)]}'
{
  "log": [
    {
      "commit": "5dd41d4b6370b7b7d09d691f9252b3899c66102a",
      "tree": "99bcf9a51f84ef73d003206c2d2960b51bd133b3",
      "parents": [
        "1e5d66408ef85c750a5af03bbf5cc19b5de7a6bc"
      ],
      "author": {
        "name": "Christian Brabandt",
        "email": "cb@256bit.org",
        "time": "Mon Dec 04 22:52:23 2023 +0100"
      },
      "committer": {
        "name": "Christian Brabandt",
        "email": "cb@256bit.org",
        "time": "Mon Dec 04 22:54:43 2023 +0100"
      },
      "message": "patch 9.0.2149: [security]: use-after-free in exec_instructions()\n\nProblem:  [security]: use-after-free in exec_instructions()\nSolution: get tv pointer again\n\n[security]: use-after-free in exec_instructions()\n\nexec_instructions may access freed memory, if the GA_GROWS_FAILS()\nre-allocates memory. When this happens, the typval tv may still point to\nnow already freed memory. So let\u0027s get that pointer again and compare it\nwith tv. If those two pointers differ, tv is now invalid and we have to\nrefresh the tv pointer.\n\ncloses: #13621\n\nSigned-off-by: Christian Brabandt \u003ccb@256bit.org\u003e\n"
    },
    {
      "commit": "abfa13ebe92d81aaf66669c428d767847b577453",
      "tree": "5b6d87d9c13568960be219188c849a4c41ba315c",
      "parents": [
        "b39b240c386a5a29241415541f1c99e2e6b8ce47"
      ],
      "author": {
        "name": "Christian Brabandt",
        "email": "cb@256bit.org",
        "time": "Thu Nov 30 11:32:18 2023 +0100"
      },
      "committer": {
        "name": "Christian Brabandt",
        "email": "cb@256bit.org",
        "time": "Fri Dec 01 18:58:51 2023 +0100"
      },
      "message": "patch 9.0.2143: [security]: buffer-overflow in ex_substitute\n\nProblem:  [security]: buffer-overflow in ex_substitute\nSolution: clear memory after allocating\n\nWhen allocating the new_start pointer in ex_substitute() the memory\npointer points to some garbage that the following for loop in\nex_cmds.c:4743 confuses and causes it to access the new_start pointer\nbeyond its size, leading to a buffer-overflow.\n\nSo fix this by using alloc_clear() instead of alloc(), which will\nclear the memory by NUL and therefore cause the loop to terminate\ncorrectly.\n\nReported by @henices, thanks!\n\ncloses: #13596\nSigned-off-by: Christian Brabandt \u003ccb@256bit.org\u003e\n"
    },
    {
      "commit": "b39b240c386a5a29241415541f1c99e2e6b8ce47",
      "tree": "25ac23d0f18efb91f00bc053d326fa8549e9d484",
      "parents": [
        "0fb375aae608d7306b4baf9c1f906961f32e2abf"
      ],
      "author": {
        "name": "Christian Brabandt",
        "email": "cb@256bit.org",
        "time": "Wed Nov 29 11:34:05 2023 +0100"
      },
      "committer": {
        "name": "Christian Brabandt",
        "email": "cb@256bit.org",
        "time": "Fri Dec 01 18:58:51 2023 +0100"
      },
      "message": "patch 9.0.2142: [security]: stack-buffer-overflow in option callback functions\n\nProblem:  [security]: stack-buffer-overflow in option callback functions\nSolution: pass size of errbuf down the call stack, use snprintf()\n          instead of sprintf()\n\nWe pass the error buffer down to the option callback functions, but in\nsome parts of the code, we simply use sprintf(buf) to write into the error\nbuffer, which can overflow.\n\nSo let\u0027s pass down the length of the error buffer and use sprintf(buf, size)\ninstead.\n\nReported by @henices, thanks!\n\nSigned-off-by: Christian Brabandt \u003ccb@256bit.org\u003e\n"
    },
    {
      "commit": "0fb375aae608d7306b4baf9c1f906961f32e2abf",
      "tree": "10a990e59a5b11b65536b3ad9a482e0a26a9d584",
      "parents": [
        "eec0c2b3a4cfab93dd8d4adaa60638d47a2bbc8a"
      ],
      "author": {
        "name": "Christian Brabandt",
        "email": "cb@256bit.org",
        "time": "Wed Nov 29 10:23:39 2023 +0100"
      },
      "committer": {
        "name": "Christian Brabandt",
        "email": "cb@256bit.org",
        "time": "Fri Dec 01 18:58:50 2023 +0100"
      },
      "message": "patch 9.0.2141: [security]: buffer-overflow in suggest_trie_walk\n\nProblem:  [security]: buffer-overflow in suggest_trie_walk\nSolution: Check n before using it as index into byts array\n\nBasically, n as an index into the byts array, can point to beyond the byts\narray. So let\u0027s double check, that n is within the expected range after\nincrementing it from sp-\u003ets_curi and bail out if it would be invalid.\n\nReported by @henices, thanks!\n\nSigned-off-by: Christian Brabandt \u003ccb@256bit.org\u003e\n"
    },
    {
      "commit": "eec0c2b3a4cfab93dd8d4adaa60638d47a2bbc8a",
      "tree": "2f60c6c3095b52818325cbd6c92dcb293f8c8727",
      "parents": [
        "9cc95aa0d8f52bb0c906ca13297ce3a2ba615f2b"
      ],
      "author": {
        "name": "Christian Brabandt",
        "email": "cb@256bit.org",
        "time": "Tue Nov 28 22:03:48 2023 +0100"
      },
      "committer": {
        "name": "Christian Brabandt",
        "email": "cb@256bit.org",
        "time": "Fri Dec 01 18:58:50 2023 +0100"
      },
      "message": "patch 9.0.2140: [security]: use-after-free in win-enter\n\nProblem:  [security]: use-after-free in win-enter\nSolution: validate window pointer before calling win_enter()\n\nwin_goto() may stop visual mode, if it is active. However, this may in\nturn trigger the ModeChanged autocommand, which could potentially free\nthe wp pointer, which was valid before but now became stale and points to now\nfreed memory.\n\nSo before calling win_enter(), let\u0027s verify one more time, that the\nwp pointer still points to a valid window structure.\n\nReported by @henices, thanks!\n\nSigned-off-by: Christian Brabandt \u003ccb@256bit.org\u003e\n"
    },
    {
      "commit": "25aabc2b8ee1e19ced6f4da9d866cf9378fc4c5a",
      "tree": "9b56e90635d6bc6b124bda1d179348bcd6a2cf8d",
      "parents": [
        "67abf1592c83c910c7815478f67e0a8989d51417"
      ],
      "author": {
        "name": "Christian Brabandt",
        "email": "cb@256bit.org",
        "time": "Tue Nov 14 19:31:34 2023 +0100"
      },
      "committer": {
        "name": "Christian Brabandt",
        "email": "cb@256bit.org",
        "time": "Thu Nov 16 22:04:00 2023 +0100"
      },
      "message": "patch 9.0.2106: [security]: Use-after-free in win_close()\n\nProblem:  [security]: Use-after-free in win_close()\nSolution: Check window is valid, before accessing it\n\nIf the current window structure is no longer valid (because a previous\nautocommand has already freed this window), fail and return before\nattempting to set win-\u003ew_closing variable.\n\nAdd a test to trigger ASAN in CI\n\nSigned-off-by: Christian Brabandt \u003ccb@256bit.org\u003e\n"
    },
    {
      "commit": "41e6f7d6ba67b61d911f9b1d76325cd79224753d",
      "tree": "d2b6fcf5f7daa4712502d693635bcc3125bc38ca",
      "parents": [
        "54844857fd6933fa4f6678e47610c4b9c9f7a091"
      ],
      "author": {
        "name": "Christian Brabandt",
        "email": "cb@256bit.org",
        "time": "Wed Oct 11 21:08:13 2023 +0200"
      },
      "committer": {
        "name": "Christian Brabandt",
        "email": "cb@256bit.org",
        "time": "Wed Oct 11 21:09:53 2023 +0200"
      },
      "message": "patch 9.0.2010: [security] use-after-free from buf_contents_changed()\n\nProblem:  [security] use-after-free from buf_contents_changed()\nSolution: block autocommands\n\nSigned-off-by: Christian Brabandt \u003ccb@256bit.org\u003e\n"
    },
    {
      "commit": "20d161ace307e28690229b68584f2d84556f8960",
      "tree": "a32cb8c7f5a18d862253b3b6832d2d38f97f1210",
      "parents": [
        "290b887e8cc2c0d3dfc7f315b2052472c7c589cc"
      ],
      "author": {
        "name": "Christian Brabandt",
        "email": "cb@256bit.org",
        "time": "Thu Oct 05 22:08:30 2023 +0200"
      },
      "committer": {
        "name": "Christian Brabandt",
        "email": "cb@256bit.org",
        "time": "Thu Oct 05 22:10:10 2023 +0200"
      },
      "message": "patch 9.0.1992: [security] segfault in exmode\n\nProblem:  segfault in exmode when redrawing\nSolution: skip gui_scroll when exmode_active\n\nSigned-off-by: Christian Brabandt \u003ccb@256bit.org\u003e\n"
    },
    {
      "commit": "3bd7fa12e146c6051490d048a4acbfba974eeb04",
      "tree": "16eef95edff7dd16bcf19fa40cd6d55e74e7a49c",
      "parents": [
        "6ee7b521fa7531ef356ececc8be7575c3800f872"
      ],
      "author": {
        "name": "Christian Brabandt",
        "email": "cb@256bit.org",
        "time": "Mon Oct 02 20:59:08 2023 +0200"
      },
      "committer": {
        "name": "Christian Brabandt",
        "email": "cb@256bit.org",
        "time": "Mon Oct 02 20:59:47 2023 +0200"
      },
      "message": "patch 9.0.1969: [security] buffer-overflow in trunc_string()\n\nProblem:  buffer-overflow in trunc_string()\nSolution: Add NULL at end of buffer\n\nCurrently trunc_string() assumes that when the string is too long,\nbuf[e-1] will always be writeable. But that assumption may not always be\ntrue. The condition currently looks like this\n\n    else if (e + 3 \u003c buflen)\n    [...]\n    else\n    {\n\t// can\u0027t fit in the \"...\", just truncate it\n\tbuf[e - 1] \u003d NUL;\n    }\n\nbut this means, we may run into the last else clause with e still being\nlarger than buflen. So a buffer overflow occurs.\n\nSo instead of using `buf[e - 1]`, let\u0027s just always\ntruncate at `buf[buflen - 1]` which should always be writable.\n\nSigned-off-by: Christian Brabandt \u003ccb@256bit.org\u003e\n"
    },
    {
      "commit": "da200c2f78ef3c91557a2b484d284eb0c1c62776",
      "tree": "b376f8b4e8367190ace73f06245af3ad62fb557a",
      "parents": [
        "5856b07795dff69e3bac57deb5033b5839c1dfb8"
      ],
      "author": {
        "name": "Christian Brabandt",
        "email": "cb@256bit.org",
        "time": "Wed Sep 06 21:12:24 2023 +0200"
      },
      "committer": {
        "name": "Christian Brabandt",
        "email": "cb@256bit.org",
        "time": "Wed Sep 06 21:12:24 2023 +0200"
      },
      "message": "patch 9.0.1882: Trailing white space in tests\n\nProblem:  Trailing white space in tests\nSolution: Delete it\n\nThis causes test_codestyle to fail, so we need to remove it again.\nHopefully that makes the CI green again.\n\nNote: I will start using annotated tags from now on.\n\nSigned-off-by: Christian Brabandt \u003ccb@256bit.org\u003e\n"
    },
    {
      "commit": "5856b07795dff69e3bac57deb5033b5839c1dfb8",
      "tree": "58cd81b4b8b35fdc5919f122d21d207751710d73",
      "parents": [
        "cf138d4ea5b7e4495abbc867f9bb8a6be6482762"
      ],
      "author": {
        "name": "Christian Brabandt",
        "email": "cb@256bit.org",
        "time": "Wed Sep 06 20:53:46 2023 +0200"
      },
      "committer": {
        "name": "Christian Brabandt",
        "email": "cb@256bit.org",
        "time": "Wed Sep 06 20:53:46 2023 +0200"
      },
      "message": "patch 9.0.1881: Test_crash fails on Mac\n\nProblem:  Test_crash fails on Mac\nSolution: Skip test on Mac\n\nSigned-off-by: Christian Brabandt \u003ccb@256bit.org\u003e\n"
    },
    {
      "commit": "1690ec64ffd784cddddb937870f5891adbb21986",
      "tree": "41e07ccf4a7aae339334f5f5254c122eb654f4c7",
      "parents": [
        "18d2709aa12ffa3f6ae1a13059990558c5f8e406"
      ],
      "author": {
        "name": "Philip H",
        "email": "47042125+pheiduck@users.noreply.github.com",
        "time": "Wed Sep 06 20:20:07 2023 +0200"
      },
      "committer": {
        "name": "Christian Brabandt",
        "email": "cb@256bit.org",
        "time": "Wed Sep 06 20:20:07 2023 +0200"
      },
      "message": "patch 9.0.1878: tests running sh have problems\n\nProblem:  tests running sh have problems\nSolution: Check that dash is installed\n\ncloses: #13040\n\nSigned-off-by: Christian Brabandt \u003ccb@256bit.org\u003e\nCo-authored-by: Philip H \u003c47042125+pheiduck@users.noreply.github.com\u003e\nCo-authored-by: Christian Brabandt \u003ccb@256bit.org\u003e\n"
    },
    {
      "commit": "00cb247465856eaa546c520b65cf0ccc753ee1cd",
      "tree": "e6925577888a5fa96c3fb5ae4b68dd8c02bc0d1d",
      "parents": [
        "28a60f898d5cd7023596b0e96a081b1573edc807"
      ],
      "author": {
        "name": "Christian Brabandt",
        "email": "cb@256bit.org",
        "time": "Tue Sep 05 20:46:25 2023 +0200"
      },
      "committer": {
        "name": "Christian Brabandt",
        "email": "cb@256bit.org",
        "time": "Tue Sep 05 20:53:46 2023 +0200"
      },
      "message": "patch 9.0.1876: Vim9: parsing commands with newlines wrong\n\nProblem:  Vim9: parsing commands with newlines wrong\nSolution: Accept a \u0027\\n\u0027 for parsing lists and command arguments\n\ncloses: #13015\ncloses: #13020\n\nSigned-off-by: Christian Brabandt \u003ccb@256bit.org\u003e\n"
    },
    {
      "commit": "f6d28fe2c95c678cc3202cc5dc825a3fcc709e93",
      "tree": "a0acea7e99632dae8fd280bdadf932fc59435b2b",
      "parents": [
        "d2a08ba0fa4a25f31cee9d9f33b0aa8237227387"
      ],
      "author": {
        "name": "Christian Brabandt",
        "email": "cb@256bit.org",
        "time": "Tue Sep 05 20:18:06 2023 +0200"
      },
      "committer": {
        "name": "Christian Brabandt",
        "email": "cb@256bit.org",
        "time": "Tue Sep 05 20:18:06 2023 +0200"
      },
      "message": "patch 9.0.1873: [security] heap-buffer-overflow in vim_regsub_both\n\nProblem:  heap-buffer-overflow in vim_regsub_both\nSolution: Disallow exchanging windows when textlock is active\n\nSigned-off-by: Christian Brabandt \u003ccb@256bit.org\u003e\n"
    },
    {
      "commit": "d2a08ba0fa4a25f31cee9d9f33b0aa8237227387",
      "tree": "c5c52f2bbaa413dc9597ae28d4b18b8300c416b8",
      "parents": [
        "a4245a10eacac614dc833a2721cd7c0376627ec8"
      ],
      "author": {
        "name": "Christian Brabandt",
        "email": "cb@256bit.org",
        "time": "Tue Sep 05 07:45:04 2023 +0200"
      },
      "committer": {
        "name": "Christian Brabandt",
        "email": "cb@256bit.org",
        "time": "Tue Sep 05 07:45:04 2023 +0200"
      },
      "message": "patch 9.0.1872: CI: test_crash() fails on CI\n\nProblem:  CI: test_crash() fails on CI\nSolution: Skip test on BSD\n\nSigned-off-by: Christian Brabandt \u003ccb@256bit.org\u003e\n"
    },
    {
      "commit": "59adcb4c203371258c72e76011da93eac8540317",
      "tree": "485782c4ede8b627993c7dbd753d69471df10364",
      "parents": [
        "e4ba5df7c7359742999263115b2faeff94f5a35c"
      ],
      "author": {
        "name": "Christian Brabandt",
        "email": "cb@256bit.org",
        "time": "Mon Sep 04 22:42:55 2023 +0200"
      },
      "committer": {
        "name": "Christian Brabandt",
        "email": "cb@256bit.org",
        "time": "Mon Sep 04 22:42:55 2023 +0200"
      },
      "message": "patch 9.0.1868: test_crash still fails for circle ci\n\nProblem:  test_crash still fails for circle ci\nSolution: give even more time to complete\n\nSigned-off-by: Christian Brabandt \u003ccb@256bit.org\u003e\n"
    },
    {
      "commit": "623ba31821a41acee7e948794e84867680b97885",
      "tree": "bf6c964be7cd4f4c8885c139096b3b434dc81444",
      "parents": [
        "e073a8b79f1d3398b27f35b7920746b564a169e9"
      ],
      "author": {
        "name": "Christian Brabandt",
        "email": "cb@256bit.org",
        "time": "Mon Sep 04 22:09:12 2023 +0200"
      },
      "committer": {
        "name": "Christian Brabandt",
        "email": "cb@256bit.org",
        "time": "Mon Sep 04 22:09:12 2023 +0200"
      },
      "message": "patch 9.0.1864: still crash with bt_quickfix1_poc\n\nProblem:  crash with bt_quickfix1_poc when cleaning up\n          and EXITFREE is defined\nSolution: Test if buffer is valid in a window, else close\n          window directly, don\u0027t try to access buffer properties\n\nWhile at it, increase the crash timeout slightly, so that CI has a\nchance to finish processing the test_crash() test.\n\nSigned-off-by: Christian Brabandt \u003ccb@256bit.org\u003e\n"
    },
    {
      "commit": "f44cbe96fa44d10d6dd717e0a9f6ef0f104ee98a",
      "tree": "91d72f0c93871e749aeee51c91f43336e41adc2b",
      "parents": [
        "6e60cf444a8839ca1694319bf9a82e7b097e5c4d"
      ],
      "author": {
        "name": "Christian Brabandt",
        "email": "cb@256bit.org",
        "time": "Mon Sep 04 07:42:27 2023 +0200"
      },
      "committer": {
        "name": "Christian Brabandt",
        "email": "cb@256bit.org",
        "time": "Mon Sep 04 07:42:27 2023 +0200"
      },
      "message": "patch 9.0.1860: CI: test_crash1() is flaky\n\nProblem:  CI: test_crash1() is flaky\nSolution: Wait a bit longer\n\nSigned-off-by: Christian Brabandt \u003ccb@256bit.org\u003e\n"
    },
    {
      "commit": "6e60cf444a8839ca1694319bf9a82e7b097e5c4d",
      "tree": "0ae96b7f0834c9e82cd174dda7683eb209dd46e3",
      "parents": [
        "ee9166eb3b41846661a39b662dc7ebe8b5e15139"
      ],
      "author": {
        "name": "Christian Brabandt",
        "email": "cb@256bit.org",
        "time": "Sun Sep 03 21:43:46 2023 +0200"
      },
      "committer": {
        "name": "Christian Brabandt",
        "email": "cb@256bit.org",
        "time": "Sun Sep 03 21:43:46 2023 +0200"
      },
      "message": "patch 9.0.1859: heap-use-after-free in bt_normal()\n\nProblem:  heap-use-after-free in bt_normal()\nSolution: check that buffer is still valid\n\nSigned-off-by: Christian Brabandt \u003ccb@256bit.org\u003e\n"
    },
    {
      "commit": "ee9166eb3b41846661a39b662dc7ebe8b5e15139",
      "tree": "05f2a8a49b5a322d7f5d3840366e764ebcb7c0c5",
      "parents": [
        "fc68299d436cf87453e432daa77b6d545df4d7ed"
      ],
      "author": {
        "name": "Christian Brabandt",
        "email": "cb@256bit.org",
        "time": "Sun Sep 03 21:24:33 2023 +0200"
      },
      "committer": {
        "name": "Christian Brabandt",
        "email": "cb@256bit.org",
        "time": "Sun Sep 03 21:24:33 2023 +0200"
      },
      "message": "patch 9.0.1858: [security] heap use after free in ins_compl_get_exp()\n\nProblem:  heap use after free in ins_compl_get_exp()\nSolution: validate buffer before accessing it\n\nSigned-off-by: Christian Brabandt \u003ccb@256bit.org\u003e\n"
    },
    {
      "commit": "fc68299d436cf87453e432daa77b6d545df4d7ed",
      "tree": "de179fbfbc61e6d9f59d2343f777f2cb83c55fff",
      "parents": [
        "aa90d4f031f73a34aaef5746931ea746849a2231"
      ],
      "author": {
        "name": "Christian Brabandt",
        "email": "cb@256bit.org",
        "time": "Sun Sep 03 20:20:52 2023 +0200"
      },
      "committer": {
        "name": "Christian Brabandt",
        "email": "cb@256bit.org",
        "time": "Sun Sep 03 20:20:52 2023 +0200"
      },
      "message": "patch 9.0.1857: [security] heap-use-after-free in is_qf_win()\n\nProblem:  heap-use-after-free in is_qf_win()\nSolution: Check buffer is valid before accessing it\n\nSigned-off-by: Christian Brabandt \u003ccb@256bit.org\u003e\n"
    },
    {
      "commit": "db510ca8052884fd260f425025bacf44f6c92fa9",
      "tree": "1f60b8dd639b78bb6fc21521578d6d0c7e052d5f",
      "parents": [
        "15cbaae31382f17c96a4519e334dd7ba4a90ecba"
      ],
      "author": {
        "name": "Christian Brabandt",
        "email": "cb@256bit.org",
        "time": "Sun Sep 03 09:23:12 2023 +0200"
      },
      "committer": {
        "name": "Christian Brabandt",
        "email": "cb@256bit.org",
        "time": "Sun Sep 03 09:30:09 2023 +0200"
      },
      "message": "patch 9.0.1854: test_crash1() fails on CI\n\nProblem:  test_crash1() fails on CI\nSolution: don\u0027t run Screendump test, verify that it doesn\u0027t crash\n          by running it through a shell command line, testing\n          the exit value and concatenating success cmd using \u0027\u0026\u0026\u0027\n\nSigned-off-by: Christian Brabandt \u003ccb@256bit.org\u003e\n"
    },
    {
      "commit": "ced2c7394aafdc90fb7845e09b3a3fee23d48cb1",
      "tree": "9576ca9f0aa1d127ed8d06821375b6d2de50fd5a",
      "parents": [
        "889f6af37164775192e33b233a90e86fd3df0f57"
      ],
      "author": {
        "name": "Christian Brabandt",
        "email": "cb@256bit.org",
        "time": "Sat Sep 02 21:15:52 2023 +0200"
      },
      "committer": {
        "name": "Christian Brabandt",
        "email": "cb@256bit.org",
        "time": "Sat Sep 02 21:37:04 2023 +0200"
      },
      "message": "patch 9.0.1848: [security] buffer-overflow in vim_regsub_both()\n\nProblem:  buffer-overflow in vim_regsub_both()\nSolution: Check remaining space\n\nSigned-off-by: Christian Brabandt \u003ccb@256bit.org\u003e\n"
    },
    {
      "commit": "e1dc9a627536304bc4f738c21e909ad9fcf3974c",
      "tree": "03d9e7d48d9db0cfd5321b735c542f642ff84860",
      "parents": [
        "acb91d3905cfef5eff8edfb76e62a6b6bab1e91e"
      ],
      "author": {
        "name": "Christian Brabandt",
        "email": "cb@256bit.org",
        "time": "Sat Sep 02 14:40:13 2023 +0200"
      },
      "committer": {
        "name": "Christian Brabandt",
        "email": "cb@256bit.org",
        "time": "Sat Sep 02 14:44:47 2023 +0200"
      },
      "message": "patch 9.0.1840: [security] use-after-free in do_ecmd\n\nProblem:  use-after-free in do_ecmd\nSolution: Verify oldwin pointer after reset_VIsual()\n\nSigned-off-by: Christian Brabandt \u003ccb@256bit.org\u003e\n"
    }
  ]
}
