| author | Christian Brabandt <cb@256bit.org> | 2026-04-01 15:03:58 +0000 |
|---|---|---|
| committer | Christian Brabandt <cb@256bit.org> | 2026-04-01 15:06:21 +0000 |
| commit | b2e55ed1d6c9d9af0e1afa6deedf0fec7a49c8c8 (patch) | |
| tree | ae8f5e79bce999a5928f4c2d71e3bfb6b07713cb /src/testdir | |
| parent | 3e60f03d942d6bb0f7eac61b149e83615518cec0 (diff) | |
patch 9.2.0278: viminfo: heap buffer overflow when reading viminfo file
Problem: Reading a crafted viminfo file can cause a heap buffer
overflow because the length value from getdigits() is cast to
int, truncating large size_t values
Solution: Remove the (int) cast when calling alloc() (sentinel404)
Signed-off-by: Christian Brabandt <cb@256bit.org>
Diffstat (limited to 'src/testdir')
| -rw-r--r-- | src/testdir/test_viminfo.vim | 20 |
1 files changed, 20 insertions, 0 deletions
diff --git a/src/testdir/test_viminfo.vim b/src/testdir/test_viminfo.vim
index ff79265f8e..b3a8b91cb1 100644
--- a/src/testdir/test_viminfo.vim
+++ b/src/testdir/test_viminfo.vim
@@ -1371,4 +1371,24 @@ func Test_viminfo_len_one()
 let &viminfofile = _viminfofile
 endfunc
+func Test_viminfo_len_overflow()
+ let _viminfofile = &viminfofile
+ let &viminfofile=''
+ let viminfo_file = tempname()
+ defer delete(viminfo_file)
+
+ " Craft a viminfo entry with size_t length overflow
+ call writefile(['# Viminfo',
+ \ '|1,4', '|2,>4294967311',
+ \ '|<"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA',
+ \ '|<BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB',
+ \ '|<CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC',
+ \ '|<DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD'], viminfo_file, 'b')
+
+ " Should not crash or cause memory errors
+ exe 'rviminfo! ' .. viminfo_file
+
+ let &viminfofile = _viminfofile
+endfunc
+
 " vim: shiftwidth=2 sts=2 expandtab |
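Review bot: Test_viminfo_len_overflow has no assert_* call, so it fails only if Vim actually crashes on `rviminfo!`; an out-of-bounds heap write often does not crash a regular build, so this regression is probably caught reliably only when the suite runs under ASan or valgrind. I would say so in the test and document the magic length, e.g. `" 4294967311 == 2^32 + 15: truncates to 15 when cast to a 32-bit int; needs ASan/valgrind to detect reliably`. Separately, the final `let &viminfofile = _viminfofile` is skipped if `rviminfo!` raises an error, while the temp file is cleaned up through `defer`; putting the `exe` in a `try` with the restore under `finally` would keep the emptied option from leaking into later tests. The C-side change is not shown on this page (the diffstat is limited to src/testdir), so whether the allocation size now matches the copy length cannot be confirmed from here.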
