summaryrefslogtreecommitdiffstats
path: root/debian/patches/CVE-2022-0417.patch
blob: d5a99e040e8ebc0543abaa9ba2b9d48948e3ccce (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
From: Markus Koschany <apo@debian.org>
Date: Wed, 26 Oct 2022 23:26:57 +0200
Subject: CVE-2022-0417

Origin: https://github.com/vim/vim/commit/652dee448618589de5528a9e9a36995803f5557a
---
 src/option.c                 | 16 +++++++++-------
 src/testdir/test_options.vim |  2 ++
 src/vim.h                    |  2 ++
 3 files changed, 13 insertions(+), 7 deletions(-)

diff --git a/src/option.c b/src/option.c
index 12d903f..f7643eb 100644
--- a/src/option.c
+++ b/src/option.c
@@ -9371,6 +9371,11 @@ set_num_option(
 	errmsg = e_positive;
 	curbuf->b_p_ts = 8;
     }
+    else if (curbuf->b_p_ts > TABSTOP_MAX)
+    {
+	errmsg = e_invarg;
+	curbuf->b_p_ts = 8;
+    }
     if (p_tm < 0)
     {
 	errmsg = e_positive;
@@ -11397,7 +11402,7 @@ buf_copy_options(buf_T *buf, int flags)
 	    if (p_vsts && p_vsts != empty_option)
 		(void)tabstop_set(p_vsts, &buf->b_p_vsts_array);
 	    else
-		buf->b_p_vsts_array = 0;
+		buf->b_p_vsts_array = NULL;
 	    buf->b_p_vsts_nopaste = p_vsts_nopaste
 				 ? vim_strsave(p_vsts_nopaste) : NULL;
 #endif
@@ -12384,9 +12389,7 @@ paste_option_changed(void)
 	    if (buf->b_p_vsts)
 		free_string_option(buf->b_p_vsts);
 	    buf->b_p_vsts = empty_option;
-	    if (buf->b_p_vsts_array)
-		vim_free(buf->b_p_vsts_array);
-	    buf->b_p_vsts_array = 0;
+	    VIM_CLEAR(buf->b_p_vsts_array);
 #endif
 	}
 
@@ -12432,12 +12435,11 @@ paste_option_changed(void)
 		free_string_option(buf->b_p_vsts);
 	    buf->b_p_vsts = buf->b_p_vsts_nopaste
 			 ? vim_strsave(buf->b_p_vsts_nopaste) : empty_option;
-	    if (buf->b_p_vsts_array)
-		vim_free(buf->b_p_vsts_array);
+	    vim_free(buf->b_p_vsts_array);
 	    if (buf->b_p_vsts && buf->b_p_vsts != empty_option)
 		(void)tabstop_set(buf->b_p_vsts, &buf->b_p_vsts_array);
 	    else
-		buf->b_p_vsts_array = 0;
+		buf->b_p_vsts_array = NULL;
 #endif
 	}
 
diff --git a/src/testdir/test_options.vim b/src/testdir/test_options.vim
index 83b315d..50aae7c 100644
--- a/src/testdir/test_options.vim
+++ b/src/testdir/test_options.vim
@@ -234,6 +234,8 @@ func Test_set_errors()
   call assert_fails('set shiftwidth=-1', 'E487:')
   call assert_fails('set sidescroll=-1', 'E487:')
   call assert_fails('set tabstop=-1', 'E487:')
+  call assert_fails('set tabstop=10000', 'E474:')
+  call assert_fails('set tabstop=5500000000', 'E474:')
   call assert_fails('set textwidth=-1', 'E487:')
   call assert_fails('set timeoutlen=-1', 'E487:')
   call assert_fails('set updatecount=-1', 'E487:')
diff --git a/src/vim.h b/src/vim.h
index 7ee164a..dfc96bc 100644
--- a/src/vim.h
+++ b/src/vim.h
@@ -1988,6 +1988,8 @@ typedef int sock_T;
 #define VAR_TYPE_CHANNEL    9
 #define VAR_TYPE_BLOB	    10
 
+#define TABSTOP_MAX 9999
+
 #ifdef FEAT_CLIPBOARD
 
 /* VIM_ATOM_NAME is the older Vim-specific selection type for X11.  Still