diff options
author | Pavel Mayorov <pmayorov@cloudlinux.com> | 2023-02-20 14:35:20 +0000 |
---|---|---|
committer | Bram Moolenaar <Bram@vim.org> | 2023-02-20 14:35:20 +0000 |
commit | e1121b139480f53d1b06f84f3e4574048108fa0b (patch) | |
tree | 7c95e52cbc3b8972a7b5677fbfd53c630c6538ad | |
parent | af93691b53f38784efce0b93fe7644c44a7e382e (diff) | |
download | vim-git-e1121b139480f53d1b06f84f3e4574048108fa0b.tar.gz |
patch 9.0.1331: illegal memory access when using :ball in Visual modev9.0.1331
Problem: Illegal memory access when using :ball in Visual mode.
Solution: Stop Visual mode when using :ball. (Pavel Mayorov, closes #11923)
-rw-r--r-- | src/buffer.c | 4 | ||||
-rw-r--r-- | src/testdir/test_visual.vim | 21 | ||||
-rw-r--r-- | src/version.c | 2 |
3 files changed, 27 insertions, 0 deletions
diff --git a/src/buffer.c b/src/buffer.c index cb7bdf445..ff35729fb 100644 --- a/src/buffer.c +++ b/src/buffer.c @@ -5402,6 +5402,10 @@ ex_buffer_all(exarg_T *eap) else all = TRUE; + // Stop Visual mode, the cursor and "VIsual" may very well be invalid after + // switching to another buffer. + reset_VIsual_and_resel(); + setpcmark(); #ifdef FEAT_GUI diff --git a/src/testdir/test_visual.vim b/src/testdir/test_visual.vim index 295e16f93..f152e7b79 100644 --- a/src/testdir/test_visual.vim +++ b/src/testdir/test_visual.vim @@ -1534,4 +1534,25 @@ func Test_switch_buffer_ends_visual_mode() exe 'bwipe!' buf2 endfunc +" Check fix for the heap-based buffer overflow bug found in the function +" utfc_ptr2len and reported at +" https://huntr.dev/bounties/ae933869-a1ec-402a-bbea-d51764c6618e +func Test_heap_buffer_overflow() + enew + set updatecount=0 + + norm R0 + split other + norm R000 + exe "norm \<C-V>l" + ball + call assert_equal(getpos("."), getpos("v")) + call assert_equal('n', mode()) + norm zW + + %bwipe! + set updatecount& +endfunc + + " vim: shiftwidth=2 sts=2 expandtab diff --git a/src/version.c b/src/version.c index 63fd78792..4c1282327 100644 --- a/src/version.c +++ b/src/version.c @@ -696,6 +696,8 @@ static char *(features[]) = static int included_patches[] = { /* Add new patch number below this line */ /**/ + 1331, +/**/ 1330, /**/ 1329, |