summaryrefslogtreecommitdiffstats
path: root/debian/patches/CVE-2022-3235.patch
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-05-08 05:08:28 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-05-08 05:08:28 +0000
commite1a321ce6150e001d4a94bca2bf901820fcbb29f (patch)
tree41e96f0bb8ad99f91d78a1fb19843e7405a02571 /debian/patches/CVE-2022-3235.patch
parentReleasing progress-linux version 2:8.1.0875-5+deb10u3progress5u1. (diff)
downloadvim-e1a321ce6150e001d4a94bca2bf901820fcbb29f.tar.xz
vim-e1a321ce6150e001d4a94bca2bf901820fcbb29f.zip
Merging debian version 2:8.1.0875-5+deb10u4.
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'debian/patches/CVE-2022-3235.patch')
-rw-r--r--debian/patches/CVE-2022-3235.patch116
1 files changed, 116 insertions, 0 deletions
diff --git a/debian/patches/CVE-2022-3235.patch b/debian/patches/CVE-2022-3235.patch
new file mode 100644
index 0000000..fc3e20e
--- /dev/null
+++ b/debian/patches/CVE-2022-3235.patch
@@ -0,0 +1,116 @@
+From 1c3dd8ddcba63c1af5112e567215b3cec2de11d0 Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Sat, 17 Sep 2022 19:43:23 +0100
+Subject: [PATCH] patch 9.0.0490: using freed memory with cmdwin and BufEnter
+ autocmd
+
+Problem: Using freed memory with cmdwin and BufEnter autocmd.
+Solution: Make sure pointer to b_p_iminsert is still valid.
+---
+ src/ex_getln.c | 8 ++++++--
+ src/testdir/test_cmdwin.vim | 10 ++++++++++
+ src/version.c | 2 ++
+ 3 files changed, 18 insertions(+), 2 deletions(-)
+
+Backport: rewrote b_im_ptr handling
+
+diff --git a/src/ex_getln.c b/src/ex_getln.c
+index 70436b31f05e..a4fb61145c96 100644
+--- a/src/ex_getln.c
++++ b/src/ex_getln.c
+@@ -858,6 +858,7 @@ getcmdline_int(
+ #endif
+ expand_T xpc;
+ long *b_im_ptr = NULL;
++ buf_T *b_im_ptr_buf = NULL; // buffer where b_im_ptr is valid
+ struct cmdline_info save_ccline;
+ int did_save_ccline = FALSE;
+ int cmdline_type;
+@@ -968,6 +969,7 @@ getcmdline_int(
+ b_im_ptr = &curbuf->b_p_iminsert;
+ else
+ b_im_ptr = &curbuf->b_p_imsearch;
++ b_im_ptr_buf = curbuf;
+ if (*b_im_ptr == B_IMODE_LMAP)
+ State |= LANGMAP;
+ #ifdef HAVE_INPUT_METHOD
+@@ -1718,7 +1720,7 @@ getcmdline_int(
+ #ifdef HAVE_INPUT_METHOD
+ im_set_active(FALSE); /* Disable input method */
+ #endif
+- if (b_im_ptr != NULL)
++ if (b_im_ptr != NULL && buf_valid(b_im_ptr_buf))
+ {
+ if (State & LANGMAP)
+ *b_im_ptr = B_IMODE_LMAP;
+@@ -1732,7 +1734,7 @@ getcmdline_int(
+ /* There are no ":lmap" mappings, toggle IM. When
+ * 'imdisable' is set don't try getting the status, it's
+ * always off. */
+- if ((p_imdisable && b_im_ptr != NULL)
++ if ((p_imdisable && b_im_ptr != NULL && buf_valid(b_im_ptr_buf))
+ ? *b_im_ptr == B_IMODE_IM : im_get_status())
+ {
+ im_set_active(FALSE); /* Disable input method */
+@@ -1742,12 +1744,12 @@ getcmdline_int(
+ else
+ {
+ im_set_active(TRUE); /* Enable input method */
+- if (b_im_ptr != NULL)
++ if (b_im_ptr != NULL && buf_valid(b_im_ptr_buf))
+ *b_im_ptr = B_IMODE_IM;
+ }
+ }
+ #endif
+- if (b_im_ptr != NULL)
++ if (b_im_ptr != NULL && buf_valid(b_im_ptr_buf))
+ {
+ if (b_im_ptr == &curbuf->b_p_iminsert)
+ set_iminsert_global();
+@@ -2476,7 +2478,8 @@ getcmdline_int(
+
+ State = save_State;
+ #ifdef HAVE_INPUT_METHOD
+- if (b_im_ptr != NULL && *b_im_ptr != B_IMODE_LMAP)
++ if (b_im_ptr != NULL && buf_valid(b_im_ptr_buf)
++ && *b_im_ptr != B_IMODE_LMAP)
+ im_save_status(b_im_ptr);
+ im_set_active(FALSE);
+ #endif
+diff --git a/src/testdir/test_cmdwin.vim b/src/testdir/test_cmdwin.vim
+index d62673aba254..fe849bcc1686 100644
+--- /dev/null
++++ b/src/testdir/test_cmdwin.vim
+@@ -0,0 +0,12 @@
++" This was using a pointer to a freed buffer
++func Test_cmdwin_freed_buffer_ptr()
++ au BufEnter * next 0| file
++ edit 0
++ silent! norm q/
++
++ au! BufEnter
++ bwipe!
++endfunc
++
++
++" vim: shiftwidth=2 sts=2 expandtab
+--- a/src/testdir/Make_all.mak
++++ b/src/testdir/Make_all.mak
+@@ -89,6 +89,7 @@
+ test_clientserver \
+ test_close_count \
+ test_cmdline \
++ test_cmdwin \
+ test_command_count \
+ test_comparators \
+ test_compiler \
+--- a/src/version.c
++++ b/src/version.c
+@@ -2618,6 +2618,7 @@
+ "8.2.3403",
+ "8.2.3409",
+ "8.2.3428",
++ "9.0.0490",
+ /**/
+ NULL
+ };