diff options
| author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-05-08 05:09:06 +0000 |
|---|---|---|
| committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-05-08 05:09:06 +0000 |
| commit | fe9135eaa14adace367ce3e0de55c4b53e5223c8 (patch) | |
| tree | cf0f56b778db5c718f20f8d2ab7058b159b8437c /debian/patches/CVE-2023-2610.patch | |
| parent | Adding debian version 2:8.1.0875-5+deb10u4. (diff) | |
| download | vim-fe9135eaa14adace367ce3e0de55c4b53e5223c8.tar.xz vim-fe9135eaa14adace367ce3e0de55c4b53e5223c8.zip | |
Adding debian version 2:8.1.0875-5+deb10u5.debian/2%8.1.0875-5+deb10u5
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'debian/patches/CVE-2023-2610.patch')
| -rw-r--r-- | debian/patches/CVE-2023-2610.patch | 68 |
1 files changed, 68 insertions, 0 deletions
diff --git a/debian/patches/CVE-2023-2610.patch b/debian/patches/CVE-2023-2610.patch new file mode 100644 index 0000000..085b7b9 --- /dev/null +++ b/debian/patches/CVE-2023-2610.patch @@ -0,0 +1,68 @@ +From: Markus Koschany <apo@debian.org> +Date: Sun, 11 Jun 2023 13:58:23 +0200 +Subject: CVE-2023-2610 + +Bug-Debian: https://bugs.debian.org/1035955 +Origin: https://github.com/vim/vim/commit/ab9a2d884b3a4abe319606ea95a5a6d6b01cd73a +--- + src/regexp.c | 29 ++++++++++++++++++----------- + 1 file changed, 18 insertions(+), 11 deletions(-) + +diff --git a/src/regexp.c b/src/regexp.c +index 6939fd1..5630364 100644 +--- a/src/regexp.c ++++ b/src/regexp.c +@@ -7150,10 +7150,7 @@ do_Lower(int *d, int c) + regtilde(char_u *source, int magic) + { + char_u *newsub = source; +- char_u *tmpsub; + char_u *p; +- int len; +- int prevlen; + + for (p = newsub; *p; ++p) + { +@@ -7162,24 +7159,34 @@ regtilde(char_u *source, int magic) + if (reg_prev_sub != NULL) + { + /* length = len(newsub) - 1 + len(prev_sub) + 1 */ +- prevlen = (int)STRLEN(reg_prev_sub); +- tmpsub = alloc((unsigned)(STRLEN(newsub) + prevlen)); ++ // Avoid making the text longer than MAXCOL, it will cause ++ // trouble at some point. ++ size_t prevsublen = STRLEN(reg_prev_sub); ++ size_t newsublen = STRLEN(newsub); ++ if (prevsublen > MAXCOL || newsublen > MAXCOL ++ || newsublen + prevsublen > MAXCOL) ++ { ++ break; ++ } ++ ++ char_u *tmpsub = alloc(newsublen + prevsublen); + if (tmpsub != NULL) + { + /* copy prefix */ +- len = (int)(p - newsub); /* not including ~ */ +- mch_memmove(tmpsub, newsub, (size_t)len); ++ size_t prefixlen = p - newsub; // not including ~ ++ mch_memmove(tmpsub, newsub, prefixlen); + /* interpret tilde */ +- mch_memmove(tmpsub + len, reg_prev_sub, (size_t)prevlen); ++ mch_memmove(tmpsub + prefixlen, reg_prev_sub, ++ prevsublen); + /* copy postfix */ + if (!magic) + ++p; /* back off \ */ +- STRCPY(tmpsub + len + prevlen, p + 1); ++ STRCPY(tmpsub + prefixlen + prevsublen, p + 1); + +- if (newsub != source) /* already allocated newsub */ ++ if (newsub != source) // allocated newsub before + vim_free(newsub); + newsub = tmpsub; +- p = newsub + len + prevlen; ++ p = newsub + prefixlen + prevsublen; + } + } + else if (magic) |