From: Markus Koschany
Date: Sun, 6 Nov 2022 23:00:10 +0100
Subject: CVE-2022-2598
Origin: https://github.com/vim/vim/commit/4e677b9c40ccbc5f090971b31dc2fe07bf05541d
---
 src/diff.c                    |  9 ++++++---
 src/testdir/test_diffmode.vim | 15 +++++++++++++++
 2 files changed, 21 insertions(+), 3 deletions(-)
--- a/src/diff.c
+++ b/src/diff.c
@@ -451,7 +451,10 @@ diff_mark_adjust_tp(
     for (i = 0; i < DB_COUNT; ++i)
         if (tp->tp_diffbuf[i] != NULL && i != idx)
         {
-            dp->df_lnum[i] -= off;
+            if (dp->df_lnum[i] > off)
+                dp->df_lnum[i] -= off;
+            else
+                dp->df_lnum[i] = 1;
             dp->df_count[i] += n;
         }
     }
@@ -2735,8 +2738,8 @@ ex_diffgetput(exarg_T *eap)
             {
                 /* remember deleting the last line of the buffer */
                 buf_empty = curbuf->b_ml.ml_line_count == 1;
-                ml_delete(lnum, FALSE);
-                --added;
+                if (ml_delete(lnum, FALSE) == OK)
+                    --added;
             }
             for (i = 0; i < dp->df_count[idx_from] - start_skip - end_skip; ++i)
             {
--- a/src/testdir/test_diffmode.vim
+++ b/src/testdir/test_diffmode.vim
@@ -913,3 +913,18 @@ func Test_diff_of_diff()
   call StopVimInTerminal(buf)
   call delete('Xtest_diff_diff')
 endfunc
+
+" This was causing the line number in the diff block to go below one.
+" FIXME: somehow this causes a valgrind error when run directly but not when
+" run as a test.
+func Test_diff_put_and_undo()
+  set diff
+  next 0
+  split 00
+  sil! norm o0gguudpo0ggJuudp
+
+  bwipe!
+  bwipe!
+  set nodiff
+endfunc
+
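Review bot: The new clamp `dp->df_lnum[i] = 1` in the else branch carries no comment saying why a diff block's start line can be driven below one, so the next reader will take it for an arbitrary floor; the test added in test_diffmode.vim is the only place that explains it. Suggest `/* Never move the block above line 1: "off" can exceed df_lnum after a delete/put/undo sequence (CVE-2022-2598). */` above the new `if`. Note that when the clamp fires, `dp->df_count[i] += n` still runs unchanged, so the block's count no longer corresponds to the lines actually shifted; whether a later diff update corrects that is not visible here, since diff_mark_adjust_tp both starts and ends outside the hunk.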
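Review bot: `buf_empty` is still assigned from the pre-delete line count even when the new `ml_delete(lnum, FALSE) == OK` test fails, so a failed delete of the last line leaves `buf_empty` TRUE for a buffer that still has that line. If the code after this hunk uses `buf_empty` to compensate for a removed last line (the rest of ex_diffgetput is outside the hunk, so this is inferred), it should be gated on the same result, e.g. `int was_last = curbuf->b_ml.ml_line_count == 1; if (ml_delete(lnum, FALSE) == OK) { buf_empty = was_last; --added; }`. A short comment on the new check saying when ml_delete can return FAIL here would also spare the next reader from guessing why a silent skip is acceptable.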
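Review bot: The FIXME in the new test records a valgrind error when the same key sequence is run outside the test harness, which for a fix shipped under CVE-2022-2598 is a signal worth tracking rather than leaving in a comment, since a memory error that only appears interactively suggests the clamp in diff.c may mask rather than remove the invalid access. Suggest pointing the comment at a tracking ticket (placeholder: `" FIXME(<issue-id>): ...`) and running this test under valgrind in CI so a regression is caught. The `sil!` prefix also suppresses any error from the normal-mode sequence, so the test can only fail by crashing; an explicit assertion on the resulting buffer contents would make it a stronger regression test.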