From: Markus Koschany
Date: Sun, 11 Jun 2023 13:58:23 +0200
Subject: CVE-2023-2610
Bug-Debian: https://bugs.debian.org/1035955
Origin: https://github.com/vim/vim/commit/ab9a2d884b3a4abe319606ea95a5a6d6b01cd73a
---
 src/regexp.c | 29 ++++++++++++++++++-----------
 1 file changed, 18 insertions(+), 11 deletions(-)

diff --git a/src/regexp.c b/src/regexp.c
index 6939fd1..5630364 100644
--- a/src/regexp.c
+++ b/src/regexp.c
@@ -7150,10 +7150,7 @@ do_Lower(int *d, int c)
 regtilde(char_u *source, int magic)
 {
     char_u *newsub = source;
-    char_u *tmpsub;
     char_u *p;
-    int len;
-    int prevlen;
 
     for (p = newsub; *p; ++p)
     {
@@ -7162,24 +7159,34 @@ regtilde(char_u *source, int magic)
         if (reg_prev_sub != NULL)
         {
             /* length = len(newsub) - 1 + len(prev_sub) + 1 */
-            prevlen = (int)STRLEN(reg_prev_sub);
-            tmpsub = alloc((unsigned)(STRLEN(newsub) + prevlen));
+            // Avoid making the text longer than MAXCOL, it will cause
+            // trouble at some point.
+            size_t prevsublen = STRLEN(reg_prev_sub);
+            size_t newsublen = STRLEN(newsub);
+            if (prevsublen > MAXCOL || newsublen > MAXCOL
+                || newsublen + prevsublen > MAXCOL)
+            {
+                break;
+            }
+
+            char_u *tmpsub = alloc(newsublen + prevsublen);
             if (tmpsub != NULL)
             {
                 /* copy prefix */
-                len = (int)(p - newsub); /* not including ~ */
-                mch_memmove(tmpsub, newsub, (size_t)len);
+                size_t prefixlen = p - newsub; // not including ~
+                mch_memmove(tmpsub, newsub, prefixlen);
                 /* interpret tilde */
-                mch_memmove(tmpsub + len, reg_prev_sub, (size_t)prevlen);
+                mch_memmove(tmpsub + prefixlen, reg_prev_sub,
+                        prevsublen);
                 /* copy postfix */
                 if (!magic)
                     ++p; /* back off \ */
-                STRCPY(tmpsub + len + prevlen, p + 1);
+                STRCPY(tmpsub + prefixlen + prevsublen, p + 1);
 
-                if (newsub != source) /* already allocated newsub */
+                if (newsub != source) // allocated newsub before
                     vim_free(newsub);
                 newsub = tmpsub;
-                p = newsub + len + prevlen;
+                p = newsub + prefixlen + prevsublen;
             }
         }
         else if (magic)
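Review bot: The new `break` in the second hunk abandons the scan silently: once the MAXCOL guard trips, the `~` that triggered it is left literal in newsub, the `for` loop exits, and any later `~` or `\~` in the replacement is never expanded, while nothing in the hunk reports this to the caller or the user. That is a reasonable hardening trade-off for a crash fix, but it deserves a comment at the `break`, e.g. `// Give up expanding: this and any later "~" stay literal, and no error is raised here.`, so a later reader does not mistake it for an oversight. The separate `prevsublen > MAXCOL` and `newsublen > MAXCOL` tests are what keep `newsublen + prevsublen` from wrapping on a 32-bit `size_t`, which is worth a one-line comment so a cleanup does not "simplify" them down to the sum check. Whether `alloc()` in this Debian base takes `size_t` or `unsigned` is not visible here; if it is `unsigned`, the MAXCOL bound is also what makes the implicit narrowing of `newsublen + prevsublen` safe, and the comment above the guard could say so. regtilde's body continues beyond the end of the hunk.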