Diffstat (limited to 'debian/patches/CVE-2021-4069.patch')
-rw-r--r--debian/patches/CVE-2021-4069.patch52
1 files changed, 52 insertions, 0 deletions
diff --git a/debian/patches/CVE-2021-4069.patch b/debian/patches/CVE-2021-4069.patch
new file mode 100644
index 0000000..ad21727
--- /dev/null
+++ b/debian/patches/CVE-2021-4069.patch
@@ -0,0 +1,52 @@
+From: Markus Koschany <apo@debian.org>
+Date: Wed, 19 Oct 2022 19:53:49 +0200
+Subject: CVE-2021-4069
+
+Origin: https://github.com/vim/vim/commit/e031fe90cf2e375ce861ff5e5e281e4ad229ebb9
+---
+ src/ex_docmd.c | 10 +++++++---
+ src/testdir/test_ex_equal.vim | 13 +++++++++++++
+ 2 files changed, 20 insertions(+), 3 deletions(-)
+
+--- a/src/ex_docmd.c
++++ b/src/ex_docmd.c
+@@ -8659,13 +8659,17 @@ ex_open(exarg_T *eap)
+ regmatch.regprog = vim_regcomp(eap->arg, p_magic ? RE_MAGIC : 0);
+ if (regmatch.regprog != NULL)
+ {
++ // make a copy of the line, when searching for a mark it might be
++ // flushed
++ char_u *line = vim_strsave(ml_get_curline());
++
+ regmatch.rm_ic = p_ic;
+- p = ml_get_curline();
+- if (vim_regexec(&regmatch, p, (colnr_T)0))
+- curwin->w_cursor.col = (colnr_T)(regmatch.startp[0] - p);
++ if (vim_regexec(&regmatch, line, (colnr_T)0))
++ curwin->w_cursor.col = (colnr_T)(regmatch.startp[0] - line);
+ else
+ emsg(_(e_nomatch));
+ vim_regfree(regmatch.regprog);
++ vim_free(line);
+ }
+ /* Move to the NUL, ignore any other arguments. */
+ eap->arg += STRLEN(eap->arg);
+--- a/src/testdir/test_ex_equal.vim
++++ b/src/testdir/test_ex_equal.vim
+@@ -30,3 +30,16 @@ func Test_ex_equal()
+
+ bwipe!
+ endfunc
++
++func Test_open_command_flush_line()
++ " this was accessing freed memory: the regexp match uses a pointer to the
++ " current line which becomes invalid when searching for the ') mark.
++ new
++ call setline(1, ['one', 'two. three'])
++ s/one/ONE
++ try
++ open /\%')/
++ catch /E479/
++ endtry
++ bwipe!
++endfunc
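Review bot: The copy taken on the new-side line `char_u *line = vim_strsave(ml_get_curline());` is handed to vim_regexec without a NULL check; vim_strsave is an alloc()-backed helper that, as far as I know, returns NULL when allocation fails, so an out-of-memory condition would now dereference NULL inside the regexp engine, whereas the replaced `p = ml_get_curline()` path could not fail that way. A minimal guard is `if (line != NULL && vim_regexec(&regmatch, line, (colnr_T)0))` — the cleanup below stays valid because vim_free(NULL) is a no-op, at the cost of an extra "no match" message after the allocation error; this is inherited from the upstream commit named in the Origin line rather than introduced by the backport, so it is worth noting in the patch header if it is left as is. ex_open begins and ends outside the hunk, so I cannot see whether an earlier check already bounds this path. Separately, the DEP-3 header carries only `Subject: CVE-2021-4069` and an Origin URL; a one-line `Description: Fix use of freed memory in :open when the pattern references a mark, which can flush the current line buffer` (the wording the added test's comment already uses) would let a maintainer understand the patch without fetching the upstream commit.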