patch 9.1.1115: [security]: use-after-free in str_to_reg()
Problem:  [security]: use-after-free in str_to_reg()
          (fizz-is-on-the-way)
Solution: when redirecting the :display command, check that one
          does not output to the register being displayed
Github Advisory:
https://github.com/vim/vim/security/advisories/GHSA-63p5-mwg2-787v
Signed-off-by: Christian Brabandt <cb@256bit.org>
			
			
		| @ -2420,7 +2420,8 @@ ex_display(exarg_T *eap) | |||||||
|  |  | ||||||
| #ifdef FEAT_EVAL | #ifdef FEAT_EVAL | ||||||
| 	if (name == MB_TOLOWER(redir_reg) | 	if (name == MB_TOLOWER(redir_reg) | ||||||
| 		|| (redir_reg == '"' && yb == y_previous)) | 		|| (vim_strchr((char_u *)"\"*+", redir_reg) != NULL && | ||||||
|  | 		    (yb == y_previous || yb == &y_regs[0]))) | ||||||
| 	    continue;	    // do not list register being written to, the | 	    continue;	    // do not list register being written to, the | ||||||
| 			    // pointer can be freed | 			    // pointer can be freed | ||||||
| #endif | #endif | ||||||
|  | |||||||
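Review bot: The comment under the widened condition in the `#ifdef FEAT_EVAL` block is unchanged and no longer explains the check: it does not say why `*` and `+` are now handled like `"`, or why `&y_regs[0]` is skipped in addition to `y_previous`. Judging by the accompanying test, a redirect to `@+` without a working clipboard ends up writing to the unnamed register, so the listing would read a pointer that the redirect frees. A comment along the lines of `// without a working clipboard "* and "+ end up in y_regs[0]; redirecting to them frees the text being listed` would keep a later edit from narrowing the check again. The skip also applies when the clipboard does work, where it appears broader than necessary but only hides a line of output. ex_display() starts and ends outside this hunk.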
| @ -1102,4 +1102,24 @@ func Test_clipboard_regs_not_working2() | |||||||
|   let $DISPLAY=display |   let $DISPLAY=display | ||||||
| endfunc | endfunc | ||||||
|  |  | ||||||
|  | " This caused use-after-free | ||||||
|  | func Test_register_redir_display() | ||||||
|  |   " don't touch the clipboard, so only perform this, when the clipboard is not working | ||||||
|  |   if has("clipboard_working") | ||||||
|  |     throw "Skipped: skip touching the clipboard register!" | ||||||
|  |   endif | ||||||
|  |   let @"='' | ||||||
|  |   redir @+> | ||||||
|  |   disp +" | ||||||
|  |   redir END | ||||||
|  |   call assert_equal("\nType Name Content", getreg('+')) | ||||||
|  |   let a = [getreg('1'), getregtype('1')] | ||||||
|  |   let @1='register 1' | ||||||
|  |   redir @+ | ||||||
|  |   disp 1 | ||||||
|  |   redir END | ||||||
|  |   call assert_equal("register 1", getreg('1')) | ||||||
|  |   call setreg(1, a[0], a[1]) | ||||||
|  | endfunc | ||||||
|  |  | ||||||
| " vim: shiftwidth=2 sts=2 expandtab | " vim: shiftwidth=2 sts=2 expandtab | ||||||
|  | |||||||
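Review bot: Test_register_redir_display() throws `Skipped` whenever `has("clipboard_working")` is true, so this regression check for the use-after-free runs only where no clipboard is available, and within this test only the `+` case of the new `"\"*+"` condition is exercised. A case such as `redir @">` followed by `disp "` touches no clipboard register and could run unconditionally before the skip. The test also overwrites `@"` and `@+` without restoring them, while register 1 is saved with `getreg('1')`/`getregtype('1')` and restored; doing the same for the other two would keep later tests independent of this one.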
| @ -704,6 +704,8 @@ static char *(features[]) = | |||||||
|  |  | ||||||
| static int included_patches[] = | static int included_patches[] = | ||||||
| {   /* Add new patch number below this line */ | {   /* Add new patch number below this line */ | ||||||
|  | /**/ | ||||||
|  |     1115, | ||||||
| /**/ | /**/ | ||||||
|     1114, |     1114, | ||||||
| /**/ | /**/ | ||||||
|  | |||||||