thac0/vim
1
0
Fork 0
forked from aniani/vim
Code Activity

patch 9.0.2068: [security] overflow in :history

Browse Source 
Problem:  [security] overflow in :history
Solution: Check that value fits into int

The get_list_range() function, used to parse numbers for the :history
and :clist command internally uses long variables to store the numbers.
However function arguments are integer pointers, which can then
overflow.

Check that the return value from the vim_str2nr() function is not larger
than INT_MAX and if yes, bail out with an error. I guess nobody uses a
cmdline/clist history that needs so many entries... (famous last words).

It is only a moderate vulnerability, so impact should be low.

Github Advisory:
https://github.com/vim/vim/security/advisories/GHSA-q22m-h7m2-9mgm

Signed-off-by: Christian Brabandt <cb@256bit.org>
This commit is contained in:
Christian Brabandt
2023-10-26 21:29:32 +02:00
parent 5f5131d775
commit 9198c1f2b1
5 changed files with 25 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
src/cmdhist.c
View File

@@ -742,7 +742,10 @@ ex_history(exarg_T *eap)
end = arg; end = arg;
if (!get_list_range(&end, &hisidx1, &hisidx2) || *end != NUL) if (!get_list_range(&end, &hisidx1, &hisidx2) || *end != NUL)
{ {
if (*end != NUL)
semsg(_(e_trailing_characters_str), end); semsg(_(e_trailing_characters_str), end);
else
semsg(_(e_val_too_large), arg);
return; return;
} }

2
src/errors.h
View File

@@ -3560,3 +3560,5 @@ EXTERN char e_xattr_e2big[]
INIT(= N_("E1508: Size of the extended attribute value is larger than the maximum size allowed")); INIT(= N_("E1508: Size of the extended attribute value is larger than the maximum size allowed"));
EXTERN char e_xattr_other[] EXTERN char e_xattr_other[]
INIT(= N_("E1509: Error occurred when reading or writing extended attribute")); INIT(= N_("E1509: Error occurred when reading or writing extended attribute"));
EXTERN char e_val_too_large[]
INIT(= N_("E1510: Value too large: %s"));

10
src/ex_getln.c
View File

@@ -4377,6 +4377,10 @@ get_list_range(char_u **str, int *num1, int *num2)
{ {
vim_str2nr(*str, NULL, &len, 0, &num, NULL, 0, FALSE, NULL); vim_str2nr(*str, NULL, &len, 0, &num, NULL, 0, FALSE, NULL);
*str += len; *str += len;
// overflow
if (num > INT_MAX)
return FAIL;
*num1 = (int)num; *num1 = (int)num;
first = TRUE; first = TRUE;
} }
@@ -4387,8 +4391,12 @@ get_list_range(char_u **str, int *num1, int *num2)
vim_str2nr(*str, NULL, &len, 0, &num, NULL, 0, FALSE, NULL); vim_str2nr(*str, NULL, &len, 0, &num, NULL, 0, FALSE, NULL);
if (len > 0) if (len > 0)
{ {
*num2 = (int)num;
*str = skipwhite(*str + len); *str = skipwhite(*str + len);
// overflow
if (num > INT_MAX)
return FAIL;
*num2 = (int)num;
} }
else if (!first) // no number given at all else if (!first) // no number given at all
return FAIL; return FAIL;

8
src/testdir/test_history.vim
View File

@@ -254,4 +254,12 @@ func Test_history_crypt_key()
set key& bs& ts& set key& bs& ts&
endfunc endfunc
" The following used to overflow and causing an use-after-free
func Test_history_max_val()
set history=10
call assert_fails(':history 2147483648', 'E1510:')
set history&
endfunc
" vim: shiftwidth=2 sts=2 expandtab " vim: shiftwidth=2 sts=2 expandtab

2
src/version.c
View File

@@ -704,6 +704,8 @@ static char *(features[]) =
static int included_patches[] = static int included_patches[] =
{ /* Add new patch number below this line */ { /* Add new patch number below this line */
/**/
2068,
/**/ /**/
2067, 2067,
/**/ /**/