103 lines
3.2 KiB
Diff
103 lines
3.2 KiB
Diff
From 9198c1f2b1ddecde22af918541e0de2a32f0f45a Mon Sep 17 00:00:00 2001
|
|
From: Christian Brabandt <cb@256bit.org>
|
|
Date: Thu, 26 Oct 2023 21:29:32 +0200
|
|
Subject: [PATCH] patch 9.0.2068: [security] overflow in :history
|
|
|
|
Problem: [security] overflow in :history
|
|
Solution: Check that value fits into int
|
|
|
|
The get_list_range() function, used to parse numbers for the :history
|
|
and :clist command internally uses long variables to store the numbers.
|
|
However function arguments are integer pointers, which can then
|
|
overflow.
|
|
|
|
Check that the return value from the vim_str2nr() function is not larger
|
|
than INT_MAX and if yes, bail out with an error. I guess nobody uses a
|
|
cmdline/clist history that needs so many entries... (famous last words).
|
|
|
|
It is only a moderate vulnerability, so impact should be low.
|
|
|
|
Github Advisory:
|
|
https://github.com/vim/vim/security/advisories/GHSA-q22m-h7m2-9mgm
|
|
|
|
Signed-off-by: Christian Brabandt <cb@256bit.org>
|
|
---
|
|
src/cmdhist.c | 5 ++++-
|
|
src/errors.h | 2 ++
|
|
src/ex_getln.c | 10 +++++++++-
|
|
src/testdir/test_history.vim | 8 ++++++++
|
|
4 files changed, 23 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/src/cmdhist.c b/src/cmdhist.c
|
|
index d398ca7a687b5..96a9b3e95b86f 100644
|
|
--- a/src/cmdhist.c
|
|
+++ b/src/cmdhist.c
|
|
@@ -740,7 +740,10 @@ ex_history(exarg_T *eap)
|
|
end = arg;
|
|
if (!get_list_range(&end, &hisidx1, &hisidx2) || *end != NUL)
|
|
{
|
|
- semsg(_(e_trailing_characters_str), end);
|
|
+ if (*end != NUL)
|
|
+ semsg(_(e_trailing_characters_str), end);
|
|
+ else
|
|
+ semsg(_(e_val_too_large), arg);
|
|
return;
|
|
}
|
|
|
|
diff --git a/src/errors.h b/src/errors.h
|
|
index 79a785e1e2953..72957d8b93bdc 100644
|
|
--- a/src/errors.h
|
|
+++ b/src/errors.h
|
|
@@ -3306,3 +3306,5 @@ EXTERN char e_substitute_nesting_too_deep[]
|
|
#endif
|
|
EXTERN char e_window_unexpectedly_close_while_searching_for_tags[]
|
|
INIT(= N_("E1299: Window unexpectedly closed while searching for tags"));
|
|
+EXTERN char e_val_too_large[]
|
|
+ INIT(= N_("E1510: Value too large: %s"));
|
|
diff --git a/src/ex_getln.c b/src/ex_getln.c
|
|
index 9683e2ebd5af5..8f0be520886be 100644
|
|
--- a/src/ex_getln.c
|
|
+++ b/src/ex_getln.c
|
|
@@ -4326,6 +4326,10 @@ get_list_range(char_u **str, int *num1, int *num2)
|
|
{
|
|
vim_str2nr(*str, NULL, &len, 0, &num, NULL, 0, FALSE);
|
|
*str += len;
|
|
+ // overflow
|
|
+ if (num > INT_MAX)
|
|
+ return FAIL;
|
|
+
|
|
*num1 = (int)num;
|
|
first = TRUE;
|
|
}
|
|
@@ -4336,8 +4340,12 @@ get_list_range(char_u **str, int *num1, int *num2)
|
|
vim_str2nr(*str, NULL, &len, 0, &num, NULL, 0, FALSE);
|
|
if (len > 0)
|
|
{
|
|
- *num2 = (int)num;
|
|
*str = skipwhite(*str + len);
|
|
+ // overflow
|
|
+ if (num > INT_MAX)
|
|
+ return FAIL;
|
|
+
|
|
+ *num2 = (int)num;
|
|
}
|
|
else if (!first) // no number given at all
|
|
return FAIL;
|
|
diff --git a/src/testdir/test_history.vim b/src/testdir/test_history.vim
|
|
index bb6d67172585e..482328ab4aaef 100644
|
|
--- a/src/testdir/test_history.vim
|
|
+++ b/src/testdir/test_history.vim
|
|
@@ -249,4 +249,12 @@ func Test_history_crypt_key()
|
|
set key& bs& ts&
|
|
endfunc
|
|
|
|
+" The following used to overflow and causing an use-after-free
|
|
+func Test_history_max_val()
|
|
+
|
|
+ set history=10
|
|
+ call assert_fails(':history 2147483648', 'E1510:')
|
|
+ set history&
|
|
+endfunc
|
|
+
|
|
" vim: shiftwidth=2 sts=2 expandtab
|