From 56dc8b9212ef3a1eebe8e32266d4b6735b3c557b Mon Sep 17 00:00:00 2001 From: "Justin M. Keyes" Date: Fri, 6 Oct 2023 13:43:17 +0200 Subject: [PATCH] fix: heap-buffer-overflow in file_name_in_line heap-buffer-overflow on address 0x6020000079cf at pc 0x563e98bd70b6 bp 0x7ffc52efc430 sp 0x7ffc52efbbf8 = READ of size 1 at 0x6020000079cf thread T0 = 0 0x563e98bd70b5 in strlen (/home/runner/work/neovim/neovim/build/bin/nvim+0xc7b0b5) (BuildId: e40ec79ca4eae53c0155aeb03de88ddd5d29c5d2) = 1 0x563e99da4f45 in path_has_drive_letter /home/runner/work/neovim/neovim/src/nvim/path.c:1754:10 = 2 0x563e9a610d81 in file_name_in_line /home/runner/work/neovim/neovim/src/nvim/window.c:6951:49 = 3 0x563e9a61066f in file_name_at_cursor /home/runner/work/neovim/neovim/src/nvim/window.c:6917:10 = 4 0x563e995a08d6 in eval_vars /home/runner/work/neovim/neovim/src/nvim/ex_docmd.c:6903:16 = 5 0x563e9937c648 in f_expand /home/runner/work/neovim/neovim/src/nvim/eval/funcs.c:1754:20 = 6 0x563e99357819 in call_internal_func /home/runner/work/neovim/neovim/src/nvim/eval/funcs.c:273:3 = 7 0x563e994656de in call_func /home/runner/work/neovim/neovim/src/nvim/eval/userfunc.c:1719:15 = 8 0x563e99461ae6 in get_func_tv /home/runner/work/neovim/neovim/src/nvim/eval/userfunc.c:557:11 = 9 0x563e992c7c5d in eval_func /home/runner/work/neovim/neovim/src/nvim/eval.c:2281:13 = 10 0x563e992bf708 in eval7 /home/runner/work/neovim/neovim/src/nvim/eval.c:3208:15 = 11 0x563e992bbda9 in eval6 /home/runner/work/neovim/neovim/src/nvim/eval.c:2935:7 = 12 0x563e992b9e8d in eval5 /home/runner/work/neovim/neovim/src/nvim/eval.c:2791:7 = 13 0x563e992b87e2 in eval4 /home/runner/work/neovim/neovim/src/nvim/eval.c:2666:7 = 14 0x563e992b758d in eval3 /home/runner/work/neovim/neovim/src/nvim/eval.c:2575:7 = 15 0x563e9926299d in eval2 /home/runner/work/neovim/neovim/src/nvim/eval.c:2497:7 = 16 0x563e99250b0c in eval1 /home/runner/work/neovim/neovim/src/nvim/eval.c:2401:7 = 17 0x563e9924d68a in eval0 /home/runner/work/neovim/neovim/src/nvim/eval.c:2346:9 = 18 0x563e98f17315 in nvim_eval /home/runner/work/neovim/neovim/src/nvim/api/vimscript.c:170:3 = 19 0x563e98e7bb5e in handle_nvim_eval /home/runner/work/neovim/neovim/build/src/nvim/auto/api/private/dispatch_wrappers.generated.h:8953:15 = 20 0x563e99b62f59 in request_event /home/runner/work/neovim/neovim/src/nvim/msgpack_rpc/channel.c:444:19 = 21 0x563e9a1dcdc9 in state_handle_k_event /home/runner/work/neovim/neovim/src/nvim/state.c:115:7 = 22 0x563e99bf0718 in nv_event /home/runner/work/neovim/neovim/src/nvim/normal.c:6623:3 = 23 0x563e99bb4069 in normal_execute /home/runner/work/neovim/neovim/src/nvim/normal.c:1227:3 = 24 0x563e9a1dcb8d in state_enter /home/runner/work/neovim/neovim/src/nvim/state.c:97:26 = 25 0x563e99b9673c in normal_enter /home/runner/work/neovim/neovim/src/nvim/normal.c:516:3 = 26 0x563e98c82e0d in main /home/runner/work/neovim/neovim/src/nvim/main.c:643:3 = 27 0x7fcb81429d8f (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: 229b7dc509053fe4df5e29e8629911f0c3bc66dd) = 28 0x7fcb81429e3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x29e3f) (BuildId: 229b7dc509053fe4df5e29e8629911f0c3bc66dd) = 29 0x563e98bc0f74 in _start (/home/runner/work/neovim/neovim/build/bin/nvim+0xc64f74) (BuildId: e40ec79ca4eae53c0155aeb03de88ddd5d29c5d2) = = 0x6020000079cf is located 1 bytes to the left of 9-byte region [0x6020000079d0,0x6020000079d9) = allocated by thread T0 here: = 0 0x563e98c43dbe in __interceptor_malloc (/home/runner/work/neovim/neovim/build/bin/nvim+0xce7dbe) (BuildId: e40ec79ca4eae53c0155aeb03de88ddd5d29c5d2) = 1 0x563e99a7b6f6 in try_malloc /home/runner/work/neovim/neovim/src/nvim/memory.c:89:15 = 2 0x563e99a7b8dc in xmalloc /home/runner/work/neovim/neovim/src/nvim/memory.c:123:15 = 3 0x563e9901ace2 in ins_str /home/runner/work/neovim/neovim/src/nvim/change.c:801:16 = 4 0x563e99208133 in insertchar /home/runner/work/neovim/neovim/src/nvim/edit.c:2172:5 = 5 0x563e9921936c in insert_special /home/runner/work/neovim/neovim/src/nvim/edit.c:1995:5 = 6 0x563e99218e9f in insert_handle_key /home/runner/work/neovim/neovim/src/nvim/edit.c:1173:7 = 7 0x563e991f0f1d in insert_execute /home/runner/work/neovim/neovim/src/nvim/edit.c:671:10 = 8 0x563e9a1dcb8d in state_enter /home/runner/work/neovim/neovim/src/nvim/state.c:97:26 = 9 0x563e991f8c75 in insert_enter /home/runner/work/neovim/neovim/src/nvim/edit.c:338:5 = 10 0x563e991ed4e2 in edit /home/runner/work/neovim/neovim/src/nvim/edit.c:1270:3 = 11 0x563e99bf6007 in invoke_edit /home/runner/work/neovim/neovim/src/nvim/normal.c:6269:7 = 12 0x563e99bcb665 in nv_edit /home/runner/work/neovim/neovim/src/nvim/normal.c:6246:5 = 13 0x563e99bb4069 in normal_execute /home/runner/work/neovim/neovim/src/nvim/normal.c:1227:3 = 14 0x563e9a1dcb8d in state_enter /home/runner/work/neovim/neovim/src/nvim/state.c:97:26 = 15 0x563e99b9673c in normal_enter /home/runner/work/neovim/neovim/src/nvim/normal.c:516:3 = 16 0x563e98c82e0d in main /home/runner/work/neovim/neovim/src/nvim/main.c:643:3 = 17 0x7fcb81429d8f (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: 229b7dc509053fe4df5e29e8629911f0c3bc66dd) --- src/nvim/window.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/nvim/window.c b/src/nvim/window.c index ef6d3fd4a9..16bb7f5df7 100644 --- a/src/nvim/window.c +++ b/src/nvim/window.c @@ -6948,7 +6948,8 @@ char *file_name_in_line(char *line, int col, int options, int count, char *rel_f while (ptr > line) { if ((len = (size_t)(utf_head_off(line, ptr - 1))) > 0) { ptr -= len + 1; - } else if (vim_isfilec((uint8_t)ptr[-1]) || path_has_drive_letter(ptr - 2) + } else if (vim_isfilec((uint8_t)ptr[-1]) + || (len >= 2 && path_has_drive_letter(ptr - 2)) || ((options & FNAME_HYP) && path_is_url(ptr - 1))) { ptr--; } else {