: Check that the whole character fits in the buffer.
- Loading branch information
1 parent 5a7b6dc commit d88934406c5375d88f8f1b65331c9f0cab68cc6c
Showing with 16 additions and 1 deletion.
- +3 −1 src/ex_docmd.c
- +11 −0 src/testdir/test_cmdline.vim
- +2 −0 src/version.c
@@ -3435,14 +3435,16 @@ append_command(char_u *cmd)
STRCAT(IObuff, ": ");
d = IObuff + STRLEN(IObuff);
while (*s != NUL && d - IObuff < IOSIZE - 7)
while (*s != NUL && d - IObuff + 5 < IOSIZE)
{
if (enc_utf8 ? (s[0] == 0xc2 && s[1] == 0xa0) : *s == 0xa0)
{
s += enc_utf8 ? 2 : 1;
STRCPY(d, “<a0>”);
d += 4;
}
else if (d - IObuff + (*mb_ptr2len)(s) + 1 >= IOSIZE)
break;
else
MB_COPY_CHAR(s, d);
}
@@ -3353,6 +3353,17 @@ func Test_cmdline_complete_scriptnames()
set wildmenu&
endfunc
" this was going over the end of IObuff
func Test_report_error_with_composing()
let caught = ‘no’
try
exe repeat('0’, 987) … “0\xdd\x80\xdd\x80\xdd\x80\xdd\x80”
catch /E492:/
let caught = ‘yes’
endtry
call assert_equal('yes’, caught)
endfunc
" Test for expanding 2-letter and 3-letter :substitute command arguments.
" These commands don’t accept an argument.
func Test_cmdline_complete_substitute_short()
@@ -746,6 +746,8 @@ static char *(features[]) =
static int included_patches[] =
{ /* Add new patch number below this line */
/**/
4895,
/**/
4894,
/**/
0 comments on commit d889344
Please sign in to comment.