1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
|
From: Markus Koschany <apo@debian.org>
Date: Wed, 19 Oct 2022 19:53:49 +0200
Subject: CVE-2021-4069
Origin: https://github.com/vim/vim/commit/e031fe90cf2e375ce861ff5e5e281e4ad229ebb9
---
src/ex_docmd.c | 10 +++++++---
src/testdir/test_ex_equal.vim | 13 +++++++++++++
2 files changed, 20 insertions(+), 3 deletions(-)
--- a/src/ex_docmd.c
+++ b/src/ex_docmd.c
@@ -8659,13 +8659,17 @@ ex_open(exarg_T *eap)
regmatch.regprog = vim_regcomp(eap->arg, p_magic ? RE_MAGIC : 0);
if (regmatch.regprog != NULL)
{
+ // make a copy of the line, when searching for a mark it might be
+ // flushed
+ char_u *line = vim_strsave(ml_get_curline());
+
regmatch.rm_ic = p_ic;
- p = ml_get_curline();
- if (vim_regexec(®match, p, (colnr_T)0))
- curwin->w_cursor.col = (colnr_T)(regmatch.startp[0] - p);
+ if (vim_regexec(®match, line, (colnr_T)0))
+ curwin->w_cursor.col = (colnr_T)(regmatch.startp[0] - line);
else
emsg(_(e_nomatch));
vim_regfree(regmatch.regprog);
+ vim_free(line);
}
/* Move to the NUL, ignore any other arguments. */
eap->arg += STRLEN(eap->arg);
--- a/src/testdir/test_ex_equal.vim
+++ b/src/testdir/test_ex_equal.vim
@@ -30,3 +30,16 @@ func Test_ex_equal()
bwipe!
endfunc
+
+func Test_open_command_flush_line()
+ " this was accessing freed memory: the regexp match uses a pointer to the
+ " current line which becomes invalid when searching for the ') mark.
+ new
+ call setline(1, ['one', 'two. three'])
+ s/one/ONE
+ try
+ open /\%')/
+ catch /E479/
+ endtry
+ bwipe!
+endfunc
|
