From 57df9e8a9f9ae1aafdde9b86b10ad907627a87dc Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Thu, 20 Jan 2022 12:10:48 +0000
Subject: [PATCH] patch 8.2.4151: reading beyond the end of a line
Problem: Reading beyond the end of a line.
Solution: For block insert only use the offset for correcting the length.
---
src/ops.c | 19 ++-----------------
src/testdir/test_visual.vim | 9 +++++++++
src/version.c | 2 ++
3 files changed, 13 insertions(+), 17 deletions(-)
Backport:
* In Debian, this patch got swapped with CVE-2022-0261 aka
9f8c304c8a390ade133bac29963dc8e56ab14cbc.
* We also backport the spaces check from
4067bd3604215b48e4b4201e28f9e401b08418e4, see #1023818.
* We also backport the expected test output from
fc6ccebea668c49e9e617e0657421b6a8ed9df1e.
* Replace expr-.. by expr-.
--- a/src/ops.c
+++ b/src/ops.c
@@ -629,24 +629,12 @@ block_insert(
}
if (has_mbyte && spaces > 0)
- {
- int off;
+ /* avoid copying part of a multi-byte character */
+ offset -= (*mb_head_off)(oldp, oldp + offset);
+
+ if (spaces < 0) // can happen when the cursor was moved
+ spaces = 0;
- /* Avoid starting halfway a multi-byte character. */
- if (b_insert)
- {
- off = (*mb_head_off)(oldp, oldp + offset + spaces);
- spaces -= off;
- count -= off;
- }
- else
- {
- // spaces fill the gap, the character that's at the edge moves
- // right
- off = (*mb_head_off)(oldp, oldp + offset);
- offset -= off;
- }
- }
// Make sure the allocated size matches what is actually copied below.
newp = alloc_check((unsigned)(STRLEN(oldp)) + spaces + s_len
+ (spaces > 0 && !bdp->is_short ? p_ts - spaces : 0)
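Review bot: On the new side `if (has_mbyte && spaces > 0)` now guards a single unbraced statement, with the comment line sitting between the condition and `offset -= (*mb_head_off)(oldp, oldp + offset);`, which is easy to misread and invites the dangling-statement mistake the next time a line is added there; I would brace it as `if (has_mbyte && spaces > 0) {` / `offset -= (*mb_head_off)(oldp, oldp + offset);` / `}` with the comment inside the braces. The `spaces < 0` clamp, which the commit message says is backported from 4067bd3604215b48e4b4201e28f9e401b08418e4, comes after that guard, so the multi-byte adjustment is skipped for negative `spaces`; that looks intentional given the `spaces > 0` condition, but a short comment stating that the clamp exists for the `alloc_check` size and the copy below (presumably) would make the ordering explicit. `block_insert` and the `alloc_check` expression continue outside the hunk.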
--- a/src/testdir/test_visual.vim
+++ b/src/testdir/test_visual.vim
@@ -417,6 +417,15 @@ func Test_visual_block_append_invalid_ch
bwipe!
endfunc
+func Test_visual_block_insert_round_off()
+ new
+ " The number of characters are tuned to fill a 4096 byte allocated block,
+ " so that valgrind reports going over the end.
+ call setline(1, ['xxxxx', repeat('0', 1350), "\t", repeat('x', 60)])
+ exe "normal gg0\<C-V>GI" . repeat('0', 1320) . "\<Esc>"
+ bwipe!
+endfunc
+
" CVE-2022-0361
func Test_visual_ex_copy_line()
new
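Review bot: Test_visual_block_insert_round_off asserts nothing about the buffer contents, so in a plain test run it passes whether or not the block insert is correct; only a run under valgrind, as the comment says, catches the over-read this patch fixes. A check such as `call assert_equal(repeat('0', 1320) . 'xxxxx', getline(1))`, assuming the `gg0\<C-V>GI` selection prefixes every line as the test appears to intend, would make a regression visible without the memory checker. The comment's grammar could also be tightened to `" The number of characters is tuned to fill a 4096 byte allocated block,`.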
--- a/src/testdir/test_utf8.vim
+++ b/src/testdir/test_utf8.vim
@@ -6,7 +6,7 @@ func Test_visual_block_insert()
new
call setline(1, ["aaa", "あああ", "bbb"])
exe ":norm! gg0l\<C-V>jjIx\<Esc>"
- call assert_equal(['axaa', 'xあああ', 'bxbb'], getline(1, '$'))
+ call assert_equal(['axaa', ' xあああ', 'bxbb'], getline(1, '$'))
bwipeout!
endfunc
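Review bot: The new expected value `' xあああ'` differs from the old one only by a leading space, which a reader will easily take for a typo rather than the behaviour change the commit message describes as the backported spaces check; a one-line comment above the assert would document that it is deliberate. Something like `" The block starts inside the double-width character, so a space fills the gap before 'x'` would do, with the caveat that the padding reason is inferred from the commit message and not visible in this hunk. Test_visual_block_insert's `func` line is outside the hunk.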
--- a/src/version.c
+++ b/src/version.c
@@ -798,6 +798,10 @@ static int included_patches[] =
/**/
4214,
/**/
+ 4152,
+/**/
+ 4151,
+/**/
4120,
/**/
1401,