Vim Heap-Based Buffer Overflow and Out-of-Bounds Read Vulnerability in Terminal Emulator

Vulnerability

A heap-based buffer overflow (an out-of-bounds write) and an out-of-bounds read have been identified in Vim's terminal emulator. The issue affects Vim versions prior to 9.2.0076 and arises when the editor processes the maximum number of combining characters from Unicode supplementary planes. The vulnerable code is in the 'handle_pushline()' function within 'src/terminal.c'.

The heap overflow occurs because Vim allocates 21 bytes per cell, based on the assumption that characters will remain within the Basic Multilingual Plane (BMP). However, a cell can actually contain up to six characters from supplementary planes, each requiring four bytes (24 bytes in total), leading to a three-byte heap overflow. The out-of-bounds read is caused by a loop that iterates over cell characters without properly checking the boundaries, allowing it to read past the end of the character array.
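The sizing error and the missing loop bound described above, shown as an added C example (not Vim's code and not taken from the advisory): a cell encoder that stops at six characters and refuses to write past the buffer it is given. The constants 6 and 21 come from the text; the function names and the sample cells are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_CHARS_PER_CELL 6 /* from the text: up to six characters per cell */
#define BMP_SIZED_BUF 21     /* from the text: bytes allocated per cell */

/* Constructed sample cells: a base character plus five combining marks. */
static const uint32_t supp_cell[MAX_CHARS_PER_CELL] = /* supplementary plane */
    {0x1D158, 0x1D165, 0x1D16E, 0x1D16F, 0x1D170, 0x1D171};
static const uint32_t bmp_cell[MAX_CHARS_PER_CELL] = /* BMP, 3 bytes each */
    {0x3042, 0x3099, 0x309A, 0x20D0, 0x20D1, 0x20D2};

/* Bytes needed to UTF-8 encode one code point; 0 if it is not encodable. */
static size_t utf8_len(uint32_t cp) {
    if (cp < 0x80) return 1;
    if (cp < 0x800) return 2;
    if (cp >= 0xD800 && cp <= 0xDFFF) return 0; /* surrogates */
    if (cp < 0x10000) return 3;                 /* rest of the BMP */
    if (cp <= 0x10FFFF) return 4;               /* supplementary planes */
    return 0;
}

/* Hypothetical hardened encoder for one cell (illustration only).
 * The loop stops at the array bound or the 0 terminator, so it never reads
 * past chars[]; each write is checked against cap, so it never overflows.
 * Returns the number of bytes written, or -1 if the cell does not fit. */
static int encode_cell(const uint32_t *chars, unsigned char *out, size_t cap) {
    static const unsigned char lead[5] = {0, 0x00, 0xC0, 0xE0, 0xF0};
    size_t used = 0;
    for (size_t i = 0; i < MAX_CHARS_PER_CELL && chars[i] != 0; i++) {
        uint32_t cp = chars[i];
        size_t n = utf8_len(cp);
        if (n == 0 || n > cap - used)
            return -1;
        for (size_t k = n - 1; k > 0; k--, cp >>= 6) /* continuation bytes */
            out[used + k] = (unsigned char)(0x80 | (cp & 0x3F));
        out[used] = (unsigned char)(lead[n] | cp);
        used += n;
    }
    return (int)used;
}

int main(void) {
    unsigned char buf[MAX_CHARS_PER_CELL * 4]; /* worst case: 6 * 4 = 24 */
    printf("BMP cell, 21 bytes:  %d\n", encode_cell(bmp_cell, buf, BMP_SIZED_BUF));
    printf("supp cell, 21 bytes: %d\n", encode_cell(supp_cell, buf, BMP_SIZED_BUF));
    printf("supp cell, 24 bytes: %d\n", encode_cell(supp_cell, buf, sizeof buf));
    return 0;
}
```

Sizing the buffer as the maximum character count times four bytes covers every valid code point, which is why the 24-byte call succeeds where the 21-byte call is rejected.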

Impact

Exploitation of this vulnerability can lead to a heap-based buffer overflow, causing a crash or potential memory corruption. Such memory corruption could be leveraged for arbitrary code execution, according to a GitHub advisory.

Reproduction

The vulnerability can be reproduced on a Vim version prior to 9.2.0076 by sending terminal output that includes a high number of combining characters from Unicode supplementary planes. This can be done by using a command that outputs such characters into a Vim terminal buffer.

Remediation

Users can upgrade to Vim version 9.2.0076 or later to address this vulnerability.

Added: Feb 27, 2026, 10:19 PM
Updated: Feb 28, 2026, 1:18 AM

Vulnerability Rating

Custom Algorithm

spread: 7.8
impact: 7.5
exploitability: 4.0
remediation: 7.7
relevance: 3.3
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.