oss-sec mailing list archives

A heap use-after-free was found in str_to_reg() in Vim < 9.1.1115
==================================================================
Date: 16.02.2025
Severity: Medium
CVE: *not yet assigned
CWE: Use-after-free (CWE-416)

Vim allows to redirect screen messages using the `:redir` ex command to
register, variables and files. It also allows to show the contents of
registers using the `:registers` or `:display` ex command.

When redirecting the output of `:display` to a register, Vim will free 
the register content before storing the new content in the
register. Now when redirecting the `:display` command to a register that
is being displayed, Vim will free the content while shortly afterwards
trying to access it, which leads to a use-after-free.

Vim pre 9.1.1115 checks in the ex_display() function, that it does not
try to redirect to a register while displaying this register at the same
time. However this check is not complete, and so Vim does not check the
`+` and `*` registers (which typically donate the X11/clipboard
registers, and when a clipboard connection is not possible will fall
back to use register 0 instead.

In Patch 9.1.1115 Vim will therefore skip outputting to register zero
when trying to redirect to the clipboard registers `*` or `+`.

Impact is medium since this is a rather unusual situation and a user
must explicitly run this command.

The Vim project would like to thank github user @fizz-is-on-the-way
for reporting this issue.

The issue has been fixed as of Vim patch v9.1.1115

References:
https://github.com/vim/vim/commit/c0f0e2380e5954f4a52a131bf6b8
https://github.com/vim/vim/security/advisories/GHSA-63p5-mwg2-787v

Thanks,
Christian

Current thread:

• [vim-security] heap use-after-free in str_to_reg() in Vim < Christian Brabandt (Feb 16)