1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
|
From: Markus Koschany <apo@debian.org>
Date: Mon, 31 Oct 2022 14:50:16 +0100
Subject: CVE-2022-1616
Origin: https://github.com/vim/vim/commit/d88934406c5375d88f8f1b65331c9f0cab68cc6c
---
src/ex_docmd.c | 4 +++-
src/testdir/test_cmdline.vim | 12 ++++++++++++
2 files changed, 15 insertions(+), 1 deletion(-)
diff --git a/src/ex_docmd.c b/src/ex_docmd.c
index 1dfa95d..bb8d719 100644
--- a/src/ex_docmd.c
+++ b/src/ex_docmd.c
@@ -3116,7 +3116,7 @@ append_command(char_u *cmd)
STRCAT(IObuff, ": ");
d = IObuff + STRLEN(IObuff);
- while (*s != NUL && d - IObuff < IOSIZE - 7)
+ while (*s != NUL && d - IObuff + 5 < IOSIZE)
{
if (enc_utf8 ? (s[0] == 0xc2 && s[1] == 0xa0) : *s == 0xa0)
{
@@ -3124,6 +3124,8 @@ append_command(char_u *cmd)
STRCPY(d, "<a0>");
d += 4;
}
+ else if (d - IObuff + (*mb_ptr2len)(s) + 1 >= IOSIZE)
+ break;
else
MB_COPY_CHAR(s, d);
}
diff --git a/src/testdir/test_cmdline.vim b/src/testdir/test_cmdline.vim
index 02eeb6b..46f18dc 100644
--- a/src/testdir/test_cmdline.vim
+++ b/src/testdir/test_cmdline.vim
@@ -609,4 +609,16 @@ func Test_cmdline_overstrike()
let &encoding = encoding_save
endfunc
+" this was going over the end of IObuff
+func Test_report_error_with_composing()
+ let caught = 'no'
+ try
+ exe repeat('0', 987) . "0\xdd\x80\xdd\x80\xdd\x80\xdd\x80"
+ catch /E492:/
+ let caught = 'yes'
+ endtry
+ call assert_equal('yes', caught)
+endfunc
+
+
set cpo&
|
