代码拉取完成,页面将自动刷新
同步操作将从 src-openEuler/vim 强制同步,此操作会覆盖自 Fork 仓库以来所做的任何修改,且无法恢复!!!
确定后同步将在后台操作,完成时将刷新页面,请耐心等待。
From 9198c1f2b1ddecde22af918541e0de2a32f0f45a Mon Sep 17 00:00:00 2001
From: Christian Brabandt <cb@256bit.org>
Date: Thu, 26 Oct 2023 21:29:32 +0200
Subject: [PATCH] patch 9.0.2068: [security] overflow in :history
Problem: [security] overflow in :history
Solution: Check that value fits into int
The get_list_range() function, used to parse numbers for the :history
and :clist command internally uses long variables to store the numbers.
However function arguments are integer pointers, which can then
overflow.
Check that the return value from the vim_str2nr() function is not larger
than INT_MAX and if yes, bail out with an error. I guess nobody uses a
cmdline/clist history that needs so many entries... (famous last words).
It is only a moderate vulnerability, so impact should be low.
Github Advisory:
https://github.com/vim/vim/security/advisories/GHSA-q22m-h7m2-9mgm
Signed-off-by: Christian Brabandt <cb@256bit.org>
---
src/cmdhist.c | 5 ++++-
src/errors.h | 2 ++
src/ex_getln.c | 10 +++++++++-
src/testdir/test_history.vim | 8 ++++++++
4 files changed, 23 insertions(+), 2 deletions(-)
diff --git a/src/cmdhist.c b/src/cmdhist.c
index d398ca7a687b5..96a9b3e95b86f 100644
--- a/src/cmdhist.c
+++ b/src/cmdhist.c
@@ -740,7 +740,10 @@ ex_history(exarg_T *eap)
end = arg;
if (!get_list_range(&end, &hisidx1, &hisidx2) || *end != NUL)
{
- semsg(_(e_trailing_characters_str), end);
+ if (*end != NUL)
+ semsg(_(e_trailing_characters_str), end);
+ else
+ semsg(_(e_val_too_large), arg);
return;
}
diff --git a/src/errors.h b/src/errors.h
index 79a785e1e2953..72957d8b93bdc 100644
--- a/src/errors.h
+++ b/src/errors.h
@@ -3306,3 +3306,5 @@ EXTERN char e_substitute_nesting_too_deep[]
#endif
EXTERN char e_window_unexpectedly_close_while_searching_for_tags[]
INIT(= N_("E1299: Window unexpectedly closed while searching for tags"));
+EXTERN char e_val_too_large[]
+ INIT(= N_("E1510: Value too large: %s"));
diff --git a/src/ex_getln.c b/src/ex_getln.c
index 9683e2ebd5af5..8f0be520886be 100644
--- a/src/ex_getln.c
+++ b/src/ex_getln.c
@@ -4326,6 +4326,10 @@ get_list_range(char_u **str, int *num1, int *num2)
{
vim_str2nr(*str, NULL, &len, 0, &num, NULL, 0, FALSE);
*str += len;
+ // overflow
+ if (num > INT_MAX)
+ return FAIL;
+
*num1 = (int)num;
first = TRUE;
}
@@ -4336,8 +4340,12 @@ get_list_range(char_u **str, int *num1, int *num2)
vim_str2nr(*str, NULL, &len, 0, &num, NULL, 0, FALSE);
if (len > 0)
{
- *num2 = (int)num;
*str = skipwhite(*str + len);
+ // overflow
+ if (num > INT_MAX)
+ return FAIL;
+
+ *num2 = (int)num;
}
else if (!first) // no number given at all
return FAIL;
diff --git a/src/testdir/test_history.vim b/src/testdir/test_history.vim
index bb6d67172585e..482328ab4aaef 100644
--- a/src/testdir/test_history.vim
+++ b/src/testdir/test_history.vim
@@ -249,4 +249,12 @@ func Test_history_crypt_key()
set key& bs& ts&
endfunc
+" The following used to overflow and causing an use-after-free
+func Test_history_max_val()
+
+ set history=10
+ call assert_fails(':history 2147483648', 'E1510:')
+ set history&
+endfunc
+
" vim: shiftwidth=2 sts=2 expandtab
此处可能存在不合适展示的内容,页面不予展示。您可通过相关编辑功能自查并修改。
如您确认内容无涉及 不当用语 / 纯广告导流 / 暴力 / 低俗色情 / 侵权 / 盗版 / 虚假 / 无价值内容或违法国家有关法律法规的内容,可点击提交进行申诉,我们将尽快为您处理。
马建仓 AI 助手