summaryrefslogtreecommitdiffstats
path: root/debian/patches/CVE-2022-3234.patch
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--debian/patches/CVE-2022-3234.patch71
1 files changed, 71 insertions, 0 deletions
diff --git a/debian/patches/CVE-2022-3234.patch b/debian/patches/CVE-2022-3234.patch
new file mode 100644
index 0000000..16207d5
--- /dev/null
+++ b/debian/patches/CVE-2022-3234.patch
@@ -0,0 +1,71 @@
+From: Markus Koschany <apo@debian.org>
+Date: Mon, 7 Nov 2022 00:35:02 +0100
+Subject: CVE-2022-3234
+
+Origin: https://github.com/vim/vim/commit/c249913edc35c0e666d783bfc21595cf9f7d9e0d
+---
+ src/ops.c | 12 ++++++++++--
+ src/testdir/test_virtualedit.vim | 14 ++++++++++++++
+ 2 files changed, 24 insertions(+), 2 deletions(-)
+
+diff --git a/src/ops.c b/src/ops.c
+index 84b5f90..c2319b1 100644
+--- a/src/ops.c
++++ b/src/ops.c
+@@ -2295,6 +2295,8 @@ op_replace(oparg_T *oap, int c)
+
+ while (LTOREQ_POS(curwin->w_cursor, oap->end))
+ {
++ int done = FALSE;
++
+ n = gchar_cursor();
+ if (n != NUL)
+ {
+@@ -2305,6 +2307,7 @@ op_replace(oparg_T *oap, int c)
+ if (curwin->w_cursor.lnum == oap->end.lnum)
+ oap->end.col += (*mb_char2len)(c) - (*mb_char2len)(n);
+ replace_character(c);
++ done = TRUE;
+ }
+ else
+ {
+@@ -2323,10 +2326,15 @@ op_replace(oparg_T *oap, int c)
+ if (curwin->w_cursor.lnum == oap->end.lnum)
+ getvpos(&oap->end, end_vcol);
+ }
+- PBYTE(curwin->w_cursor, c);
++ // with "coladd" set may move to just after a TAB
++ if (gchar_cursor() != NUL)
++ {
++ PBYTE(curwin->w_cursor, c);
++ done = TRUE;
++ }
+ }
+ }
+- else if (virtual_op && curwin->w_cursor.lnum == oap->end.lnum)
++ if (!done && virtual_op && curwin->w_cursor.lnum == oap->end.lnum)
+ {
+ int virtcols = oap->end.coladd;
+
+diff --git a/src/testdir/test_virtualedit.vim b/src/testdir/test_virtualedit.vim
+index 67adede..6b8fdfd 100644
+--- a/src/testdir/test_virtualedit.vim
++++ b/src/testdir/test_virtualedit.vim
+@@ -73,3 +73,17 @@ func Test_edit_CTRL_G()
+ bwipe!
+ set virtualedit=
+ endfunc
++
++" this was replacing the NUL at the end of the line
++func Test_virtualedit_replace_after_tab()
++ new
++ s/\v/ 0
++ set ve=all
++ let @" = ''
++ sil! norm vPvr0
++
++ call assert_equal("\t0", getline(1))
++ set ve&
++ bwipe!
++endfunc
++