summaryrefslogtreecommitdiffstats
path: root/debian/patches/CVE-2022-0443.patch
diff options
context:
space:
mode:
Diffstat (limited to 'debian/patches/CVE-2022-0443.patch')
-rw-r--r--debian/patches/CVE-2022-0443.patch79
1 files changed, 79 insertions, 0 deletions
diff --git a/debian/patches/CVE-2022-0443.patch b/debian/patches/CVE-2022-0443.patch
new file mode 100644
index 0000000..fdf2329
--- /dev/null
+++ b/debian/patches/CVE-2022-0443.patch
@@ -0,0 +1,79 @@
+From: Markus Koschany <apo@debian.org>
+Date: Sun, 30 Oct 2022 20:10:52 +0100
+Subject: CVE-2022-0443
+
+Origin: https://github.com/vim/vim/commit/9b4a80a66544f2782040b641498754bcb5b8d461
+---
+ src/buffer.c | 15 ++++++++++-----
+ src/testdir/test_quickfix.vim | 16 ++++++++++++++++
+ 2 files changed, 26 insertions(+), 5 deletions(-)
+
+diff --git a/src/buffer.c b/src/buffer.c
+index 590a63c..4cac106 100644
+--- a/src/buffer.c
++++ b/src/buffer.c
+@@ -1627,6 +1627,7 @@ set_curbuf(buf_T *buf, int action)
+ #endif
+ bufref_T newbufref;
+ bufref_T prevbufref;
++ int valid;
+
+ setpcmark();
+ if (!cmdmod.keepalt)
+@@ -1679,13 +1680,19 @@ set_curbuf(buf_T *buf, int action)
+ /* An autocommand may have deleted "buf", already entered it (e.g., when
+ * it did ":bunload") or aborted the script processing.
+ * If curwin->w_buffer is null, enter_buffer() will make it valid again */
+- if ((buf_valid(buf) && buf != curbuf
++ valid = buf_valid(buf);
++ if ((valid && buf != curbuf
+ #ifdef FEAT_EVAL
+ && !aborting()
+ #endif
+ ) || curwin->w_buffer == NULL)
+ {
+- enter_buffer(buf);
++ // If the buffer is not valid but curwin->w_buffer is NULL we must
++ // enter some buffer. Using the last one is hopefully OK.
++ if (!valid)
++ enter_buffer(lastbuf);
++ else
++ enter_buffer(buf);
+ #ifdef FEAT_SYN_HL
+ if (old_tw != curbuf->b_p_tw)
+ check_colorcolumn(curwin);
+@@ -2166,9 +2173,7 @@ free_buf_options(
+ if (buf->b_p_vsts_nopaste)
+ vim_free(buf->b_p_vsts_nopaste);
+ buf->b_p_vsts_nopaste = NULL;
+- if (buf->b_p_vsts_array)
+- vim_free(buf->b_p_vsts_array);
+- buf->b_p_vsts_array = NULL;
++ VIM_CLEAR(buf->b_p_vsts_array);
+ clear_string_option(&buf->b_p_vts);
+ VIM_CLEAR(buf->b_p_vts_array);
+ #endif
+diff --git a/src/testdir/test_quickfix.vim b/src/testdir/test_quickfix.vim
+index e7aa41e..8668224 100644
+--- a/src/testdir/test_quickfix.vim
++++ b/src/testdir/test_quickfix.vim
+@@ -3899,3 +3899,19 @@ func Test_viscol()
+ set efm&
+ call delete('Xfile1')
+ endfunc
++
++" Weird sequence of commands that caused entering a wiped-out buffer
++func Test_lopen_bwipe()
++ func! R()
++ silent! tab lopen
++ e x
++ silent! lfile
++ endfunc
++
++ cal R()
++ cal R()
++ cal R()
++ bw!
++ delfunc R
++endfunc
++
generated by cgit v1.2.3 (git 2.39.1) at 2024-11-23 10:18:15 +0000