blob: 564850b589a6ff980c75034dcd7f7d329a2fe214 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
|
From: Markus Koschany <apo@debian.org>
Date: Wed, 19 Oct 2022 20:05:49 +0200
Subject: CVE-2021-4193
Origin: https://github.com/vim/vim/commit/94f3192b03ed27474db80b4d3a409e107140738b
---
src/charset.c | 13 +++++++++----
src/testdir/test_regexp_latin.vim | 8 ++++++++
2 files changed, 17 insertions(+), 4 deletions(-)
--- a/src/charset.c
+++ b/src/charset.c
@@ -1244,10 +1244,15 @@ getvcol(
posptr = NULL; /* continue until the NUL */
else
{
- /* Special check for an empty line, which can happen on exit, when
- * ml_get_buf() always returns an empty string. */
- if (*ptr == NUL)
- pos->col = 0;
+ colnr_T i;
+
+ // In a few cases the position can be beyond the end of the line.
+ for (i = 0; i < pos->col; ++i)
+ if (ptr[i] == NUL)
+ {
+ pos->col = i;
+ break;
+ }
posptr = ptr + pos->col;
if (has_mbyte)
/* always start on the first byte */
--- a/src/testdir/test_regexp_latin.vim
+++ b/src/testdir/test_regexp_latin.vim
@@ -101,3 +101,11 @@ func Test_using_visual_position()
bwipe!
endfunc
+func Test_using_invalid_visual_position()
+ " this was going beyond the end of the line
+ new
+ exe "norm 0o000\<Esc>0\<C-V>$s0"
+ /\%V
+ bwipe!
+endfunc
+
|
