From baad3ef1eeaad75fa5337b0527ec9ede8c3e5446 Mon Sep 17 00:00:00 2001 From: CH3GREEN Date: Sun, 29 Dec 2024 02:21:56 +0800 Subject: [PATCH 1/2] fix CVE-2024-43802 --- src/getchar.c | 15 ++++++++++++--- src/testdir/crash/heap_overflow3 | Bin 0 -> 700 bytes src/testdir/test_crash.vim | 6 ++++++ src/version.c | 2 ++ 4 files changed, 20 insertions(+), 3 deletions(-) create mode 100644 src/testdir/crash/heap_overflow3 diff --git a/src/getchar.c b/src/getchar.c index 3427a9f..5184263 100644 --- a/src/getchar.c +++ b/src/getchar.c @@ -438,9 +438,18 @@ flush_buffers(flush_buffers_T flush_typeahead) if (flush_typeahead == FLUSH_MINIMAL) { - // remove mapped characters at the start only - typebuf.tb_off += typebuf.tb_maplen; - typebuf.tb_len -= typebuf.tb_maplen; + // remove mapped characters at the start only, + // but only when enough space left in typebuf + if (typebuf.tb_off + typebuf.tb_maplen >= typebuf.tb_buflen) + { + typebuf.tb_off = MAXMAPLEN; + typebuf.tb_len = 0; + } + else + { + typebuf.tb_off += typebuf.tb_maplen; + typebuf.tb_len -= typebuf.tb_maplen; + } #if defined(FEAT_CLIENTSERVER) || defined(FEAT_EVAL) if (typebuf.tb_len == 0) typebuf_was_filled = FALSE; diff --git a/src/testdir/crash/heap_overflow3 b/src/testdir/crash/heap_overflow3 new file mode 100644 index 0000000000000000000000000000000000000000..c40adbec4d07a66bcc9aa51e40dbbb90fdc36623 GIT binary patch literal 700 zcmZ{hO=}ZD7{@174?bQz$Wq8~blwYI0mDEj_I~ z#4Wyom4oY!P?qTMHvg-P`?`z?XefMGSG^v1AIK`kUr&%+VYMPErTK+N)J-JP>G^aT zAZ{Y$4E~`YaRD~2pecm*%CU(Fe%tiJC@&{d=*n|%Iir2jcC0(~G8oP(})qg5n(t`-d4 zkb2NTN-_lOVrS`Y1Znh89(*pxrqJZ4dI$ffVRxx=12p{UwvU2fK zL=pVy065g2)SJ{@pg|BdnJlURZ#nqNaXvTnpKCo#R~9`EqA#^V7G{Xf)9MjP&=9 Date: Fri, 3 Jan 2025 11:28:30 +0000 Subject: [PATCH 2/2] update src/version.c. Signed-off-by: CH3GREEN --- src/version.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/src/version.c b/src/version.c index f440140..2e178f3 100644 --- a/src/version.c +++ b/src/version.c 
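Review bot: The new else-branch in flush_buffers() still trusts that tb_maplen never exceeds tb_len; the added guard only bounds `typebuf.tb_off + typebuf.tb_maplen` against `tb_buflen`, so if that invariant is ever broken the subtraction `typebuf.tb_len -= typebuf.tb_maplen` drives tb_len negative (it is a signed int in typebuf_T, if I read structs.h right) while tb_off stays in range, which the new check does not catch. If the invariant is meant to hold here, stating it is cheap: `if (typebuf.tb_maplen > typebuf.tb_len || typebuf.tb_off + typebuf.tb_maplen >= typebuf.tb_buflen)` routes the inconsistent case to the same reset, or at least a comment `// assumes tb_maplen <= tb_len` above the else. The reset branch also changes the behaviour the comment describes: when the mapped prefix does not fit, all pending typeahead is discarded, not just the mapped characters, so the comment should say so, e.g. `// mapped prefix would run past tb_buf: drop all typeahead rather than index out of bounds`. flush_buffers() begins and ends outside the hunk, so whatever resets tb_maplen afterwards is not visible here.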
@@ -704,8 +704,6 @@ static char *(features[]) = static int included_patches[] = { /* Add new patch number below this line */ -/**/ - 17, /**/ 16, /**/ -- Gitee