From 37406d9074654510ff5ed9362800a23a943d80f4 Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Wed, 8 May 2024 07:08:16 +0200 Subject: Adding debian version 2:8.1.0875-5+deb10u4. Signed-off-by: Daniel Baumann --- debian/patches/CVE-2022-3256.patch | 73 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 73 insertions(+) create mode 100644 debian/patches/CVE-2022-3256.patch (limited to 'debian/patches/CVE-2022-3256.patch') diff --git a/debian/patches/CVE-2022-3256.patch b/debian/patches/CVE-2022-3256.patch new file mode 100644 index 0000000..ab1abab --- /dev/null +++ b/debian/patches/CVE-2022-3256.patch @@ -0,0 +1,73 @@ +From 8ecfa2c56b4992c7f067b92488aa9acea5a454ad Mon Sep 17 00:00:00 2001 +From: Bram Moolenaar +Date: Wed, 21 Sep 2022 13:07:22 +0100 +Subject: [PATCH] patch 9.0.0530: using freed memory when autocmd changes mark + +Problem: Using freed memory when autocmd changes mark. +Solution: Copy the mark before editing another buffer. +--- + src/mark.c | 12 +++++++----- + src/testdir/test_marks.vim | 13 +++++++++++++ + src/version.c | 2 ++ + 3 files changed, 22 insertions(+), 5 deletions(-) + +diff --git a/src/mark.c b/src/mark.c +index ade5a1087b7d..584db033d3ca 100644 +--- a/src/mark.c ++++ b/src/mark.c +@@ -252,17 +252,19 @@ movemark(int count) + fname2fnum(jmp); + if (jmp->fmark.fnum != curbuf->b_fnum) + { +- /* jump to other file */ +- if (buflist_findnr(jmp->fmark.fnum) == NULL) ++ /* Make a copy, an autocommand may make "jmp" invalid. */ ++ fmark_T fmark = jmp->fmark; ++ ++ /* jump to the file with the mark */ ++ if (buflist_findnr(fmark.fnum) == NULL) + { /* Skip this one .. */ + count += count < 0 ? -1 : 1; + continue; + } +- if (buflist_getfile(jmp->fmark.fnum, jmp->fmark.mark.lnum, +- 0, FALSE) == FAIL) ++ if (buflist_getfile(fmark.fnum, fmark.mark.lnum, 0, FALSE) == FAIL) + return (pos_T *)NULL; + /* Set lnum again, autocommands my have changed it */ +- curwin->w_cursor = jmp->fmark.mark; ++ curwin->w_cursor = fmark.mark; + pos = (pos_T *)-1; + } + else +diff --git a/src/testdir/test_marks.vim b/src/testdir/test_marks.vim +index 12501a3aba07..20fb3041f244 100644 +--- a/src/testdir/test_marks.vim ++++ b/src/testdir/test_marks.vim +@@ -174,3 +174,16 @@ func Test_getmarklist() + call assert_fails('mark xx', 'E488:') + call assert_fails('mark _', 'E191:') + endfunc ++" This was using freed memory ++func Test_jump_mark_autocmd() ++ next 00 ++ edit 0 ++ sargument ++ au BufEnter 0 all ++ sil norm  ++ ++ au! BufEnter ++ bwipe! ++endfunc ++ ++ +--- a/src/version.c ++++ b/src/version.c +@@ -2619,6 +2619,7 @@ + "8.2.3409", + "8.2.3428", + "9.0.0490", ++ "9.0.0530", + /**/ + NULL + }; -- cgit v1.2.3