From: Markus Koschany <apo@debian.org>
Date: Mon, 7 Nov 2022 00:35:02 +0100
Subject: CVE-2022-3234
Origin: https://github.com/vim/vim/commit/c249913edc35c0e666d783bfc21595cf9f7d9e0d
---
src/ops.c | 12 ++++++++++--
src/testdir/test_virtualedit.vim | 14 ++++++++++++++
2 files changed, 24 insertions(+), 2 deletions(-)
diff --git a/src/ops.c b/src/ops.c
index 84b5f90..c2319b1 100644
--- a/src/ops.c
+++ b/src/ops.c
@@ -2295,6 +2295,8 @@ op_replace(oparg_T *oap, int c)
while (LTOREQ_POS(curwin->w_cursor, oap->end))
{
+ int done = FALSE;
+
n = gchar_cursor();
if (n != NUL)
{
@@ -2305,6 +2307,7 @@ op_replace(oparg_T *oap, int c)
if (curwin->w_cursor.lnum == oap->end.lnum)
oap->end.col += (*mb_char2len)(c) - (*mb_char2len)(n);
replace_character(c);
+ done = TRUE;
}
else
{
@@ -2323,10 +2326,15 @@ op_replace(oparg_T *oap, int c)
if (curwin->w_cursor.lnum == oap->end.lnum)
getvpos(&oap->end, end_vcol);
}
- PBYTE(curwin->w_cursor, c);
+ // with "coladd" set may move to just after a TAB
+ if (gchar_cursor() != NUL)
+ {
+ PBYTE(curwin->w_cursor, c);
+ done = TRUE;
+ }
}
}
- else if (virtual_op && curwin->w_cursor.lnum == oap->end.lnum)
+ if (!done && virtual_op && curwin->w_cursor.lnum == oap->end.lnum)
{
int virtcols = oap->end.coladd;
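Review bot: The comment `// with "coladd" set may move to just after a TAB` above the new `gchar_cursor() != NUL` guard does not say why the write is skipped. The guard keeps `PBYTE` from storing `c` over the NUL that terminates the line, which is what the comment in the added test describes, and without that stated the check could be mistaken for redundant and dropped in a later cleanup. I would spell it out, e.g. `// With "coladd" set the cursor may now be on the NUL just after a TAB; do not overwrite the line terminator.` A short comment on `int done = FALSE;` in the first hunk, saying it records whether a character was written in this iteration, would also explain why `else if` became `if (!done && ...)`. The body of op_replace starts and ends outside these hunks.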
diff --git a/src/testdir/test_virtualedit.vim b/src/testdir/test_virtualedit.vim
index 67adede..6b8fdfd 100644
--- a/src/testdir/test_virtualedit.vim
+++ b/src/testdir/test_virtualedit.vim
@@ -73,3 +73,17 @@ func Test_edit_CTRL_G()
bwipe!
set virtualedit=
endfunc
+
+" this was replacing the NUL at the end of the line
+func Test_virtualedit_replace_after_tab()
+ new
+ s/\v/ 0
+ set ve=all
+ let @" = ''
+ sil! norm vPvr0
+
+ call assert_equal("\t0", getline(1))
+ set ve&
+ bwipe!
+endfunc
+
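Review bot: The line `s/\v/ 0` appears to depend on a literal TAB in the replacement, since the assertion expects `"\t0"`; as displayed here it is a space, which would not set up the line the fix is about. Writing it as `s/\v/\t0` keeps the TAB explicit and survives whitespace conversion when the patch is copied or backported. Separately, `sil!` hides any error from the normal-mode command and the only assertion is on the line text, so the out-of-bounds write itself is presumably only caught when the suite runs under a memory checker; a comment saying so would help whoever maintains this backport.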