From: Markus Koschany
Date: Wed, 2 Nov 2022 22:11:50 +0100
Subject: CVE_2022-1968
Origin: https://github.com/vim/vim/commit/409510c588b1eec1ae33511ae97a21eb8e110895
---
 src/search.c | 21 ++++++++++++++++++---
 src/testdir/test_tagjump.vim | 12 ++++++++++++
 2 files changed, 30 insertions(+), 3 deletions(-)

--- a/src/search.c
+++ b/src/search.c
@@ -4852,6 +4852,21 @@ linewhite(linenr_T lnum)
 #endif
 
 #if defined(FEAT_FIND_ID) || defined(PROTO)
+
+/*
+ * Get line "lnum" and copy it into "buf[LSIZE]".
+ * The copy is made because the regexp may make the line invalid when using a
+ * mark.
+ */
+    static char_u *
+get_line_and_copy(linenr_T lnum, char_u *buf)
+{
+    char_u *line = ml_get(lnum);
+
+    vim_strncpy(buf, line, LSIZE - 1);
+    return buf;
+}
+
 /*
  * Find identifiers or defines in included files.
  * If p_ic && (compl_cont_status & CONT_SOL) then ptr must be in lowercase.
@@ -4958,7 +4973,7 @@ find_pattern_in_path(
 	    end_lnum = curbuf->b_ml.ml_line_count;
 	    if (lnum > end_lnum)		/* do at least one line */
 		lnum = end_lnum;
-	    line = ml_get(lnum);
+	    line = get_line_and_copy(lnum, file_line);
 
 	    for (;;)
 	    {
@@ -5296,7 +5311,7 @@ search_line:
 		{
 		    if (lnum >= end_lnum)
 			goto exit_matched;
-		    line = ml_get(++lnum);
+		    line = get_line_and_copy(++lnum, file_line);
 		}
 		else if (vim_fgets(line = file_line, LSIZE,
 						   files[depth].fp))
@@ -5511,7 +5526,7 @@ exit_matched:
 		{
 		    if (++lnum > end_lnum)
 			break;
-		    line = ml_get(lnum);
+		    line = get_line_and_copy(lnum, file_line);
 		}
 		already = NULL;
 	    }
--- a/src/testdir/test_tagjump.vim
+++ b/src/testdir/test_tagjump.vim
@@ -372,4 +372,16 @@ func Test_getsettagstack()
   set tags&
 endfunc
 
+" this was using a line from ml_get() freed by the regexp
+func Test_isearch_copy_line()
+  new
+  norm o
+  norm 0
+  0norm o
+  sil! norm bc0
+  sil! isearch \%')
+  bwipe!
+endfunc
+
+
 " vim: shiftwidth=2 sts=2 expandtab
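Review bot: get_line_and_copy() silently truncates a buffer line longer than LSIZE - 1 bytes, whereas the ml_get() calls it replaces returned the whole line, so a match past that column in a buffer line is no longer found; this matches what the existing `vim_fgets(line = file_line, LSIZE, ...)` in the third hunk already does for lines read from files, but it is a behaviour change that the header comment should state, e.g. `* Lines longer than LSIZE - 1 bytes are truncated, as for lines read with vim_fgets().` The requirement that "buf" holds at least LSIZE bytes is only implied by the "buf[LSIZE]" wording; spelling it out as a precondition would make the contract explicit, since vim_strncpy() is passed LSIZE - 1 unconditionally. The copy is what removes the use-after-free the comment describes (the regexp may invalidate the line returned by ml_get()), so any future caller that keeps the ml_get() pointer instead of the copy would reintroduce it. The surrounding #if block and the rest of the file are outside the hunk.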
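Review bot: After the second, third and fourth hunks, "line" is meant to always point into file_line for both buffer and file lines, but nothing in find_pattern_in_path() records that invariant, so a later assignment of an ml_get() result to "line" elsewhere in the function would silently bring back the freed-line read; a comment at the first conversion would pin it down, e.g. `/* "line" must always point into file_line: the regexp may free what ml_get() returned. */`. find_pattern_in_path() starts before the second hunk and ends after the fourth, so I cannot confirm from the visible lines that no other ml_get() assignment to "line" remains in its body. As a point of style, the third hunk keeps the increment inside the argument list (`get_line_and_copy(++lnum, file_line)`) while the fourth hunk increments in the preceding condition; `++lnum;` on its own line before the call would read the same way in both places.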
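Review bot: Test_isearch_copy_line() asserts nothing and runs its commands under `sil!`, so it only catches the regression as a crash or a sanitizer/valgrind report, and a normal build where the freed memory is still readable would pass it; the comment above the function should say so, e.g. `" No assertion possible: the bug is a use-after-free, detected by crashing or under ASAN/valgrind.` Whether `sil! norm bc0` and `sil! isearch \%')` are expected to raise errors is not visible here, so the `sil!` may also be hiding an unintended failure; if the errors are expected, naming them in the comment would help. The hunk reaches the end of the file, so nothing below is cut off.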