Headline
CVE-2022-0128: patch 8.2.4009: reading one byte beyond the end of the line · vim/vim@d3a1178
vim is vulnerable to Out-of-bounds Read
Permalink
Browse files
patch 8.2.4009: reading one byte beyond the end of the line
Problem: Reading one byte beyond the end of the line. Solution: Check for NUL byte first.
- Loading branch information
1 parent 677658a commit d3a117814d6acbf0dca3eff1a7626843b9b3734a
Showing with 17 additions and 2 deletions.
- +2 −1 src/ex_docmd.c
- +11 −0 src/testdir/test_vim9_func.vim
- +2 −0 src/version.c
- +2 −1 src/vim9compile.c
@@ -3632,7 +3632,8 @@ find_ex_command(
}
// Check for “++nr” and "–nr".
if (p == eap->cmd && p[0] == p[1] && (*p == ‘+’ || *p == '-'))
if (p == eap->cmd && p[0] != NUL && p[0] == p[1]
&& (*p == ‘+’ || *p == '-'))
{
eap->cmdidx = *p == ‘+’ ? CMD_increment : CMD_decrement;
return eap->cmd + 2;
@@ -3537,6 +3537,17 @@ def Test_numbered_function_reference()
unlet g:mydict
enddef
def Test_go_beyond_end_of_cmd()
# this was reading the byte after the end of the line
var lines =<< trim END
def F()
cal
enddef
defcompile
END
CheckScriptFailure(lines, ‘E476:’)
enddef
if has(‘python3’)
def Test_python3_heredoc()
py3 << trim EOF
@@ -750,6 +750,8 @@ static char *(features[]) =
static int included_patches[] =
{ /* Add new patch number below this line */
/**/
4009,
/**/
4008,
/**/
@@ -2781,7 +2781,8 @@ compile_def_function(
cmd = ea.cmd;
if ((*cmd != ‘$’ || starts_with_colon)
&& (starts_with_colon || !(*cmd == ‘\’’
|| (cmd[0] == cmd[1] && (*cmd == ‘+’ || *cmd == '-')))))
|| (cmd[0] != NUL && cmd[0] == cmd[1]
&& (*cmd == ‘+’ || *cmd == '-')))))
{
ea.cmd = skip_range(ea.cmd, TRUE, NULL);
if (ea.cmd > cmd)
0 comments on commit d3a1178
Please sign in to comment.