Headline
CVE-2022-3297: patch 9.0.0579: using freed memory when 'tagfunc' wipes out buffer · vim/vim@0ff0183
Use After Free in GitHub repository vim/vim prior to 9.0.0579.
@@ -2490,7 +2490,8 @@ ins_compl_next_buf(buf_T *buf, int flag)
if (flag == ‘w’) // just windows { if (buf == curbuf || wp == NULL) // first call for this flag/expansion if (buf == curbuf || !win_valid(wp)) // first call for this flag/expansion or window was closed wp = curwin; while ((wp = (wp->w_next != NULL ? wp->w_next : firstwin)) != curwin && wp->w_buffer->b_scanned) @@ -3188,9 +3189,10 @@ enum */ typedef struct { char_u *e_cpt; // current entry in ‘complete’ char_u *e_cpt_copy; // copy of ‘complete’ char_u *e_cpt; // current entry in “e_cpt_copy” buf_T *ins_buf; // buffer being scanned pos_T *cur_match_pos; // current match position pos_T *cur_match_pos; // current match position pos_T prev_match_pos; // previous match position int set_match_pos; // save first_match_pos/last_match_pos pos_T first_match_pos; // first match position @@ -3257,7 +3259,8 @@ process_next_cpt_value( st->set_match_pos = TRUE; } else if (vim_strchr((char_u *)"buwU", *st->e_cpt) != NULL && (st->ins_buf = ins_compl_next_buf(st->ins_buf, *st->e_cpt)) != curbuf) && (st->ins_buf = ins_compl_next_buf( st->ins_buf, *st->e_cpt)) != curbuf) { // Scan a buffer, but not the current one. if (st->ins_buf->b_ml.ml_mfp != NULL) // loaded buffer @@ -3756,19 +3759,30 @@ get_next_completion_match(int type, ins_compl_next_state_T *st, pos_T *ini) static int ins_compl_get_exp(pos_T *ini) { static ins_compl_next_state_T st; static ins_compl_next_state_T st; static int st_cleared = FALSE; int i; int found_new_match; int type = ctrl_x_mode;
if (!compl_started) { FOR_ALL_BUFFERS(st.ins_buf) st.ins_buf->b_scanned = 0; buf_T *buf;
FOR_ALL_BUFFERS(buf) buf->b_scanned = 0; if (!st_cleared) { CLEAR_FIELD(st); st_cleared = TRUE; } st.found_all = FALSE; st.ins_buf = curbuf; st.e_cpt = (compl_cont_status & CONT_LOCAL) ? (char_u *)“.” : curbuf->b_p_cpt; vim_free(st.e_cpt_copy); // Make a copy of 'complete’, if case the buffer is wiped out. st.e_cpt_copy = vim_strsave((compl_cont_status & CONT_LOCAL) ? (char_u *)“.” : curbuf->b_p_cpt); st.e_cpt = st.e_cpt_copy == NULL ? (char_u *)“” : st.e_cpt_copy; st.last_match_pos = st.first_match_pos = *ini; } else if (st.ins_buf != curbuf && !buf_valid(st.ins_buf)) @@ -4112,6 +4126,7 @@ ins_compl_next( int todo = count; int advance; int started = compl_started; buf_T *orig_curbuf = curbuf;
// When user complete function return -1 for findstart which is next // time of 'always’, compl_shown_match become NULL. @@ -4144,6 +4159,13 @@ ins_compl_next( &num_matches) == -1) return -1;
if (curbuf != orig_curbuf) { // In case some completion function switched buffer, don’t want to // insert the completion elsewhere. return -1; }
// Insert the text of the new completion, or the compl_leader. if (compl_no_insert && !started) {
Related news
Ubuntu Security Notice 6420-1 - It was discovered that Vim incorrectly handled memory when opening certain files. If an attacker could trick a user into opening a specially crafted file, it could cause Vim to crash, or possibly execute arbitrary code. This issue only affected Ubuntu 22.04 LTS. It was discovered that Vim incorrectly handled memory when opening certain files. If an attacker could trick a user into opening a specially crafted file, it could cause Vim to crash, or possibly execute arbitrary code. This issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, and Ubuntu 22.04 LTS.
Dell VxRail versions earlier than 7.0.450, contain(s) an OS command injection vulnerability in VxRail Manager. A local authenticated attacker could potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the application's underlying OS, with the privileges of the vulnerable application. Exploitation may lead to a system take over by an attacker.
Gentoo Linux Security Advisory 202305-16 - Multiple vulnerabilities have been found in Vim, the worst of which could result in denial of service. Versions less than 9.0.1157 are affected.
Hello everyone! Great news for my open source Scanvus project! You can now perform vulnerability checks on Linux hosts and docker images not only using the Vulners.com API, but also with the Vulns.io VM API. It’s especially nice that all the code to support the new API was written and contributed by colleagues from Vulns.io. […]