Heap-based Buffer Overflow in vim/vim
Description
Heap-buffer-overflow in Vim's :ball command prior to 9.0.1331 allows potential code execution via a crafted file.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A heap-based buffer overflow exists in Vim prior to version 9.0.1331. The bug is triggered when using the :ball command (via ex_buffer_all) while Visual mode is active. The function utfc_ptr2len is called on invalid cursor data after switching buffers without resetting Visual mode, leading to an illegal memory access. The test added in the fix demonstrates the crash with a sequence of R0, splitting to a new buffer, entering Visual mode, calling :ball, then zW. Affected versions are all Vim builds before 9.0.1331.
Exploitation
An attacker needs to craft a file that, when opened in Vim, leads the user to enter and exit Visual mode in a specific sequence and then execute :ball. The attack requires user interaction (opening the file and performing the steps). No special privileges are needed beyond normal file access. The exploit sequence is: open the crafted file, type R0, split the window using :split other, type R000, enter Visual mode with l, then type :ball. This triggers the heap overflow in utfc_ptr2len.
Impact
Successful exploitation can lead to arbitrary code execution or unexpected termination of Vim. Apple's advisory (macOS Sonoma 14.1) describes the impact as "Parsing a file may lead to an unexpected app termination or arbitrary code execution" [1]. The CVSS v3 score is 7.8 (High) with Confidentiality, Integrity, and Availability impacts all classified as High. The attacker can potentially execute code with the privileges of the user running Vim.
Mitigation
Vim fixed the issue in version 9.0.1331 on 2023-09-03 [2]. The patch adds a call to reset_VIsual_and_resel() before setpcmark() in ex_buffer_all to ensure Visual mode is disabled before buffer switching. Apple included the fix in macOS Sonoma 14.1 on 2023-10-25 [1]. Users should update to Vim 9.0.1331 or later, or apply the security updates from their OS vendor. No workarounds are documented; avoiding :ball while in Visual mode may reduce risk but is not a complete mitigation.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 3
Patches: 0 (no patches discovered yet)
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 4
News mentions: 0 (no linked articles in our index yet)