blob: 99b417532de4a6723b2f8f26b07efda6c1e59e7f (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
|
From: Markus Koschany <apo@debian.org>
Date: Sun, 30 Oct 2022 22:46:37 +0100
Subject: CVE-2022-1154
Origin: https://github.com/vim/vim/commit/b55986c52d4cd88a22d0b0b0e8a79547ba13e1d5
---
src/regexp.c | 8 ++++++++
src/testdir/test_regexp_latin.vim | 14 ++++++++++++++
2 files changed, 22 insertions(+)
--- a/src/regexp.c
+++ b/src/regexp.c
@@ -4322,8 +4322,16 @@ regmatch(
int mark = OPERAND(scan)[0];
int cmp = OPERAND(scan)[1];
pos_T *pos;
+ size_t col = REG_MULTI ? rex.input - rex.line : 0;
pos = getmark_buf(rex.reg_buf, mark, FALSE);
+ // Line may have been freed, get it again.
+ if (REG_MULTI)
+ {
+ rex.line = reg_getline(rex.lnum);
+ rex.input = rex.line + col;
+ }
+
if (pos == NULL /* mark doesn't exist */
|| pos->lnum <= 0 /* mark isn't set in reg_buf */
|| (pos->lnum == rex.lnum + rex.reg_firstlnum
|