1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
|
From: Markus Koschany <apo@debian.org>
Date: Wed, 2 Nov 2022 22:07:35 +0100
Subject: CVE-2022-1898
Origin: https://github.com/vim/vim/commit/e2fa213cf571041dbd04ab0329303ffdc980678a
---
src/normal.c | 6 ++++++
src/testdir/test_tagjump.vim | 6 ++++++
src/version.c | 2 ++
3 files changed, 14 insertions(+)
--- a/src/normal.c
+++ b/src/normal.c
@@ -6426,6 +6426,11 @@ nv_brackets(cmdarg_T *cap)
clearop(cap->oap);
else
{
+ // Make a copy, if the line was changed it will be freed.
+ ptr = vim_strnsave(ptr, len);
+ if (ptr == NULL)
+ return;
+
find_pattern_in_path(ptr, 0, len, TRUE,
cap->count0 == 0 ? !isupper(cap->nchar) : FALSE,
((cap->nchar & 0xf) == ('d' & 0xf)) ? FIND_DEFINE : FIND_ANY,
@@ -6434,6 +6439,7 @@ nv_brackets(cmdarg_T *cap)
islower(cap->nchar) ? ACTION_SHOW : ACTION_GOTO,
cap->cmdchar == ']' ? curwin->w_cursor.lnum + 1 : (linenr_T)1,
(linenr_T)MAXLNUM);
+ vim_free(ptr);
curwin->w_set_curswant = TRUE;
}
}
--- a/src/testdir/test_tagjump.vim
+++ b/src/testdir/test_tagjump.vim
@@ -255,6 +255,12 @@ func Test_tagjump_etags()
call delete('Xtags')
call delete('Xmain.c')
bwipe!
+
+ new somefile
+ call setline(1, ['first line', '', '#define something 0'])
+ sil norm 0o0
+ sil! norm ]d
+ bwipe!
endfunc
" Test for getting and modifying the tag stack
--- a/src/version.c
+++ b/src/version.c
@@ -792,6 +792,8 @@ static char *(features[]) =
static int included_patches[] =
{ /* Add new patch number below this line */
/**/
+ 5024,
+/**/
4214,
/**/
4120,
|