Diffstat (limited to 'debian/patches/CVE-2022-0392.patch')
-rw-r--r--debian/patches/CVE-2022-0392.patch130
1 files changed, 130 insertions, 0 deletions
diff --git a/debian/patches/CVE-2022-0392.patch b/debian/patches/CVE-2022-0392.patch
new file mode 100644
index 0000000..e410044
--- /dev/null
+++ b/debian/patches/CVE-2022-0392.patch
@@ -0,0 +1,130 @@
+From 806d037671e133bd28a7864248763f643967973a Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Tue, 25 Jan 2022 20:45:16 +0000
+Subject: [PATCH] patch 8.2.4218: illegal memory access with bracketed paste in
+ Ex mode
+
+Problem: Illegal memory access with bracketed paste in Ex mode.
+Solution: Reserve space for the trailing NUL.
+---
+ src/edit.c | 3 ++-
+ src/testdir/test_paste.vim | 3 +++
+ src/version.c | 2 ++
+ 3 files changed, 7 insertions(+), 1 deletion(-)
+
+From fe4bbac1166f2e4e3fa18cb966ec7305198c8176 Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Mon, 20 Jan 2020 21:12:20 +0100
+Subject: [PATCH] patch 8.2.0135: bracketed paste can still cause invalid
+ memory access
+
+Problem: Bracketed paste can still cause invalid memory access. (Dominique
+ Pelle)
+Solution: Check for NULL pointer.
+---
+ src/edit.c | 2 +-
+ src/testdir/test_search.vim | 3 ++-
+ src/version.c | 2 ++
+ 3 files changed, 5 insertions(+), 2 deletions(-)
+
+Backport: drop included_patches 135 due to version bump
+
+From 98a336dd497d3422e7efeef9f24cc9e25aeb8a49 Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Mon, 20 Jan 2020 20:22:30 +0100
+Subject: [PATCH] patch 8.2.0133: invalid memory access with search command
+
+Problem: Invalid memory access with search command.
+Solution: When :normal runs out of characters in bracketed paste mode break
+ out of the loop.(closes #5511)
+---
+ src/edit.c | 4 ++--
+ src/testdir/test_search.vim | 5 +++++
+ src/version.c | 2 ++
+ 3 files changed, 9 insertions(+), 2 deletions(-)
+
+Backport: drop included_patches 135 due to version bump
+
+diff --git a/src/edit.c b/src/edit.c
+index ee3caf0dad50..2b5301100ddb 100644
+--- a/src/edit.c
++++ b/src/edit.c
+@@ -9183,7 +9183,7 @@ bracketed_paste(paste_mode_T mode, int drop, garray_T *gap)
+ int save_paste = p_paste;
+
+ /* If the end code is too long we can't detect it, read everything. */
+- if (STRLEN(end) >= NUMBUFLEN)
++ if (end != NULL && STRLEN(end) >= NUMBUFLEN)
+ end = NULL;
+ ++no_mapping;
+ allow_keys = 0;
+@@ -9201,9 +9201,9 @@ bracketed_paste(paste_mode_T mode, int drop, garray_T *gap)
+ {
+ c = vgetc();
+ } while (c == K_IGNORE || c == K_VER_SCROLLBAR || c == K_HOR_SCROLLBAR);
+- if (c == NUL || got_int)
++ if (c == NUL || got_int || (ex_normal_busy > 0 && c == Ctrl_C))
+ // When CTRL-C was encountered the typeahead will be flushed and we
+- // won't get the end sequence.
++ // won't get the end sequence. Except when using ":normal".
+ break;
+
+ if (has_mbyte)
+@@ -9226,7 +9226,8 @@ bracketed_paste(paste_mode_T mode, int drop, garray_T *gap)
+ break;
+
+ case PASTE_EX:
+- if (gap != NULL && ga_grow(gap, idx) == OK)
++ /* add one for the NUL that is going to be appended */
++ if (gap != NULL && ga_grow(gap, idx + 1) == OK)
+ {
+ mch_memmove((char *)gap->ga_data + gap->ga_len,
+ buf, (size_t)idx);
+diff --git a/src/testdir/test_paste.vim b/src/testdir/test_paste.vim
+index c94fe7c357ed..5b8d8a0e3e2d 100644
+--- a/src/testdir/test_paste.vim
++++ b/src/testdir/test_paste.vim
+@@ -84,6 +84,16 @@
+ call assert_equal("\"afoo\<CR>barb", getreg(':'))
+ endfunc
+
++" bracketed paste in Ex-mode
++func Test_paste_ex_mode()
++ unlet! foo
++ call feedkeys("Qlet foo=\"\<Esc>[200~foo\<CR>bar\<Esc>[201~\"\<CR>vi\<CR>", 'xt')
++ call assert_equal("foo\rbar", foo)
++
++ " pasting more than 40 bytes
++ exe "norm Q\<PasteStart>0000000000000000000000000000000000000000000000000000000000000000000000\<C-C>"
++endfunc
++
+ func Test_paste_visual_mode()
+ new
+ call setline(1, 'here are some words')
+diff --git a/src/testdir/test_search.vim b/src/testdir/test_search.vim
+index 60152f602..89ca6e131 100644
+--- a/src/testdir/test_search.vim
++++ b/src/testdir/test_search.vim
+@@ -1187,3 +1187,9 @@
+ call assert_equal(bufcontent[1], @/)
+ call Incsearch_cleanup()
+ endfunc
++
++func Test_search_special()
++ " this was causing illegal memory access and an endless loop
++ set t_PE=
++ exe "norm /\x80PS"
++endfunc
+diff --git a/src/version.c b/src/version.c
+index 6685b554f537..9dcf34928f8d 100644
+--- a/src/version.c
++++ b/src/version.c
+@@ -795,6 +795,8 @@ static char *(features[]) =
+ 805,
+ /**/
+ 5024,
++/**/
++ 4218,
+ /**/
+ 4214,
+ /**/