Diffstat (limited to 'debian/patches/CVE-2022-0261.patch')
-rw-r--r-- | debian/patches/CVE-2022-0261.patch | 112 |
1 files changed, 112 insertions, 0 deletions
diff --git a/debian/patches/CVE-2022-0261.patch b/debian/patches/CVE-2022-0261.patch
new file mode 100644
index 0000000..c1a9026
--- /dev/null
+++ b/debian/patches/CVE-2022-0261.patch
@@ -0,0 +1,112 @@
+From: Markus Koschany <apo@debian.org>
+Date: Sun, 23 Oct 2022 16:31:29 +0200
+Subject: CVE-2022-0261
+
+Origin: https://github.com/vim/vim/commit/9f8c304c8a390ade133bac29963dc8e56ab14cbc
+---
+ src/ops.c | 41 ++++++++++++++++++++++++++---------------
+ src/testdir/test_visual.vim | 10 ++++++++++
+ src/version.c | 2 ++
+ 3 files changed, 38 insertions(+), 15 deletions(-)
+
+--- a/src/ops.c
++++ b/src/ops.c
+@@ -636,22 +636,26 @@ block_insert(
+ if (b_insert)
+ {
+ off = (*mb_head_off)(oldp, oldp + offset + spaces);
++ spaces -= off;
++ count -= off;
+ }
+ else
+ {
+- off = (*mb_off_next)(oldp, oldp + offset);
+- offset += off;
++ // spaces fill the gap, the character that's at the edge moves
++ // right
++ off = (*mb_head_off)(oldp, oldp + offset);
++ offset -= off;
+ }
+- spaces -= off;
+- count -= off;
+ }
+-
+- newp = alloc_check((unsigned)(STRLEN(oldp)) + s_len + count + 1);
++ // Make sure the allocated size matches what is actually copied below.
++ newp = alloc_check((unsigned)(STRLEN(oldp)) + spaces + s_len
++ + (spaces > 0 && !bdp->is_short ? p_ts - spaces : 0)
++ + count + 1);
+ if (newp == NULL)
+ continue;
+
+ /* copy up to shifted part */
+- mch_memmove(newp, oldp, (size_t)(offset));
++ mch_memmove(newp, oldp, (size_t)offset);
+ oldp += offset;
+
+ /* insert pre-padding */
+@@ -661,14 +665,21 @@ block_insert(
+ mch_memmove(newp + offset + spaces, s, (size_t)s_len);
+ offset += s_len;
+
+- if (spaces && !bdp->is_short)
++ if (spaces > 0 && !bdp->is_short)
+ {
+- /* insert post-padding */
+- vim_memset(newp + offset + spaces, ' ', (size_t)(p_ts - spaces));
+- /* We're splitting a TAB, don't copy it. */
+- oldp++;
+- /* We allowed for that TAB, remember this now */
+- count++;
++ if (*oldp == TAB)
++ {
++ // insert post-padding
++ vim_memset(newp + offset + spaces, ' ',
++ (size_t)(p_ts - spaces));
++ // we're splitting a TAB, don't copy it
++ oldp++;
++ // We allowed for that TAB, remember this now
++ count++;
++ }
++ else
++ // Not a TAB, no extra spaces
++ count = spaces;
+ }
+
+ if (spaces > 0)
+@@ -2702,7 +2713,7 @@ op_insert(oparg_T *oap, long count1)
+ oap->start_vcol = t;
+ }
+ else if (oap->op_type == OP_APPEND
+- && oap->end.col + oap->end.coladd
++ && oap->start.col + oap->start.coladd
+ >= curbuf->b_op_start_orig.col
+ + curbuf->b_op_start_orig.coladd)
+ {
+--- a/src/testdir/test_visual.vim
++++ b/src/testdir/test_visual.vim
+@@ -397,3 +397,13 @@ func Test_Visual_paragraph_textobject()
+
+ bwipe!
+ endfunc
++
++func Test_visual_block_append_invalid_char()
++ " this was going over the end of the line
++ new
++ call setline(1, [' let xxx', 'xxxxx', 'xxxxxxxxxxx'])
++ exe "normal 0\<C-V>jjA-\<Esc>"
++ call assert_equal([' - let xxx', 'xxxxx -', 'xxxxxxxx-xxx'], getline(1, 3))
++ bwipe!
++endfunc
++
+--- a/src/version.c
++++ b/src/version.c
+@@ -792,6 +792,8 @@ static char *(features[]) =
+ static int included_patches[] =
+ { /* Add new patch number below this line */
+ /**/
++ 4120,
++/**/
+ 1401,
+ /**/
+ 1382, |
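Review bot: The added `Test_visual_block_append_invalid_char` only compares the resulting buffer text, so on an uninstrumented build it may still pass if `block_insert` writes past `newp`; the memory-safety property this backport is meant to restore is that the `alloc_check` size in the first `src/ops.c` hunk covers every `mch_memmove`/`vim_memset` into `newp`. Run the test suite for this backport once under AddressSanitizer or valgrind on the patched tree before release. The size expression reserves `p_ts - spaces` whenever `spaces > 0 && !bdp->is_short`, while the post-padding is now written only when `*oldp == TAB`; that over-allocation looks harmless, but it deserves a comment next to the existing one, for example `// post-padding is reserved even when no TAB is split; over-allocating is safe`. `block_insert` and `op_insert` both start and end outside these hunks, so the remaining writes into `newp` (the pre-padding fill and the final copy of the rest of the line) need to be checked against the new size in the full file.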