Incorrect Calculation of Buffer Size in vim/vim
Description
In vim prior to 9.0.1378, incorrect buffer size calculation in virtual editing mode can cause illegal memory access.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The vulnerability is an incorrect buffer size calculation in vim's virtual editing mode. In the op_yank function, when calculating bd.startspaces, the value could become negative, leading to an out-of-bounds memory access. This occurs in versions prior to 9.0.1378 when virtual editing is enabled (set virtualedit=all) and a yank operation is performed on a line with certain column offsets. The official patch [4] adds a check to clamp bd.startspaces to zero if negative.
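The arithmetic described above, as an added example that is not vim's source or the patch itself: a simplified model in which the padding count is a cell width minus a virtual-edit offset. The names cell_width, coladd, as_fill_length and build_segment are assumptions made for illustration, and the input values are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified model, not vim source. cell_width and coladd are
 * hypothetical names: the screen cells a character occupies and the
 * virtual-edit offset into it. */
static int startspaces_unchecked(int cell_width, int coladd)
{
    return cell_width - coladd;      /* negative once coladd > cell_width */
}

static int startspaces_clamped(int cell_width, int coladd)
{
    int n = cell_width - coladd;
    return n < 0 ? 0 : n;            /* clamp to zero, as the fix is described */
}

/* What a fill length becomes if a signed count is cast without a check. */
static size_t as_fill_length(int startspaces)
{
    return (size_t)startspaces;      /* -3 turns into SIZE_MAX - 2 */
}

/* Build "<padding><text>" on the heap. Refuses inconsistent counts
 * instead of under-allocating and over-filling. Caller frees. */
static char *build_segment(int startspaces, const char *text, int textlen)
{
    if (startspaces < 0 || textlen < 0)
        return NULL;
    char *p = malloc((size_t)startspaces + (size_t)textlen + 1);
    if (p == NULL)
        return NULL;
    memset(p, ' ', (size_t)startspaces);
    memcpy(p + startspaces, text, (size_t)textlen);
    p[startspaces + textlen] = '\0';
    return p;
}

int main(void)
{
    int bad = startspaces_unchecked(4, 7);   /* constructed values */
    int ok = startspaces_clamped(4, 7);
    char *seg = build_segment(ok, "hello", 5);
    printf("unchecked=%d fill=%zu clamped=%d seg=\"%s\"\n",
           bad, as_fill_length(bad), ok, seg ? seg : "(null)");
    free(seg);
    return 0;
}
```

A negative count shrinks the size handed to the allocator and, once cast to an unsigned length, inflates the fill, which is why the count has to be validated before both uses.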
Exploitation
An attacker can exploit this by providing a specially crafted text file that, when opened and yanked by a victim using virtual editing, triggers the negative startspaces condition. The attacker requires the victim to have virtual editing enabled and to perform a yank operation. No network access is needed; local file interaction suffices. The exploit sequence involves opening the malicious file, entering virtual edit mode, and executing a yank command (e.g., y or Y).
Impact
Successful exploitation results in an illegal memory access, which can cause a denial of service (crash) or potentially arbitrary code execution, depending on how the memory corruption is leveraged. The commit description [4] explicitly mentions "illegal memory access". The attacker gains no direct privileges but may leverage the crash or code execution to compromise the vim process.
Mitigation
The vulnerability is fixed in vim version 9.0.1378, released in or around March 2023. Users should update to this version or later. No practical workaround exists aside from disabling virtual editing (set virtualedit=) or avoiding untrusted files, but upgrading is recommended. The fix is available in the official vim repository [4]. Fedora packages may have updates as well, but the advisory pages are inaccessible.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Patches
No patches discovered yet.
References
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DIAKPMKJ4OZ6NYRZJO7YWMNQL2BICLYV/ (mitre, vendor-advisory)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IE44W6WMMREYCW3GJHPSYP7NK2VT5NY6/ (mitre, vendor-advisory)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X4KDAU76Z7QNSPKZX2JAJ6O7KIEOXWTL/ (mitre, vendor-advisory)
- lists.debian.org/debian-lts-announce/2023/06/msg00015.html (mitre, mailing-list)
- github.com/vim/vim/commit/c99cbf8f289bdda5d4a77d7ec415850a520330ba (mitre)
- huntr.dev/bounties/7e93fc17-92eb-4ae7-b01a-93bb460b643e (mitre)