Projects
Mega:23.09
vim
_service:tar_scm:backport-CVE-2023-46246.patch
Sign Up
Log In
Username
Password
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File _service:tar_scm:backport-CVE-2023-46246.patch of Package vim
From 9198c1f2b1ddecde22af918541e0de2a32f0f45a Mon Sep 17 00:00:00 2001 From: Christian Brabandt <cb@256bit.org> Date: Thu, 26 Oct 2023 21:29:32 +0200 Subject: [PATCH] patch 9.0.2068: [security] overflow in :history Problem: [security] overflow in :history Solution: Check that value fits into int The get_list_range() function, used to parse numbers for the :history and :clist command internally uses long variables to store the numbers. However function arguments are integer pointers, which can then overflow. Check that the return value from the vim_str2nr() function is not larger than INT_MAX and if yes, bail out with an error. I guess nobody uses a cmdline/clist history that needs so many entries... (famous last words). It is only a moderate vulnerability, so impact should be low. Github Advisory: https://github.com/vim/vim/security/advisories/GHSA-q22m-h7m2-9mgm Signed-off-by: Christian Brabandt <cb@256bit.org> --- src/cmdhist.c | 5 ++++- src/errors.h | 2 ++ src/ex_getln.c | 10 +++++++++- src/testdir/test_history.vim | 8 ++++++++ 4 files changed, 23 insertions(+), 2 deletions(-) diff --git a/src/cmdhist.c b/src/cmdhist.c index d398ca7a687b5..96a9b3e95b86f 100644 --- a/src/cmdhist.c +++ b/src/cmdhist.c @@ -740,7 +740,10 @@ ex_history(exarg_T *eap) end = arg; if (!get_list_range(&end, &hisidx1, &hisidx2) || *end != NUL) { - semsg(_(e_trailing_characters_str), end); + if (*end != NUL) + semsg(_(e_trailing_characters_str), end); + else + semsg(_(e_val_too_large), arg); return; } diff --git a/src/errors.h b/src/errors.h index 79a785e1e2953..72957d8b93bdc 100644 --- a/src/errors.h +++ b/src/errors.h @@ -3306,3 +3306,5 @@ EXTERN char e_substitute_nesting_too_deep[] #endif EXTERN char e_window_unexpectedly_close_while_searching_for_tags[] INIT(= N_("E1299: Window unexpectedly closed while searching for tags")); +EXTERN char e_val_too_large[] + INIT(= N_("E1510: Value too large: %s")); diff --git a/src/ex_getln.c b/src/ex_getln.c index 9683e2ebd5af5..8f0be520886be 100644 --- a/src/ex_getln.c +++ b/src/ex_getln.c @@ -4326,6 +4326,10 @@ get_list_range(char_u **str, int *num1, int *num2) { vim_str2nr(*str, NULL, &len, 0, &num, NULL, 0, FALSE); *str += len; + // overflow + if (num > INT_MAX) + return FAIL; + *num1 = (int)num; first = TRUE; } @@ -4336,8 +4340,12 @@ get_list_range(char_u **str, int *num1, int *num2) vim_str2nr(*str, NULL, &len, 0, &num, NULL, 0, FALSE); if (len > 0) { - *num2 = (int)num; *str = skipwhite(*str + len); + // overflow + if (num > INT_MAX) + return FAIL; + + *num2 = (int)num; } else if (!first) // no number given at all return FAIL; diff --git a/src/testdir/test_history.vim b/src/testdir/test_history.vim index bb6d67172585e..482328ab4aaef 100644 --- a/src/testdir/test_history.vim +++ b/src/testdir/test_history.vim @@ -249,4 +249,12 @@ func Test_history_crypt_key() set key& bs& ts& endfunc +" The following used to overflow and causing an use-after-free +func Test_history_max_val() + + set history=10 + call assert_fails(':history 2147483648', 'E1510:') + set history& +endfunc + " vim: shiftwidth=2 sts=2 expandtab
Locations
Projects
Search
Status Monitor
Help
Open Build Service
OBS Manuals
API Documentation
OBS Portal
Reporting a Bug
Contact
Mailing List
Forums
Chat (IRC)
Twitter
Open Build Service (OBS)
is an
openSUSE project
.
浙ICP备2022010568号-2