summaryrefslogtreecommitdiffstats
path: root/debian/patches/CVE-2022-1154.patch
blob: 99b417532de4a6723b2f8f26b07efda6c1e59e7f (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
From: Markus Koschany <apo@debian.org>
Date: Sun, 30 Oct 2022 22:46:37 +0100
Subject: CVE-2022-1154

Origin: https://github.com/vim/vim/commit/b55986c52d4cd88a22d0b0b0e8a79547ba13e1d5
---
 src/regexp.c                      |  8 ++++++++
 src/testdir/test_regexp_latin.vim | 14 ++++++++++++++
 2 files changed, 22 insertions(+)

--- a/src/regexp.c
+++ b/src/regexp.c
@@ -4322,8 +4322,16 @@ regmatch(
 		int	mark = OPERAND(scan)[0];
 		int	cmp = OPERAND(scan)[1];
 		pos_T	*pos;
+		size_t	col = REG_MULTI ? rex.input - rex.line : 0;
 
 		pos = getmark_buf(rex.reg_buf, mark, FALSE);
+		// Line may have been freed, get it again.
+		if (REG_MULTI)
+		{
+		    rex.line = reg_getline(rex.lnum);
+		    rex.input = rex.line + col;
+		}
+
 		if (pos == NULL		     /* mark doesn't exist */
 			|| pos->lnum <= 0    /* mark isn't set in reg_buf */
 			|| (pos->lnum == rex.lnum + rex.reg_firstlnum