From: Markus Koschany Date: Sun, 23 Oct 2022 17:18:10 +0200 Subject: CVE-2022-0351 Origin: https://github.com/vim/vim/commit/fe6fb267e6ee5c5da2f41889e4e0e0ac5bf4b89d --- src/eval.c | 10 ++++++++++ src/testdir/test_eval_stuff.vim | 5 +++++ 2 files changed, 15 insertions(+) --- a/src/eval.c +++ b/src/eval.c @@ -4159,6 +4159,7 @@ eval7( char_u *start_leader, *end_leader; int ret = OK; char_u *alias; + static int recurse = 0; /* * Initialise variable so that clear_tv() can't mistake this for a @@ -4174,6 +4175,14 @@ eval7( *arg = skipwhite(*arg + 1); end_leader = *arg; + // Limit recursion to 1000 levels. At least at 10000 we run out of stack + // and crash. + if (recurse == 1000) + { + return FAIL; + } + ++recurse; + switch (**arg) { /* @@ -4481,6 +4490,7 @@ eval7( } } + --recurse; return ret; } --- a/src/testdir/test_eval_stuff.vim +++ b/src/testdir/test_eval_stuff.vim @@ -94,3 +94,8 @@ func Test_let_errmsg() call assert_fails('let v:errmsg = []', 'E730:') let v:errmsg = '' endfunc + +func Test_deep_recursion() + " this was running out of stack + call assert_fails("exe 'if ' . repeat('(', 1002)") +endfunc