Headline
CVE-2021-4193: patch 8.2.3950: going beyond the end of the line with /\%V · vim/vim@94f3192
vim is vulnerable to Out-of-bounds Read
Permalink
Browse files
patch 8.2.3950: going beyond the end of the line with /\%V
Problem: Going beyond the end of the line with /\%V. Solution: Check for valid column in getvcol().
- Loading branch information
1 parent 4c13e5e commit 94f3192b03ed27474db80b4d3a409e107140738b
Showing with 19 additions and 4 deletions.
- +9 −4 src/charset.c
- +8 −0 src/testdir/test_regexp_latin.vim
- +2 −0 src/version.c
@@ -1240,10 +1240,15 @@ getvcol(
posptr = NULL; // continue until the NUL
else
{
// Special check for an empty line, which can happen on exit, when
// ml_get_buf() always returns an empty string.
if (*ptr == NUL)
pos->col = 0;
colnr_T i;
// In a few cases the position can be beyond the end of the line.
for (i = 0; i < pos->col; ++i)
if (ptr[i] == NUL)
{
pos->col = i;
break;
}
posptr = ptr + pos->col;
if (has_mbyte)
// always start on the first byte
@@ -1053,4 +1053,12 @@ func Test_using_visual_position()
bwipe!
endfunc
func Test_using_invalid_visual_position()
" this was going beyond the end of the line
new
exe “norm 0o000\<Esc>0\<C-V>$s0”
/\%V
bwipe!
endfunc
" vim: shiftwidth=2 sts=2 expandtab
@@ -749,6 +749,8 @@ static char *(features[]) =
static int included_patches[] =
{ /* Add new patch number below this line */
/**/
3950,
/**/
3949,
/**/
0 comments on commit 94f3192
Please sign in to comment.