Diffstat (limited to 'debian/patches/CVE-2022-3256.patch')
-rw-r--r--debian/patches/CVE-2022-3256.patch73
1 files changed, 73 insertions, 0 deletions
diff --git a/debian/patches/CVE-2022-3256.patch b/debian/patches/CVE-2022-3256.patch
new file mode 100644
index 0000000..ab1abab
--- /dev/null
+++ b/debian/patches/CVE-2022-3256.patch
@@ -0,0 +1,73 @@
+From 8ecfa2c56b4992c7f067b92488aa9acea5a454ad Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Wed, 21 Sep 2022 13:07:22 +0100
+Subject: [PATCH] patch 9.0.0530: using freed memory when autocmd changes mark
+
+Problem: Using freed memory when autocmd changes mark.
+Solution: Copy the mark before editing another buffer.
+---
+ src/mark.c | 12 +++++++-----
+ src/testdir/test_marks.vim | 13 +++++++++++++
+ src/version.c | 2 ++
+ 3 files changed, 22 insertions(+), 5 deletions(-)
+
+diff --git a/src/mark.c b/src/mark.c
+index ade5a1087b7d..584db033d3ca 100644
+--- a/src/mark.c
++++ b/src/mark.c
+@@ -252,17 +252,19 @@ movemark(int count)
+ fname2fnum(jmp);
+ if (jmp->fmark.fnum != curbuf->b_fnum)
+ {
+- /* jump to other file */
+- if (buflist_findnr(jmp->fmark.fnum) == NULL)
++ /* Make a copy, an autocommand may make "jmp" invalid. */
++ fmark_T fmark = jmp->fmark;
++
++ /* jump to the file with the mark */
++ if (buflist_findnr(fmark.fnum) == NULL)
+ { /* Skip this one .. */
+ count += count < 0 ? -1 : 1;
+ continue;
+ }
+- if (buflist_getfile(jmp->fmark.fnum, jmp->fmark.mark.lnum,
+- 0, FALSE) == FAIL)
++ if (buflist_getfile(fmark.fnum, fmark.mark.lnum, 0, FALSE) == FAIL)
+ return (pos_T *)NULL;
+ /* Set lnum again, autocommands my have changed it */
+- curwin->w_cursor = jmp->fmark.mark;
++ curwin->w_cursor = fmark.mark;
+ pos = (pos_T *)-1;
+ }
+ else
+diff --git a/src/testdir/test_marks.vim b/src/testdir/test_marks.vim
+index 12501a3aba07..20fb3041f244 100644
+--- a/src/testdir/test_marks.vim
++++ b/src/testdir/test_marks.vim
+@@ -174,3 +174,16 @@ func Test_getmarklist()
+ call assert_fails('mark xx', 'E488:')
+ call assert_fails('mark _', 'E191:')
+ endfunc
++" This was using freed memory
++func Test_jump_mark_autocmd()
++ next 00
++ edit 0
++ sargument
++ au BufEnter 0 all
++ sil norm 
++
++ au! BufEnter
++ bwipe!
++endfunc
++
++
+--- a/src/version.c
++++ b/src/version.c
+@@ -2619,6 +2619,7 @@
+ "8.2.3409",
+ "8.2.3428",
+ "9.0.0490",
++ "9.0.0530",
+ /**/
+ NULL
+ };
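Review bot: In the `movemark()` hunk of the embedded `src/mark.c` patch, `curwin->w_cursor = fmark.mark;` stores the copied position after `buflist_getfile()` has returned, without confirming that it still fits the buffer now shown in the current window. The copy removes the read through the stale `jmp` pointer, but the same autocommands that can invalidate `jmp` may also have changed which buffer is current or how many lines it has, so the saved `lnum` can be out of date. Unless every caller that receives `(pos_T *)-1` clamps the cursor (not visible here; `movemark()` starts and ends outside the hunk), consider assigning only when `curbuf->b_fnum == fmark.fnum` and following it with `check_cursor();`. Separately, the `sil norm ` line in `Test_jump_mark_autocmd` appears to rely on a raw control character that is not visible in this listing; it is worth confirming that the byte survives in the committed patch so the regression test still exercises the jump.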