From: Markus Koschany
Date: Wed, 26 Oct 2022 23:26:57 +0200
Subject: CVE-2022-0417
Origin: https://github.com/vim/vim/commit/652dee448618589de5528a9e9a36995803f5557a
---
 src/option.c | 16 +++++++++-------
 src/testdir/test_options.vim | 2 ++
 src/vim.h | 2 ++
 3 files changed, 13 insertions(+), 7 deletions(-)
--- a/src/option.c
+++ b/src/option.c
@@ -9371,6 +9371,11 @@ set_num_option(
 errmsg = e_positive;
 curbuf->b_p_ts = 8;
 }
+ else if (curbuf->b_p_ts > TABSTOP_MAX)
+ {
+ errmsg = e_invarg;
+ curbuf->b_p_ts = 8;
+ }
 if (p_tm < 0)
 {
 errmsg = e_positive;
@@ -11397,7 +11402,7 @@ buf_copy_options(buf_T *buf, int flags)
 if (p_vsts && p_vsts != empty_option)
 (void)tabstop_set(p_vsts, &buf->b_p_vsts_array);
 else
- buf->b_p_vsts_array = 0;
+ buf->b_p_vsts_array = NULL;
 buf->b_p_vsts_nopaste = p_vsts_nopaste
 ? vim_strsave(p_vsts_nopaste) : NULL;
 #endif
@@ -12384,9 +12389,7 @@ paste_option_changed(void)
 if (buf->b_p_vsts)
 free_string_option(buf->b_p_vsts);
 buf->b_p_vsts = empty_option;
- if (buf->b_p_vsts_array)
- vim_free(buf->b_p_vsts_array);
- buf->b_p_vsts_array = 0;
+ VIM_CLEAR(buf->b_p_vsts_array);
 #endif
 }
@@ -12432,12 +12435,11 @@ paste_option_changed(void)
 free_string_option(buf->b_p_vsts);
 buf->b_p_vsts = buf->b_p_vsts_nopaste
 ? vim_strsave(buf->b_p_vsts_nopaste) : empty_option;
- if (buf->b_p_vsts_array)
- vim_free(buf->b_p_vsts_array);
+ vim_free(buf->b_p_vsts_array);
 if (buf->b_p_vsts && buf->b_p_vsts != empty_option)
 (void)tabstop_set(buf->b_p_vsts, &buf->b_p_vsts_array);
 else
- buf->b_p_vsts_array = 0;
+ buf->b_p_vsts_array = NULL;
 #endif
 }
--- a/src/testdir/test_options.vim
+++ b/src/testdir/test_options.vim
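Review bot: In the set_num_option hunk (@@ -9371) the new TABSTOP_MAX bound is applied only to `curbuf->b_p_ts`, while the 'vartabstop' values that the later hunks hand to `tabstop_set()` get no visible limit anywhere in this patch. If `tabstop_set()` (its body is not part of this patch) does not reject entries above TABSTOP_MAX, the same oversized widths may remain settable through 'vartabstop', so that is worth confirming, together with a matching `assert_fails` case for that option. A comment above the new branch would also help the next reader, e.g. `/* Reject values above TABSTOP_MAX (fix for CVE-2022-0417) and fall back to 8. */`. set_num_option starts and ends outside the hunk.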
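Review bot: In the second paste_option_changed hunk (@@ -12432), `vim_free(buf->b_p_vsts_array);` leaves the pointer dangling until one of the two branches overwrites it, and the `tabstop_set()` branch discards its return value with `(void)`. If `tabstop_set()` can fail without storing to its output argument (its body is outside this patch), `b_p_vsts_array` would keep pointing at freed memory. The earlier hunk in the same function already uses `VIM_CLEAR(buf->b_p_vsts_array);`; using it here as well would make a failure path leave NULL instead. The function body continues outside the hunk.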
@@ -234,6 +234,8 @@ func Test_set_errors()
 call assert_fails('set shiftwidth=-1', 'E487:')
 call assert_fails('set sidescroll=-1', 'E487:')
 call assert_fails('set tabstop=-1', 'E487:')
+ call assert_fails('set tabstop=10000', 'E474:')
+ call assert_fails('set tabstop=5500000000', 'E474:')
 call assert_fails('set textwidth=-1', 'E487:')
 call assert_fails('set timeoutlen=-1', 'E487:')
 call assert_fails('set updatecount=-1', 'E487:')
--- a/src/vim.h
+++ b/src/vim.h
@@ -1988,6 +1988,8 @@ typedef int sock_T;
 #define VAR_TYPE_CHANNEL 9
 #define VAR_TYPE_BLOB 10
+#define TABSTOP_MAX 9999
+
 #ifdef FEAT_CLIPBOARD
 /* VIM_ATOM_NAME is the older Vim-specific selection type for X11. Still
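Review bot: The two cases added to Test_set_errors (@@ -234) only probe values above the limit, so an off-by-one in the `> TABSTOP_MAX` comparison would go unnoticed. An acceptance check at the limit would pin the boundary, e.g. `set tabstop=9999` followed by `call assert_equal(9999, &tabstop)` and `set tabstop&`. Test_set_errors starts and ends outside the hunk.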