patch 9.0.1331: illegal memory access when using :ball in Visual mode

Problem:    Illegal memory access when using :ball in Visual mode.
Solution:   Stop Visual mode when using :ball. (Pavel Mayorov, closes #11923)

diff --git a/src/buffer.c b/src/buffer.c
index cb7bdf445dee1cded42ef0b59153686b495d6877..ff35729fb9299b90529da59ce3c315970266af54 100644 (file)
--- a/src/buffer.c
+++ b/src/buffer.c
@@ -5402,6 +5402,10 @@ ex_buffer_all(exarg_T *eap)
     else
        all = TRUE;
 
+    // Stop Visual mode, the cursor and "VIsual" may very well be invalid after
+    // switching to another buffer.
+    reset_VIsual_and_resel();
+
     setpcmark();
 
 #ifdef FEAT_GUI

diff --git a/src/testdir/test_visual.vim b/src/testdir/test_visual.vim
index 295e16f93d9d9965a0b7775f9c16dde447b9792e..f152e7b79ba805653954031538185b2824857882 100644 (file)
--- a/src/testdir/test_visual.vim
+++ b/src/testdir/test_visual.vim
@@ -1534,4 +1534,25 @@ func Test_switch_buffer_ends_visual_mode()
   exe 'bwipe!' buf2
 endfunc
 
+" Check fix for the heap-based buffer overflow bug found in the function
+" utfc_ptr2len and reported at
+" https://huntr.dev/bounties/ae933869-a1ec-402a-bbea-d51764c6618e
+func Test_heap_buffer_overflow()
+  enew
+  set updatecount=0
+
+  norm R0
+  split other
+  norm R000
+  exe "norm \<C-V>l"
+  ball
+  call assert_equal(getpos("."), getpos("v"))
+  call assert_equal('n', mode())
+  norm zW
+
+  %bwipe!
+  set updatecount&
+endfunc
+
+
 " vim: shiftwidth=2 sts=2 expandtab

diff --git a/src/version.c b/src/version.c
index 63fd787923260566e1ca79d66f8493557bbe0379..4c1282327573d2ab7de99184256bb62e09b75207 100644 (file)
--- a/src/version.c
+++ b/src/version.c
@@ -695,6 +695,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    1331,
 /**/
     1330,
 /**/