1 files changed, 62 insertions, 0 deletions

diff --git a/debian/patches/CVE-2023-4781-heap-buffer-overflow-in-vim_regsub_both.patch b/debian/patches/CVE-2023-4781-heap-buffer-overflow-in-vim_regsub_both.patch
new file mode 100644
index 0000000..862f43a
--- /dev/null
+++ b/debian/patches/CVE-2023-4781-heap-buffer-overflow-in-vim_regsub_both.patch
@@ -0,0 +1,62 @@
+From: Christian Brabandt <cb@256bit.org>
+Date: Thu, 28 Sep 2023 13:47:03 +0000
+Subject: CVE-2023-4781: heap-buffer-overflow in vim_regsub_both
+
+Problem:  heap-buffer-overflow in vim_regsub_both
+Solution: Disallow exchanging windows when textlock is active
+
+Signed-off-by: Christian Brabandt <cb@256bit.org>
+
+origin: https://github.com/vim/vim/commit/f6d28fe2c95c678cc3202cc5dc825a3fcc709e93.patch
+bug-debian-security: https://security-tracker.debian.org/tracker/CVE-2023-4781
+bug: https://huntr.dev/bounties/c867eb0a-aa8b-4946-a621-510350673883/
+---
+---
+ src/ex_cmds.c | 3 +++
+ src/version.c | 2 ++
+ src/window.c  | 5 +++++
+ 3 files changed, 10 insertions(+)
+
+diff --git a/src/ex_cmds.c b/src/ex_cmds.c
+index e4dffdb..766cfbe 100644
+--- a/src/ex_cmds.c
++++ b/src/ex_cmds.c
+@@ -5604,6 +5604,9 @@ do_sub(exarg_T *eap)
+ 		{
+ 		    nmatch = curbuf->b_ml.ml_line_count - sub_firstlnum + 1;
+ 		    skip_match = TRUE;
++		    // safety check
++		    if (nmatch < 0)
++			goto skip;
+ 		}
+ 
+ 		/* Need room for:
+diff --git a/src/version.c b/src/version.c
+index d863dd1..86c3195 100644
+--- a/src/version.c
++++ b/src/version.c
+@@ -791,6 +791,8 @@ static char *(features[]) =
+ 
+ static int included_patches[] =
+ {   /* Add new patch number below this line */
++/**/
++    1873,
+ /**/
+     1858,
+ /**/
+diff --git a/src/window.c b/src/window.c
+index 82ece3e..71908f6 100644
+--- a/src/window.c
++++ b/src/window.c
+@@ -1604,6 +1604,11 @@ win_rotate(int upwards, int count)
+ 	beep_flush();
+ 	return;
+     }
++    if (text_or_buf_locked())
++    {
++	beep_flush();
++	return;
++    }
+ 
+ #ifdef FEAT_GUI
+     need_mouse_correct = TRUE;