diff options
Diffstat (limited to '')
-rw-r--r-- | debian/patches/CVE-2021-3872.patch | 64 |
1 files changed, 64 insertions, 0 deletions
diff --git a/debian/patches/CVE-2021-3872.patch b/debian/patches/CVE-2021-3872.patch new file mode 100644 index 0000000..ad1ffc3 --- /dev/null +++ b/debian/patches/CVE-2021-3872.patch @@ -0,0 +1,64 @@ +From: Markus Koschany <apo@debian.org> +Date: Wed, 19 Oct 2022 18:47:02 +0200 +Subject: CVE-2021-3872 + +Origin: https://github.com/vim/vim/commit/826bfe4bbd7594188e3d74d2539d9707b1c6a14b +--- + src/screen.c | 10 +++++----- + src/testdir/test_statusline.vim | 14 ++++++++++++++ + 2 files changed, 19 insertions(+), 5 deletions(-) + +--- a/src/screen.c ++++ b/src/screen.c +@@ -6887,13 +6887,13 @@ win_redr_status(win_T *wp, int ignore_pu + *(p + len++) = ' '; + if (bt_help(wp->w_buffer)) + { +- STRCPY(p + len, _("[Help]")); ++ vim_snprintf((char *)p + len, MAXPATHL - len, "%s", _("[Help]")); + len += (int)STRLEN(p + len); + } + #ifdef FEAT_QUICKFIX + if (wp->w_p_pvw) + { +- STRCPY(p + len, _("[Preview]")); ++ vim_snprintf((char *)p + len, MAXPATHL - len, "%s", _("[Preview]")); + len += (int)STRLEN(p + len); + } + #endif +@@ -6903,12 +6903,12 @@ win_redr_status(win_T *wp, int ignore_pu + #endif + ) + { +- STRCPY(p + len, "[+]"); +- len += 3; ++ vim_snprintf((char *)p + len, MAXPATHL - len, "%s", "[+]"); ++ len += (int)STRLEN(p + len); + } + if (wp->w_buffer->b_p_ro) + { +- STRCPY(p + len, _("[RO]")); ++ vim_snprintf((char *)p + len, MAXPATHL - len, "%s", _("[RO]")); + len += (int)STRLEN(p + len); + } + +--- a/src/testdir/test_statusline.vim ++++ b/src/testdir/test_statusline.vim +@@ -341,3 +341,17 @@ func Test_statusline() + set laststatus& + set splitbelow& + endfunc ++ ++ ++" CVE-2021-3872 ++" Used to write beyond allocated memory. This assumes MAXPATHL is 4096 bytes. ++function Test_statusline_verylong_filename() ++ let fname = repeat('x', 4090) ++ exe "new " . fname ++ set buftype=help ++ set previewwindow ++ redraw ++ bwipe! ++endfunc ++ ++ |