Diffstat (limited to 'debian/patches/CVE-2022-0261.patch')
-rw-r--r--debian/patches/CVE-2022-0261.patch112
1 files changed, 112 insertions, 0 deletions
diff --git a/debian/patches/CVE-2022-0261.patch b/debian/patches/CVE-2022-0261.patch
new file mode 100644
index 0000000..c1a9026
--- /dev/null
+++ b/debian/patches/CVE-2022-0261.patch
@@ -0,0 +1,112 @@
+From: Markus Koschany <apo@debian.org>
+Date: Sun, 23 Oct 2022 16:31:29 +0200
+Subject: CVE-2022-0261
+
+Origin: https://github.com/vim/vim/commit/9f8c304c8a390ade133bac29963dc8e56ab14cbc
+---
+ src/ops.c | 41 ++++++++++++++++++++++++++---------------
+ src/testdir/test_visual.vim | 10 ++++++++++
+ src/version.c | 2 ++
+ 3 files changed, 38 insertions(+), 15 deletions(-)
+
+--- a/src/ops.c
++++ b/src/ops.c
+@@ -636,22 +636,26 @@ block_insert(
+ if (b_insert)
+ {
+ off = (*mb_head_off)(oldp, oldp + offset + spaces);
++ spaces -= off;
++ count -= off;
+ }
+ else
+ {
+- off = (*mb_off_next)(oldp, oldp + offset);
+- offset += off;
++ // spaces fill the gap, the character that's at the edge moves
++ // right
++ off = (*mb_head_off)(oldp, oldp + offset);
++ offset -= off;
+ }
+- spaces -= off;
+- count -= off;
+ }
+-
+- newp = alloc_check((unsigned)(STRLEN(oldp)) + s_len + count + 1);
++ // Make sure the allocated size matches what is actually copied below.
++ newp = alloc_check((unsigned)(STRLEN(oldp)) + spaces + s_len
++ + (spaces > 0 && !bdp->is_short ? p_ts - spaces : 0)
++ + count + 1);
+ if (newp == NULL)
+ continue;
+
+ /* copy up to shifted part */
+- mch_memmove(newp, oldp, (size_t)(offset));
++ mch_memmove(newp, oldp, (size_t)offset);
+ oldp += offset;
+
+ /* insert pre-padding */
+@@ -661,14 +665,21 @@ block_insert(
+ mch_memmove(newp + offset + spaces, s, (size_t)s_len);
+ offset += s_len;
+
+- if (spaces && !bdp->is_short)
++ if (spaces > 0 && !bdp->is_short)
+ {
+- /* insert post-padding */
+- vim_memset(newp + offset + spaces, ' ', (size_t)(p_ts - spaces));
+- /* We're splitting a TAB, don't copy it. */
+- oldp++;
+- /* We allowed for that TAB, remember this now */
+- count++;
++ if (*oldp == TAB)
++ {
++ // insert post-padding
++ vim_memset(newp + offset + spaces, ' ',
++ (size_t)(p_ts - spaces));
++ // we're splitting a TAB, don't copy it
++ oldp++;
++ // We allowed for that TAB, remember this now
++ count++;
++ }
++ else
++ // Not a TAB, no extra spaces
++ count = spaces;
+ }
+
+ if (spaces > 0)
+@@ -2702,7 +2713,7 @@ op_insert(oparg_T *oap, long count1)
+ oap->start_vcol = t;
+ }
+ else if (oap->op_type == OP_APPEND
+- && oap->end.col + oap->end.coladd
++ && oap->start.col + oap->start.coladd
+ >= curbuf->b_op_start_orig.col
+ + curbuf->b_op_start_orig.coladd)
+ {
+--- a/src/testdir/test_visual.vim
++++ b/src/testdir/test_visual.vim
+@@ -397,3 +397,13 @@ func Test_Visual_paragraph_textobject()
+
+ bwipe!
+ endfunc
++
++func Test_visual_block_append_invalid_char()
++ " this was going over the end of the line
++ new
++ call setline(1, [' let xxx', 'xxxxxˆ', 'xxxxxxxxxxx'])
++ exe "normal 0\<C-V>jjA-\<Esc>"
++ call assert_equal([' - let xxx', 'xxxxx -ˆ', 'xxxxxxxx-xxx'], getline(1, 3))
++ bwipe!
++endfunc
++
+--- a/src/version.c
++++ b/src/version.c
+@@ -792,6 +792,8 @@ static char *(features[]) =
+ static int included_patches[] =
+ { /* Add new patch number below this line */
+ /**/
++ 4120,
++/**/
+ 1401,
+ /**/
+ 1382,
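Review bot: In the embedded `block_insert` hunk for src/ops.c, `spaces -= off;` may leave the signed `spaces` negative, yet the new `alloc_check(...)` size adds `spaces` unconditionally and only the post-padding term is guarded by `spaces > 0`. A negative value would shrink the allocation and also shift the destination in `mch_memmove(newp + offset + spaces, s, (size_t)s_len)`, so I would clamp it just before the allocation with `if (spaces < 0) spaces = 0;`. The pre-padding write and the rest of `block_insert` sit outside the hunk, so whether a negative value is reachable in this backported tree needs confirming there. Separately, `Test_visual_block_append_invalid_char` depends on an invalid byte in its `setline()` argument, which this page renders as `ˆ`. Please check that the committed patch file keeps the original raw byte, since a transcoded character would let the test pass without exercising the fixed path.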