Vim Stack-Buffer Overflow Vulnerability in Statusline Rendering Prior to Version 9.2.0078

Vulnerability

A stack-buffer overflow vulnerability has been identified in Vim versions prior to 9.2.0078. The issue occurs in the function 'build_stl_str_hl()' when a multi-byte fill character is used in the statusline on a very wide terminal. Vim's statusline rendering uses a fixed-size stack buffer of 4096 bytes. When a multi-byte character, such as U+2500, is used as the fill character, the fill can exceed the buffer's capacity on terminals wider than approximately 1365 columns: the byte count surpasses the buffer limit while the cell-count check still passes. The result is a stack-buffer overflow of up to 1904 bytes.
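The cell-versus-byte mismatch described above, shown as an added example: a simplified model that is not Vim's source code, with a byte-bounded fill beside it. The function names, the form of the cell check, and the 2000-column width are assumptions; 2000 is a constructed value at which a 3-byte fill character reproduces the advisory's 1904-byte figure.

```c
#include <stddef.h>
#include <string.h>

#define STL_BUF_SIZE 4096                   /* fixed stack buffer size from the advisory */
#define FILL_LEN 3                          /* U+2500 is 3 bytes in UTF-8, 1 display cell */
static const char FILL[] = "\xe2\x94\x80";  /* U+2500 encoded as UTF-8 */

/* Assumed model of the flawed guard: only display cells are compared. */
int cell_check_passes(size_t cells) { return cells < STL_BUF_SIZE; }

/* Bytes a cell-only guard would let the fill write past the buffer end
 * (the NUL terminator is not counted). */
size_t overrun_bytes(size_t cells, size_t char_len)
{
    size_t need = cells * char_len;
    return need > STL_BUF_SIZE ? need - STL_BUF_SIZE : 0;
}

/* Hardened fill: stop when the next character plus the NUL will not fit. */
size_t fill_bounded(char *buf, size_t buf_size, size_t used,
                    const char *fill, size_t char_len, size_t cells)
{
    size_t written = 0;
    if (used >= buf_size)
        return 0;
    while (cells-- > 0 && used + written + char_len < buf_size) {
        memcpy(buf + used + written, fill, char_len);
        written += char_len;
    }
    buf[used + written] = '\0';
    return written;
}

/* Run the hardened fill into a real 4096-byte stack buffer. */
size_t demo_bounded_fill(size_t cells)
{
    char buf[STL_BUF_SIZE];
    size_t n = fill_bounded(buf, sizeof buf, 0, FILL, FILL_LEN, cells);
    return strlen(buf) == n ? n : (size_t)-1;
}
```

At 1365 columns the fill needs 4095 bytes and still fits; one more column pushes the byte count past 4096 even though the cell count is far below it.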

Impact

Exploitation of this vulnerability causes a stack-buffer overflow, leading to memory corruption. This can result in unpredictable behavior, especially when the statusline is redrawn on a wide terminal. While the overflow may not cause an immediate crash in all environments, it can disrupt normal operations.

Reproduction

To reproduce this vulnerability, set a multi-byte fill character in the 'fillchars' or 'statusline' options. This can be done through a malicious modeline or plugin. Then open Vim in a terminal wider than 1365 columns. The combination of the wide terminal and the multi-byte fill character will trigger the stack-buffer overflow in the 'build_stl_str_hl()' function.

Remediation

Users can update to Vim version 9.2.0078 or later, where this vulnerability has been patched.

Added: Feb 27, 2026, 10:20 PM
Updated: Feb 28, 2026, 1:18 AM

Vulnerability Rating

Custom Algorithm
spread: 7.8
impact: 3.1
exploitability: 3.5
remediation: 7.7
relevance: 3.3
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.