patch 9.1.1043: [security]: segfault in win_line()

chrisbra · chrisbra · commit 9d1bed5eccdb · 2025-01-20T22:55:57.000+01:00
Problem: [security]: segfault in win_line() (fizz-is-on-the-way) Solution: Check that ScreenLines is not NULL Github Advisory: GHSA-j3g9-wg22-v955 Signed-off-by: Christian Brabandt <cb@256bit.org>
diff --git a/src/gui.c b/src/gui.c
@@ -4478,13 +4478,15 @@ gui_do_scroll(void)
     /*
      * Don't call updateWindow() when nothing has changed (it will overwrite
      * the status line!).
+     *
+     * Check for ScreenLines, because in ex-mode, we don't have a valid display.
      */
-    if (old_topline != wp->w_topline
+    if (ScreenLines != NULL && (old_topline != wp->w_topline
 	    || wp->w_redr_type != 0
 #ifdef FEAT_DIFF
 	    || old_topfill != wp->w_topfill
 #endif
-	    )
+	    ))
     {
 	int type = UPD_VALID;
 
diff --git a/src/testdir/crash/ex_redraw_crash b/src/testdir/crash/ex_redraw_crash
@@ -0,0 +1 @@
+vdivvi|gIv|÷�X��\��,X��X��\��#X��\��<��\��,X��X
diff --git a/src/testdir/test_crash.vim b/src/testdir/test_crash.vim
@@ -234,6 +234,12 @@ func Test_crash1_3()
   call term_sendkeys(buf, args)
   call TermWait(buf, 50)
 
+  let file = 'crash/ex_redraw_crash'
+  let cmn_args = "%s -u NONE -i NONE -n -m -X -Z -e -s -S %s -c ':qa!'"
+  let args = printf(cmn_args, vim, file)
+  call term_sendkeys(buf, args)
+  call TermWait(buf, 150)
+
   " clean up
   exe buf .. "bw!"
   bw!
diff --git a/src/version.c b/src/version.c
@@ -704,6 +704,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    1043,
 /**/
     1042,
 /**/

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+vdivvi\|gIv\|÷�X��\��,X��X��\��#X��\��<��\��,X��X`