From: Markus Koschany Date: Sun, 11 Jun 2023 13:46:58 +0200 Subject: CVE-2022-4141 Bug-Debian: https://bugs.debian.org/1027146 Origin: https://github.com/vim/vim/commit/cc762a48d42b579fb7bdec2c614636b830342dd5 --- src/normal.c | 35 ++++++++++++++++++++++++++--------- src/proto/normal.pro | 1 + src/testdir/test_substitute.vim | 20 ++++++++++++++++++++ src/window.c | 4 +++- 4 files changed, 50 insertions(+), 10 deletions(-) diff --git a/src/normal.c b/src/normal.c index 8f92b9c..ee2233d 100644 --- a/src/normal.c +++ b/src/normal.c @@ -523,13 +523,36 @@ check_text_locked(oparg_T *oap) { if (text_locked()) { - clearopbeep(oap); + if (oap != NULL) + clearopbeep(oap); text_locked_msg(); return TRUE; } return FALSE; } +/* + * If text is locked, "curbuf_lock" or "allbuf_lock" is set: + * Give an error message, possibly beep and return TRUE. + * "oap" may be NULL. + */ + int +check_text_or_curbuf_locked(oparg_T *oap) +{ + if (check_text_locked(oap)) + return TRUE; + +#ifdef FEAT_AUTOCMD + if (curbuf_locked()) + { + if (oap != NULL) + clearop(oap); + return TRUE; + } +#endif + return FALSE; +} + /* * Execute a command in Normal mode. */ @@ -791,8 +814,7 @@ getcount: goto normal_end; } - if ((nv_cmds[idx].cmd_flags & NV_NCW) - && (check_text_locked(oap) || curbuf_locked())) + if ((nv_cmds[idx].cmd_flags & NV_NCW) && check_text_or_curbuf_locked(oap)) /* this command is not allowed now */ goto normal_end; @@ -6173,13 +6195,8 @@ nv_gotofile(cmdarg_T *cap) char_u *ptr; linenr_T lnum = -1; - if (check_text_locked(cap->oap)) + if (check_text_or_curbuf_locked(cap->oap)) return; - if (curbuf_locked()) - { - clearop(cap->oap); - return; - } ptr = grab_file_name(cap->count1, &lnum); diff --git a/src/proto/normal.pro b/src/proto/normal.pro index 55d12bb..cc81ff9 100644 --- a/src/proto/normal.pro +++ b/src/proto/normal.pro @@ -1,4 +1,5 @@ /* normal.c */ +int check_text_or_curbuf_locked(oparg_T *oap); void init_normal_cmds(void); void normal_cmd(oparg_T *oap, int toplevel); void do_pending_operator(cmdarg_T *cap, int old_col, int gui_yank); diff --git a/src/testdir/test_substitute.vim b/src/testdir/test_substitute.vim index 9ab0adb..d78b036 100644 --- a/src/testdir/test_substitute.vim +++ b/src/testdir/test_substitute.vim @@ -565,3 +565,23 @@ func Test_sub_edit_scriptfile() bwipe! endfunc +" This was editing another file from the expression. +func Test_sub_expr_goto_other_file() + call writefile([''], 'Xfileone', 'D') + enew! + call setline(1, ['a', 'b', 'c', 'd', + \ 'Xfileone zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz']) + + func g:SplitGotoFile() + exe "sil! norm 0\gf" + return '' + endfunc + + $ + s/\%')/\=g:SplitGotoFile() + + delfunc g:SplitGotoFile + bwipe! +endfunc + + diff --git a/src/window.c b/src/window.c index 7f51c1b..82ece3e 100644 --- a/src/window.c +++ b/src/window.c @@ -478,6 +478,8 @@ newwindow: case Ctrl_F: wingotofile: CHECK_CMDWIN; + if (check_text_or_curbuf_locked(NULL)) + break; ptr = grab_file_name(Prenum1, &lnum); if (ptr != NULL) @@ -757,7 +759,7 @@ win_split(int size, int flags) * When "new_wp" is NULL: split the current window in two. * When "new_wp" is not NULL: insert this window at the far * top/left/right/bottom. - * return FAIL for failure, OK otherwise + * Return FAIL for failure, OK otherwise. */ int win_split_ins(