Integer Overflow in :history command in Vim
Description
Integer overflow in Vim's :history command leads to a heap-use-after-free, fixed in version 9.0.2068.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Integer overflow in Vim's `:history` command leads to a heap-use-after-free, fixed in version 9.0.2068.
Vulnerability
A heap-use-after-free vulnerability exists in Vim versions prior to 9.0.2068, triggered by an integer overflow in the :history command. The flaw resides in the get_list_range function in src/eval.c, where user-supplied arguments are parsed without overflow validation. When an overly large argument is supplied, the parsed value overflows at src/cmdhist.c:759, leading to a use-after-free of memory originally allocated by ga_grow_inner at src/alloc.c:748 and freed in do_cmdline at src/ex_docmd.c:1010 [1]. The bug is triggered when Vim is run with the -u NONE -i NONE -n -e -s -S flags and sources a specially crafted script file containing the :history command [1].
Exploitation
An attacker must supply a crafted argument to the :history command whose value exceeds the range of the integer used to hold it. The proof of concept in [1] runs Vim as ./bins/vim -u NONE -i NONE -n -e -s -S ./crashmin/gchar_cursor -c :qa!, which triggers the overflow. The overflowed value causes the memory region to be freed while it is still in use, producing the use-after-free condition.
Impact
Successful exploitation results in a heap-use-after-free, which can be leveraged for arbitrary code execution or to crash Vim, leading to denial of service. The AddressSanitizer output in [1] confirms a read of size 4 on freed memory, indicating potential for information disclosure or control-flow hijacking depending on the attacker's ability to manipulate the heap.
Mitigation
The vulnerability is patched in Vim version 9.0.2068 [1][4]. The fix adds an overflow check in the get_list_range function, ensuring that parsed numbers exceeding INT_MAX cause the parsing to fail gracefully [4]. Users should upgrade to Vim 9.0.2068 or later. No workaround is available for unpatched versions; users are advised to avoid processing untrusted files with Vim until they can update.
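As an added illustration of the kind of check the fix describes (constructed example; this is neither Vim's source nor the 9.0.2068 patch), the following C code parses a ":history"-style count and "[first][,last]" range while refusing any number that would exceed INT_MAX, placed beside an unchecked parser that silently narrows a wide value into an int; the -1 "not given" marker and the function names are this example's own conventions.

```c
#include <limits.h>

/* Overflow-checked decimal count parser (constructed example, not Vim's code).
 * Accumulates into an int and refuses (returns 0) before any step could exceed
 * INT_MAX, so the caller fails gracefully instead of continuing with a wrapped,
 * possibly negative count. On success returns 1 and advances *s past the digits. */
int parse_count_checked(const char **s, int *out)
{
    const char *p = *s;
    int v = 0;
    if (*p < '0' || *p > '9')
        return 0;                           /* no digits at all */
    for (; *p >= '0' && *p <= '9'; p++) {
        int d = *p - '0';
        /* v * 10 + d > INT_MAX  <=>  v > (INT_MAX - d) / 10 for non-negative ints */
        if (v > (INT_MAX - d) / 10)
            return 0;
        v = v * 10 + d;
    }
    *s = p;
    *out = v;
    return 1;
}

/* Unchecked counterpart: accumulate in a wider type, then narrow to int. Above
 * INT_MAX the narrowing is implementation-defined and wraps on the usual
 * two's-complement targets, so "2147483648" becomes INT_MIN (input must fit a long long). */
int parse_count_unchecked(const char *s)
{
    long long v = 0;
    for (; *s >= '0' && *s <= '9'; s++)
        v = v * 10 + (*s - '0');
    return (int)v;
}

/* Parse a "[first][,last]" range of the shape :history accepts, with the checked
 * parser for each number. Returns 1 on success, 0 if a number overflows or trailing
 * text remains; -1 marks a number that was not given (a convention of this example). */
int parse_list_range(const char *s, int *first, int *last)
{
    *first = *last = -1;
    if (*s >= '0' && *s <= '9' && !parse_count_checked(&s, first))
        return 0;
    if (*s == ',') {
        s++;
        if (*s >= '0' && *s <= '9' && !parse_count_checked(&s, last))
            return 0;
    }
    return *s == '\0';
}
```

The checked variant rejects "2147483648" outright, while the unchecked one hands back a negative count that downstream code may treat as a valid index.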
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
26 versions (OSV coordinates; no CPE assigned):
- pkg:rpm/opensuse/vim, openSUSE Leap 15.4: < 9.0.2103-150000.5.57.1
- pkg:rpm/opensuse/vim, openSUSE Leap 15.5: < 9.0.2103-150500.20.6.1
- pkg:rpm/opensuse/vim, openSUSE Leap Micro 5.3: < 9.0.2103-150000.5.57.1
- pkg:rpm/opensuse/vim, openSUSE Leap Micro 5.4: < 9.0.2103-150000.5.57.1
- pkg:rpm/suse/vim, SUSE Enterprise Storage 7.1: < 9.0.2103-150000.5.57.1
- pkg:rpm/suse/vim, SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS: < 9.0.2103-150000.5.57.1
- pkg:rpm/suse/vim, SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS: < 9.0.2103-150000.5.57.1
- pkg:rpm/suse/vim, SUSE Linux Enterprise High Performance Computing 15 SP3-ESPOS: < 9.0.2103-150000.5.57.1
- pkg:rpm/suse/vim, SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS: < 9.0.2103-150000.5.57.1
- pkg:rpm/suse/vim, SUSE Linux Enterprise Micro 5.1: < 9.0.2103-150000.5.57.1
- pkg:rpm/suse/vim, SUSE Linux Enterprise Micro 5.2: < 9.0.2103-150000.5.57.1
- pkg:rpm/suse/vim, SUSE Linux Enterprise Micro 5.3: < 9.0.2103-150000.5.57.1
- pkg:rpm/suse/vim, SUSE Linux Enterprise Micro 5.4: < 9.0.2103-150000.5.57.1
- pkg:rpm/suse/vim, SUSE Linux Enterprise Micro 5.5: < 9.0.2103-150500.20.6.1
- pkg:rpm/suse/vim, SUSE Linux Enterprise Module for Basesystem 15 SP4: < 9.0.2103-150000.5.57.1
- pkg:rpm/suse/vim, SUSE Linux Enterprise Module for Basesystem 15 SP5: < 9.0.2103-150500.20.6.1
- pkg:rpm/suse/vim, SUSE Linux Enterprise Module for Desktop Applications 15 SP4: < 9.0.2103-150000.5.57.1
- pkg:rpm/suse/vim, SUSE Linux Enterprise Module for Desktop Applications 15 SP5: < 9.0.2103-150500.20.6.1
- pkg:rpm/suse/vim, SUSE Linux Enterprise Server 12 SP5: < 9.0.2103-17.26.1
- pkg:rpm/suse/vim, SUSE Linux Enterprise Server 15 SP1-LTSS: < 9.0.2103-150000.5.57.1
- pkg:rpm/suse/vim, SUSE Linux Enterprise Server 15 SP2-LTSS: < 9.0.2103-150000.5.57.1
- pkg:rpm/suse/vim, SUSE Linux Enterprise Server 15 SP3-LTSS: < 9.0.2103-150000.5.57.1
- pkg:rpm/suse/vim, SUSE Linux Enterprise Server for SAP Applications 12 SP5: < 9.0.2103-17.26.1
- pkg:rpm/suse/vim, SUSE Linux Enterprise Server for SAP Applications 15 SP1: < 9.0.2103-150000.5.57.1
- pkg:rpm/suse/vim, SUSE Linux Enterprise Server for SAP Applications 15 SP2: < 9.0.2103-150000.5.57.1
- pkg:rpm/suse/vim, SUSE Linux Enterprise Server for SAP Applications 15 SP3: < 9.0.2103-150000.5.57.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/vim/vim/commit/9198c1f2b1ddecde22af918541e0de2a32f0f45a (mitre, x_refsource_MISC)
- github.com/vim/vim/security/advisories/GHSA-q22m-h7m2-9mgm (mitre, x_refsource_CONFIRM)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DNMFS3IH74KEMMESOA3EOB6MZ56TWGFF/ (mitre)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IVA7K73WHQH4KVFDJQ7ELIUD2WK5ZT5E/ (mitre)
- security.netapp.com/advisory/ntap-20231208-0006/ (mitre)
News mentions
No linked articles in our index yet.