Diffstat (limited to 'debian/patches/CVE-2022-3352.patch')
-rw-r--r-- | debian/patches/CVE-2022-3352.patch | 69 |
1 files changed, 69 insertions, 0 deletions
diff --git a/debian/patches/CVE-2022-3352.patch b/debian/patches/CVE-2022-3352.patch
new file mode 100644
index 0000000..f55e40d
--- /dev/null
+++ b/debian/patches/CVE-2022-3352.patch
@@ -0,0 +1,69 @@
+From ef976323e770315b5fca544efb6b2faa25674d15 Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Wed, 28 Sep 2022 11:48:30 +0100
+Subject: [PATCH] patch 9.0.0614: SpellFileMissing autocmd may delete buffer
+
+Problem: SpellFileMissing autocmd may delete buffer.
+Solution: Disallow deleting the current buffer to avoid using freed memory.
+---
+ src/buffer.c | 7 ++++++-
+ src/spell.c | 6 ++++++
+ src/testdir/test_autocmd.vim | 10 ++++++++++
+ src/version.c | 2 ++
+ 4 files changed, 24 insertions(+), 1 deletion(-)
+
+Backport: src/buffer.c isn't vulnerable yet
+
+diff --git a/src/spell.c b/src/spell.c
+index 628814fe6db3..975b5a6789a9 100644
+--- a/src/spell.c
++++ b/src/spell.c
+@@ -1813,6 +1813,10 @@ spell_load_lang(char_u *lang)
+ sl.sl_slang = NULL;
+ sl.sl_nobreak = FALSE;
+
++ // Disallow deleting the current buffer. Autocommands can do weird things
++ // and cause "lang" to be freed.
++ ++curbuf->b_locked;
++
+ /* We may retry when no spell file is found for the language, an
+ * autocommand may load it then. */
+ for (round = 1; round <= 2; ++round)
+@@ -1866,6 +1870,8 @@ spell_load_lang(char_u *lang)
+ STRCPY(fname_enc + STRLEN(fname_enc) - 3, "add.spl");
+ do_in_runtimepath(fname_enc, DIP_ALL, spell_load_cb, &sl);
+ }
++
++ --curbuf->b_locked;
+ }
+
+ /*
+diff --git a/src/testdir/test_autocmd.vim b/src/testdir/test_autocmd.vim
+index 86732f15dbe4..70f0f553a226 100644
+--- a/src/testdir/test_autocmd.vim
++++ b/src/testdir/test_autocmd.vim
+@@ -1416,3 +1416,14 @@
+ endfunc
+
+ " FileChangedShell tested in test_filechanged.vim
++
++" this was wiping out the current buffer and using freed memory
++func Test_SpellFileMissing_bwipe()
++ next 0
++ au SpellFileMissing 0 bwipe
++ call assert_fails('set spell spelllang=0', 'E937:')
++
++ au! SpellFileMissing
++ bwipe
++endfunc
++
+--- a/src/version.c
++++ b/src/version.c
+@@ -2620,6 +2620,7 @@
+ "8.2.3428",
+ "9.0.0490",
+ "9.0.0530",
++ "9.0.0614",
+ /**/
+ NULL
+ }; |
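Review bot: In the two src/spell.c hunks the lock is taken with `++curbuf->b_locked;` and released with `--curbuf->b_locked;`, so both statements re-read the global `curbuf` instead of using one saved pointer. `b_locked` is described here only as preventing deletion of the buffer; if a SpellFileMissing autocommand can still make another buffer current, the decrement would land on that other buffer and the original would stay locked. Declaring `buf_T *buf = curbuf;` with the other locals and using `++buf->b_locked;` / `--buf->b_locked;` would keep the pair balanced. The body of spell_load_lang between the two hunks is not shown, so it is also worth confirming that no return path there skips the decrement. Because this backport drops the upstream src/buffer.c change, the added Test_SpellFileMissing_bwipe (expecting `E937:`) is the only check that this tree actually refuses the wipe, so it should be run as part of the package build.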