From: Christian Brabandt <cb@256bit.org>
Date: Wed, 27 Sep 2023 22:42:36 +0000
Subject: CVE-2023-4752: heap use after free in ins_compl_get_exp()

Problem:  heap use after free in ins_compl_get_exp()
Solution: validate buffer before accessing it

Signed-off-by: Christian Brabandt <cb@256bit.org>
bug-debian-security: https://security-tracker.debian.org/tracker/CVE-2023-4752
origin: https://github.com/vim/vim/commit/ee9166eb3b41846661a39b662dc7ebe8b5e15139
bug: https://huntr.dev/bounties/85f62dd7-ed84-4fa2-b265-8a369a318757/

[backport]
ins_compl_get_exp is under src/edit.c
---
 src/edit.c    | 2 +-
 src/version.c | 2 ++
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/edit.c b/src/edit.c
index f2521e1..428b69c 100644
--- a/src/edit.c
+++ b/src/edit.c
@@ -4752,7 +4752,7 @@ ins_compl_get_exp(pos_T *ini)
 	else
 	{
 	    /* Mark a buffer scanned when it has been scanned completely */
-	    if (type == 0 || type == CTRL_X_PATH_PATTERNS)
+	  if (buf_valid(ins_buf) && (type == 0 || type == CTRL_X_PATH_PATTERNS))
 		ins_buf->b_scanned = TRUE;
 
 	    compl_started = FALSE;
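Review bot: The added `buf_valid(ins_buf)` check guards only the `b_scanned` write on this line and leaves `ins_buf` holding the stale pointer. Any other dereference of `ins_buf` in ins_compl_get_exp() would need the same validation; the function body starts and ends outside this hunk, so that should be confirmed against the full backported source. The new `if` line is indented with a tab plus two spaces while its body keeps the old depth, so the condition and `ins_buf->b_scanned = TRUE;` no longer line up like the surrounding code; keeping the original tab-plus-four-space indent would also keep the backport diff minimal. A short comment such as `/* ins_buf may no longer be valid here; only mark it scanned if it still exists */` would record why the check is there.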
diff --git a/src/version.c b/src/version.c
index a03d79b..d863dd1 100644
--- a/src/version.c
+++ b/src/version.c
@@ -791,6 +791,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    1858,
 /**/
     5126,
 /**/