commit eae10de14e8584b8c6c2b7b8255c8191b969698d
parent 6867d2492c1788dfab0a40d0fe453c4a3ce52e28
Author: zeertzjq <zeertzjq@outlook.com>
Date: Fri, 17 Nov 2023 09:22:30 +0800
vim-patch:9.0.1873: [security] heap-buffer-overflow in vim_regsub_both
Problem: heap-buffer-overflow in vim_regsub_both
Solution: Disallow exchanging windows when textlock is active
https://github.com/vim/vim/commit/f6d28fe2c95c678cc3202cc5dc825a3fcc709e93
Cherry-pick test_crash.vim change from patch 9.0.1876.
Co-authored-by: Christian Brabandt <cb@256bit.org>
Diffstat:
1 file changed, 8 insertions(+), 0 deletions(-)
diff --git a/test/old/testdir/test_crash.vim b/test/old/testdir/test_crash.vim
@@ -46,6 +46,7 @@ func Test_crash1()
let file = 'crash/poc_tagfunc.vim'
let args = printf(cmn_args, vim, file)
+ " using || because this poc causes vim to exit with exitstatus != 0
call term_sendkeys(buf, args ..
\ ' || echo "crash 5: [OK]" >> X_crash1_result.txt' .. "\<cr>")
@@ -59,6 +60,12 @@ func Test_crash1()
call delete('X')
call TermWait(buf, 3000)
+ let file = 'crash/vim_regsub_both_poc'
+ let args = printf(cmn_args, vim, file)
+ call term_sendkeys(buf, args ..
+ \ ' && echo "crash 7: [OK]" >> X_crash1_result.txt' .. "\<cr>")
+ call TermWait(buf, 1000)
+
" clean up
exe buf .. "bw!"
@@ -71,6 +78,7 @@ func Test_crash1()
\ 'crash 4: [OK]',
\ 'crash 5: [OK]',
\ 'crash 6: [OK]',
+ \ 'crash 7: [OK]',
\ ]
call assert_equal(expected, getline(1, '$'))
