Affected product: Vim
CPE: cpe:2.3:a:vim:vim:*:*:*:*:*:*:*
Affected versions: < 9.1.1115
A heap use-after-free vulnerability has been identified in Vim versions prior to 9.1.1115. The issue arises in the 'str_to_reg()' function when the ':display' command is redirected to a register that is currently being displayed. Vim frees the register's content before the new content is stored, leading to a use-after-free condition. Although Vim normally checks to avoid this situation, the check is incomplete and does not account for the '+' and '*' registers, which are used for X11 clipboard operations. In Vim patch 9.1.1115, this issue is addressed by preventing output to register zero when redirecting to the clipboard registers, ensuring proper handling and eliminating the use-after-free vulnerability.
Exploitation of this vulnerability causes a heap use-after-free condition, which can lead to memory corruption and potentially allow for arbitrary code execution.
To reproduce this vulnerability, first ensure that Vim is a version prior to 9.1.1115 and that the clipboard is not functioning. Then, redirect the ':display' command to a register that is being displayed, specifically using the '+' or '*' registers. This will trigger the use-after-free condition by freeing the register's content while it is still being accessed.
Users are advised to upgrade to Vim version 9.1.1115 or later, where this vulnerability has been patched.
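To check the upgrade advice above on a host, the following added example (not part of the original advisory or the Vim project) parses `vim --version` output and reports whether patch 9.1.1115 is included. The function names and sample outputs are constructed for illustration, and it assumes that releases later than 9.1 carry the fix.

```python
import re
import subprocess

FIXED = (9, 1, 1115)  # first fixed release named in the advisory


def parse_vim_version(text):
    """Return (major, minor, [(lo, hi), ...]) from `vim --version` output."""
    ver = re.search(r"VIM - Vi IMproved (\d+)\.(\d+)", text)
    if not ver:
        raise ValueError("input does not look like `vim --version` output")
    ranges = []
    line = re.search(r"^Included patches:(.*)$", text, re.MULTILINE)
    if line:
        # Vim prints ranges and single patches, e.g. "1-10, 12, 15-40"
        for lo, hi in re.findall(r"(\d+)(?:-(\d+))?", line.group(1)):
            ranges.append((int(lo), int(hi or lo)))
    return int(ver.group(1)), int(ver.group(2)), ranges


def has_fix(text):
    """True if the build described by `text` includes patch 9.1.1115."""
    major, minor, ranges = parse_vim_version(text)
    if (major, minor) != FIXED[:2]:
        # Assumption: releases after 9.1 carry the fix; earlier ones do not.
        return (major, minor) > FIXED[:2]
    # Test membership, not the highest number: patch lists can have gaps.
    return any(lo <= FIXED[2] <= hi for lo, hi in ranges)


# Constructed sample outputs (not captured from real systems).
HEADER = "VIM - Vi IMproved {} (2024 Jan 02, compiled Jan 10 2025 10:00:00)\n"
SAMPLE_OLD = HEADER.format("9.1") + "Included patches: 1-1000\n"
SAMPLE_FIXED = HEADER.format("9.1") + "Included patches: 1-1115\n"
SAMPLE_GAP = HEADER.format("9.1") + "Included patches: 1-1114, 1116-1200\n"
SAMPLE_9_0 = HEADER.format("9.0") + "Included patches: 1-2000\n"

if __name__ == "__main__":
    out = subprocess.run(["vim", "--version"],
                         capture_output=True, text=True).stdout
    print("patched" if has_fix(out) else "upgrade to 9.1.1115 or later")
```

Distribution packages that backport the fix without changing the patch list will be reported as unpatched, so confirm those against the vendor's own advisory.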