adam/vim
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

patch 9.1.1609: complete: Heap-buffer overflow with complete function

Browse Source 
Problem:  complete: Heap-buffer overflow with complete function
          (zeertzjq)
Solution: Do not let startcol become negative (Girish Palya).

fixes: #17907
closes: #17934

Co-authored-by: zeertzjq <zeertzjq@outlook.com>
Co-authored-by: Hirohito Higashi <h.east.727@gmail.com>
Signed-off-by: Girish Palya <girishji@gmail.com>
Signed-off-by: Christian Brabandt <cb@256bit.org>
This commit is contained in:
Girish Palya
2025-08-08 15:42:27 +02:00
committed by Christian Brabandt
parent b89ff6c2e1
commit 761ea77670
3 changed files with 34 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
src/insexpand.c
View File

@ -247,7 +247,6 @@ typedef struct cpt_source_T
#endif #endif
} cpt_source_T; } cpt_source_T;
#define STARTCOL_NONE -9
static cpt_source_T *cpt_sources_array; // Pointer to the array of completion sources static cpt_source_T *cpt_sources_array; // Pointer to the array of completion sources
static int cpt_sources_count; // Total number of completion sources specified in the 'cpt' option static int cpt_sources_count; // Total number of completion sources specified in the 'cpt' option
static int cpt_sources_index = -1; // Index of the current completion source being expanded static int cpt_sources_index = -1; // Index of the current completion source being expanded
@ -5368,10 +5367,12 @@ prepare_cpt_compl_funcs(void)
else else
startcol = -2; startcol = -2;
} }
else if (startcol < 0 || startcol > curwin->w_cursor.col)
startcol = curwin->w_cursor.col;
cpt_sources_array[idx].cs_startcol = startcol; cpt_sources_array[idx].cs_startcol = startcol;
} }
else else
cpt_sources_array[idx].cs_startcol = STARTCOL_NONE; cpt_sources_array[idx].cs_startcol = -3;
(void)copy_option_part(&p, IObuff, IOSIZE, ","); // Advance p (void)copy_option_part(&p, IObuff, IOSIZE, ","); // Advance p
idx++; idx++;
@ -7495,6 +7496,8 @@ cpt_compl_refresh(void)
else else
startcol = -2; startcol = -2;
} }
else if (startcol < 0 || startcol > curwin->w_cursor.col)
startcol = curwin->w_cursor.col;
cpt_sources_array[cpt_sources_index].cs_startcol = startcol; cpt_sources_array[cpt_sources_index].cs_startcol = startcol;
if (ret == OK) if (ret == OK)
{ {
@ -7502,9 +7505,6 @@ cpt_compl_refresh(void)
get_cpt_func_completion_matches(cb); get_cpt_func_completion_matches(cb);
} }
} }
else
cpt_sources_array[cpt_sources_index].cs_startcol
= STARTCOL_NONE;
} }
(void)copy_option_part(&p, IObuff, IOSIZE, ","); // Advance p (void)copy_option_part(&p, IObuff, IOSIZE, ","); // Advance p

27
src/testdir/test_ins_complete.vim
View File

@ -5383,4 +5383,31 @@ func Test_scriplocal_autoload_func()
let &rtp = save_rtp let &rtp = save_rtp
endfunc endfunc
" Issue #17907
func Test_omni_start_invalid_col()
func OmniFunc(startcol, findstart, base)
if a:findstart
return a:startcol
else
return ['foo', 'foobar']
endif
endfunc
new
set complete=o
set omnifunc=funcref('OmniFunc',\ [-1])
call setline(1, ['baz '])
call feedkeys("A\<C-N>\<Esc>0", 'tx!')
call assert_equal('baz foo', getline(1))
set omnifunc=funcref('OmniFunc',\ [1000])
call setline(1, ['bar '])
call feedkeys("A\<C-N>\<Esc>0", 'tx!')
call assert_equal('bar foo', getline(1))
bw!
delfunc OmniFunc
set omnifunc& complete&
endfunc
" vim: shiftwidth=2 sts=2 expandtab nofoldenable " vim: shiftwidth=2 sts=2 expandtab nofoldenable

2
src/version.c
View File

@ -719,6 +719,8 @@ static char *(features[]) =
static int included_patches[] = static int included_patches[] =
{ /* Add new patch number below this line */ { /* Add new patch number below this line */
/**/
1609,
/**/ /**/
1608, 1608,
/**/ /**/