summaryrefslogtreecommitdiffstats
path: root/debian/patches/CVE-2021-3974.patch
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--debian/patches/CVE-2021-3974.patch56
1 files changed, 56 insertions, 0 deletions
diff --git a/debian/patches/CVE-2021-3974.patch b/debian/patches/CVE-2021-3974.patch
new file mode 100644
index 0000000..331ecee
--- /dev/null
+++ b/debian/patches/CVE-2021-3974.patch
@@ -0,0 +1,56 @@
+From: Markus Koschany <apo@debian.org>
+Date: Wed, 19 Oct 2022 19:33:45 +0200
+Subject: CVE-2021-3974
+
+Origin: https://github.com/vim/vim/commit/64066b9acd9f8cffdf4840f797748f938a13f2d6
+---
+ src/regexp.c | 2 +-
+ src/regexp_nfa.c | 8 ++++++++
+ src/testdir/test_regexp_latin.vim | 9 +++++++++
+ 3 files changed, 18 insertions(+), 1 deletion(-)
+
+--- a/src/regexp.c
++++ b/src/regexp.c
+@@ -3474,7 +3474,7 @@ typedef struct {
+ // The current match-position is stord in these variables:
+ linenr_T lnum; // line number, relative to first line
+ char_u *line; // start of current line
+- char_u *input; // current input, points into "regline"
++ char_u *input; // current input, points into "line"
+
+ int need_clear_subexpr; // subexpressions still need to be cleared
+ #ifdef FEAT_SYN_HL
+--- a/src/regexp_nfa.c
++++ b/src/regexp_nfa.c
+@@ -6570,8 +6570,16 @@ nfa_regmatch(
+ case NFA_MARK_GT:
+ case NFA_MARK_LT:
+ {
++ size_t col = rex.input - rex.line;
+ pos_T *pos = getmark_buf(rex.reg_buf, t->state->val, FALSE);
+
++ // Line may have been freed, get it again.
++ if (REG_MULTI)
++ {
++ rex.line = reg_getline(rex.lnum);
++ rex.input = rex.line + col;
++ }
++
+ /* Compare the mark position to the match position. */
+ result = (pos != NULL /* mark doesn't exist */
+ && pos->lnum > 0 /* mark isn't set in reg_buf */
+--- a/src/testdir/test_regexp_latin.vim
++++ b/src/testdir/test_regexp_latin.vim
+@@ -84,3 +84,12 @@ func Test_multi_failure()
+ call assert_fails('/a\{a}', 'E870:')
+ set re=0
+ endfunc
++
++func Test_using_mark_position()
++ " this was using freed memory
++ new
++ norm O0
++ call assert_fails("s/\\%')", 'E486:')
++ bwipe!
++endfunc
++