shqking wrote:
> One null pointer dereference vulnerability is found in src/undo.c
> (https://github.com/vim/vim/blob/master/src/undo.c)
>
> The code snippet is as follows.
>
> 1383 static u_entry_T *
> 1384 unserialize_uep(bufinfo_T *bi, int *error, char_u *file_name)
> 1385 {
> ...
> 1402     uep->ue_size = undo_read_4c(bi);
> 1403     if (uep->ue_size > 0)
> 1404     {
> 1405         array = (char_u **)U_ALLOC_LINE(sizeof(char_u *) * uep->ue_size);
> 1406         if (array == NULL)
> 1407         {
> 1408             *error = TRUE;
> 1409             return uep;
> 1410         }
> 1411         vim_memset(array, 0, sizeof(char_u *) * uep->ue_size);
> 1412     }
> 1413     else
> 1414         array = NULL;
> 1415     uep->ue_array = array;
> 1416
> 1417     for (i = 0; i < uep->ue_size; ++i)
> ....
> 1434     return uep;
> 1435 }
>
> Variable uep->ue_size is read from user file at line 1402, so its value can be
> controlled by users. Null pointer is assigned to array at line 1414 if
> uep->ue_size is not positive, then uep->ue_array is also null at line 1415.
> After that, uep is returned from this function.
>
> Since no error code is set along this ELSE branch, the calling function
> unserialize_uhp() will link uep into the list uhp through the while-loop at
> line 1332. After that, uhp will be stored into uhp_table at line 1991 in
> function u_read_undo, and uhp_table is referred to via global pointer
> curbuf->b_u_curhead (at line 2085).
>
> As a result, a null pointer dereference vulnerability would occur if the
> program reads the uhp_table and uses uep->ue_array, which might be a null
> pointer. For example, one usage place is at line 2680 in function u_undoredo.
>
> One possible workaround is to return an error code for the ELSE branch at
> line 1413, just as line 1406 does. Attached please find the patch.
It is OK for ue_array to be NULL if the size is zero (or negative). All
places where ue_array is accessed should check the value of ue_size. I don't
see such a place. Thus I don't think there is a problem.

--
How To Keep A Healthy Level Of Insanity:
7. Finish all your sentences with "in accordance with the prophecy".

 /// Bram Moolenaar -- [email protected] -- http://www.Moolenaar.net   \\\
///        sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\
\\\  an exciting new programming language -- http://www.Zimbu.org        ///
 \\\            help me help AIDS victims -- http://ICCF-Holland.org    ///
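As an added example (not Vim's code and not the patch attached to the report), the following C model shows the invariant Bram describes: ue_array may be NULL whenever the size read from the undo file is zero or negative, so every reader consults ue_size before touching ue_array. The names entry_t, read_4c, parse_entry, entry_line and line_available, and the two 4-byte inputs, are constructed for this illustration.

```c
/* Added example, not Vim's code: models the ue_size / ue_array invariant.
 * entry_t, read_4c, parse_entry, entry_line, line_available are hypothetical. */
#include <stdint.h>
#include <stdlib.h>

typedef struct {
    int          ue_size;   /* line count, read from the untrusted file */
    const char **ue_array;  /* NULL whenever ue_size <= 0 */
} entry_t;

/* Big-endian 4-byte read in the spirit of undo_read_4c(); sign is kept,
 * so 0xFFFFFFFF from the file becomes -1. */
static int read_4c(const unsigned char *p)
{
    uint32_t v = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16)
               | ((uint32_t)p[2] << 8) | (uint32_t)p[3];
    return (int32_t)v;
}

/* Mirrors the ELSE branch under discussion: a non-positive size yields a
 * NULL array and no error. Returns 0 on success, -1 on allocation failure. */
static int parse_entry(const unsigned char *buf, entry_t *e)
{
    e->ue_size = read_4c(buf);
    if (e->ue_size > 0) {
        e->ue_array = calloc((size_t)e->ue_size, sizeof(const char *));
        if (e->ue_array == NULL)
            return -1;
        for (int i = 0; i < e->ue_size; ++i)
            e->ue_array[i] = "line";   /* constructed placeholder content */
    } else {
        e->ue_array = NULL;            /* legal: readers must check ue_size */
    }
    return 0;
}

/* The check every ue_array user needs: bounds come from ue_size, so a NULL
 * array is never dereferenced. Returns NULL when idx is out of range. */
static const char *entry_line(const entry_t *e, int idx)
{
    if (e->ue_size <= 0 || idx < 0 || idx >= e->ue_size)
        return NULL;
    return e->ue_array[idx];
}

/* Parse buf and report whether line idx is readable (1) or not (0). */
static int line_available(const unsigned char *buf, int idx)
{
    entry_t e;
    if (parse_entry(buf, &e) != 0)
        return 0;
    int ok = entry_line(&e, idx) != NULL;
    free(e.ue_array);                  /* free(NULL) is a no-op */
    return ok;
}

/* Constructed inputs: a size field of 2, and one of -1 (0xFFFFFFFF). */
static const unsigned char SIZE_TWO[4] = {0x00, 0x00, 0x00, 0x02};
static const unsigned char SIZE_NEG[4] = {0xFF, 0xFF, 0xFF, 0xFF};
```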
