Diffstat (limited to 'debian/patches/CVE-2022-0417.patch')
-rw-r--r-- | debian/patches/CVE-2022-0417.patch | 88 |
1 files changed, 88 insertions, 0 deletions
diff --git a/debian/patches/CVE-2022-0417.patch b/debian/patches/CVE-2022-0417.patch
new file mode 100644
index 0000000..d5a99e0
--- /dev/null
+++ b/debian/patches/CVE-2022-0417.patch
@@ -0,0 +1,88 @@
+From: Markus Koschany <apo@debian.org>
+Date: Wed, 26 Oct 2022 23:26:57 +0200
+Subject: CVE-2022-0417
+
+Origin: https://github.com/vim/vim/commit/652dee448618589de5528a9e9a36995803f5557a
+---
+ src/option.c | 16 +++++++++-------
+ src/testdir/test_options.vim | 2 ++
+ src/vim.h | 2 ++
+ 3 files changed, 13 insertions(+), 7 deletions(-)
+
+diff --git a/src/option.c b/src/option.c
+index 12d903f..f7643eb 100644
+--- a/src/option.c
++++ b/src/option.c
+@@ -9371,6 +9371,11 @@ set_num_option(
+ errmsg = e_positive;
+ curbuf->b_p_ts = 8;
+ }
++ else if (curbuf->b_p_ts > TABSTOP_MAX)
++ {
++ errmsg = e_invarg;
++ curbuf->b_p_ts = 8;
++ }
+ if (p_tm < 0)
+ {
+ errmsg = e_positive;
+@@ -11397,7 +11402,7 @@ buf_copy_options(buf_T *buf, int flags)
+ if (p_vsts && p_vsts != empty_option)
+ (void)tabstop_set(p_vsts, &buf->b_p_vsts_array);
+ else
+- buf->b_p_vsts_array = 0;
++ buf->b_p_vsts_array = NULL;
+ buf->b_p_vsts_nopaste = p_vsts_nopaste
+ ? vim_strsave(p_vsts_nopaste) : NULL;
+ #endif
+@@ -12384,9 +12389,7 @@ paste_option_changed(void)
+ if (buf->b_p_vsts)
+ free_string_option(buf->b_p_vsts);
+ buf->b_p_vsts = empty_option;
+- if (buf->b_p_vsts_array)
+- vim_free(buf->b_p_vsts_array);
+- buf->b_p_vsts_array = 0;
++ VIM_CLEAR(buf->b_p_vsts_array);
+ #endif
+ }
+
+@@ -12432,12 +12435,11 @@ paste_option_changed(void)
+ free_string_option(buf->b_p_vsts);
+ buf->b_p_vsts = buf->b_p_vsts_nopaste
+ ? vim_strsave(buf->b_p_vsts_nopaste) : empty_option;
+- if (buf->b_p_vsts_array)
+- vim_free(buf->b_p_vsts_array);
++ vim_free(buf->b_p_vsts_array);
+ if (buf->b_p_vsts && buf->b_p_vsts != empty_option)
+ (void)tabstop_set(buf->b_p_vsts, &buf->b_p_vsts_array);
+ else
+- buf->b_p_vsts_array = 0;
++ buf->b_p_vsts_array = NULL;
+ #endif
+ }
+
+diff --git a/src/testdir/test_options.vim b/src/testdir/test_options.vim
+index 83b315d..50aae7c 100644
+--- a/src/testdir/test_options.vim
++++ b/src/testdir/test_options.vim
+@@ -234,6 +234,8 @@ func Test_set_errors()
+ call assert_fails('set shiftwidth=-1', 'E487:')
+ call assert_fails('set sidescroll=-1', 'E487:')
+ call assert_fails('set tabstop=-1', 'E487:')
++ call assert_fails('set tabstop=10000', 'E474:')
++ call assert_fails('set tabstop=5500000000', 'E474:')
+ call assert_fails('set textwidth=-1', 'E487:')
+ call assert_fails('set timeoutlen=-1', 'E487:')
+ call assert_fails('set updatecount=-1', 'E487:')
+diff --git a/src/vim.h b/src/vim.h
+index 7ee164a..dfc96bc 100644
+--- a/src/vim.h
++++ b/src/vim.h
+@@ -1988,6 +1988,8 @@ typedef int sock_T;
+ #define VAR_TYPE_CHANNEL 9
+ #define VAR_TYPE_BLOB 10
+
++#define TABSTOP_MAX 9999
++
+ #ifdef FEAT_CLIPBOARD
+
+ /* VIM_ATOM_NAME is the older Vim-specific selection type for X11. Still |
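Review bot: The new upper bound is enforced only on `curbuf->b_p_ts` in the `set_num_option` hunk, while the `tabstop_set()` calls visible in the `buf_copy_options` and `paste_option_changed` hunks parse 'vartabstop' values that nothing in this patch appears to bound. Since the backport touches only `src/option.c`, `src/vim.h` and the options test, it is worth comparing it with the Origin commit to confirm that no part of the upstream change was dropped, and adding a regression test for the command path that triggered the CVE rather than only for `:set tabstop=`. `TABSTOP_MAX` is also added without a comment; a line such as `/* largest accepted value for 'tabstop'; larger values are rejected with E474 */` above the define would say what the limit applies to. The enclosing functions start and end outside these hunks, so other places that assign `b_p_ts` cannot be checked from this page.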