Vim Heap-Buffer Overflow and Segmentation Fault Vulnerability in Swap File Recovery Logic

Vulnerability

A heap-buffer-overflow vulnerability and a segmentation fault (SEGV) have been identified in Vim's swap file recovery process, affecting versions prior to 9.2.0077. Both issues arise because data read from manipulated pointer blocks within a swap file is used without validation. The heap overflow occurs when a crafted swap file contains invalid block numbers or page counts that exceed the file size, leading to a buffer overflow in the database index array. The segmentation fault occurs when a negative block number is read: Vim then attempts to access the original file with garbage parameters and crashes.
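The sketch below is an added example, not Vim's code or the upstream patch. It shows the kind of validation the description implies: every block number and page count read from an untrusted file is checked against the file's real size before it is used. The struct layout, the names `ptr_entry`, `check_entry` and `first_bad_entry`, and the sample values are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

/* Hypothetical, simplified pointer-block entry; not Vim's real struct. */
typedef struct {
    int64_t bnum;       /* first block (page) the entry points to */
    int32_t page_count; /* consecutive pages the entry claims to span */
} ptr_entry;

typedef enum { ENTRY_OK, ENTRY_NEG_BNUM, ENTRY_BAD_PAGES, ENTRY_PAST_EOF } entry_status;

/* Check one entry read from an untrusted file against the file's real size. */
entry_status check_entry(const ptr_entry *e, int64_t file_size, int64_t page_size)
{
    if (page_size <= 0 || file_size < page_size)
        return ENTRY_PAST_EOF;               /* no complete page to point at */
    int64_t total_pages = file_size / page_size; /* ignore a partial tail page */
    if (e->bnum < 0)
        return ENTRY_NEG_BNUM;
    if (e->page_count < 1)
        return ENTRY_BAD_PAGES;
    /* Subtraction form: bnum + page_count could overflow on hostile input. */
    if (e->bnum >= total_pages || e->page_count > total_pages - e->bnum)
        return ENTRY_PAST_EOF;
    return ENTRY_OK;
}

/* Return the index of the first invalid entry, or -1 if all are usable. */
long first_bad_entry(const ptr_entry *v, size_t n, int64_t file_size, int64_t page_size)
{
    for (size_t i = 0; i < n; i++)
        if (check_entry(&v[i], file_size, page_size) != ENTRY_OK)
            return (long)i;
    return -1;
}

int main(void)
{
    /* Constructed sample: a 16384-byte file with 4096-byte pages (4 pages). */
    const ptr_entry sample[] = { {1, 1}, {2, 2}, {-7, 1}, {3, 4}, {9000, 1} };
    for (size_t i = 0; i < sizeof sample / sizeof sample[0]; i++)
        printf("entry %zu: status %d\n", i, (int)check_entry(&sample[i], 16384, 4096));
    printf("first bad entry: %ld\n", first_bad_entry(sample, 5, 16384, 4096));
    return 0;
}
```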

Impact

Exploitation of this vulnerability can lead to a crash or potentially allow for arbitrary code execution, triggered when a user recovers a crafted swap file.

Reproduction

The vulnerability can be reproduced by creating a swap file that includes crafted pointer block entries. This can be done by manipulating the swap file's pointer blocks to include invalid block numbers or page counts that exceed the file's actual size. Once the crafted swap file is prepared, it can be placed in a location where Vim will attempt to recover it, such as a shared project directory. When Vim tries to recover the file, the unvalidated entries will cause the heap-buffer-overflow and segmentation fault.

Remediation

Users should update to Vim version 9.2.0077 or later, where this vulnerability has been fixed.

Added: Feb 27, 2026, 10:20 PM
Updated: Feb 28, 2026, 1:19 AM

Vulnerability Rating

Custom Algorithm

spread: 7.8
impact: 7.5
exploitability: 3.3
remediation: 7.7
relevance: 3.3
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.