From: Markus Koschany Date: Mon, 7 Nov 2022 00:48:30 +0100 Subject: CVE-2022-3324 Origin: https://github.com/vim/vim/commit/8279af514ca7e5fd3c31cf13b0864163d1a0bfeb --- src/testdir/test_cmdline.vim | 22 ++++++++++++++++++++++ src/window.c | 5 ++++- 2 files changed, 26 insertions(+), 1 deletion(-) --- a/src/testdir/test_cmdline.vim +++ b/src/testdir/test_cmdline.vim @@ -620,5 +620,27 @@ func Test_report_error_with_composing() call assert_equal('yes', caught) endfunc +" This was resulting in a window with negative width. +" The test doesn't reproduce the illegal memory access though... +func Test_cmdwin_split_often() + let lines = &lines + let columns = &columns + set t_WS= + + try + set encoding=iso8859 + set ruler + winsize 0 0 + noremap 0 H + sil norm 0000000q: + catch /E36:/ + endtry + + bwipe! + set encoding=utf8 + let &lines = lines + let &columns = columns +endfunc + set cpo& --- a/src/window.c +++ b/src/window.c @@ -1945,6 +1945,8 @@ win_equal_rec( if (hnc) /* add next_curwin size */ { next_curwin_size -= p_wiw - (m - n); + if (next_curwin_size < 0) + next_curwin_size = 0; new_size += next_curwin_size; room -= new_size - next_curwin_size; } @@ -5899,7 +5901,8 @@ scroll_to_fraction(win_T *wp, int prev_h void win_new_width(win_T *wp, int width) { - wp->w_width = width; + // Should we give an error if width < 0? + wp->w_width = width < 0 ? 0 : width; wp->w_lines_valid = 0; changed_line_abv_curs_win(wp); invalidate_botline_win(wp);