path: root/debian/patches/CVE-2022-3256.patch
From 8ecfa2c56b4992c7f067b92488aa9acea5a454ad Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Wed, 21 Sep 2022 13:07:22 +0100
Subject: [PATCH] patch 9.0.0530: using freed memory when autocmd changes mark

Problem:    Using freed memory when autocmd changes mark.
Solution:   Copy the mark before editing another buffer.
---
 src/mark.c                 | 12 +++++++-----
 src/testdir/test_marks.vim | 13 +++++++++++++
 src/version.c              |  2 ++
 3 files changed, 22 insertions(+), 5 deletions(-)

diff --git a/src/mark.c b/src/mark.c
index ade5a1087b7d..584db033d3ca 100644
--- a/src/mark.c
+++ b/src/mark.c
@@ -252,17 +252,19 @@ movemark(int count)
 	    fname2fnum(jmp);
 	if (jmp->fmark.fnum != curbuf->b_fnum)
 	{
-	    /* jump to other file */
-	    if (buflist_findnr(jmp->fmark.fnum) == NULL)
+	    /* Make a copy, an autocommand may make "jmp" invalid. */
+	    fmark_T fmark = jmp->fmark;
+
+	    /* jump to the file with the mark */
+	    if (buflist_findnr(fmark.fnum) == NULL)
 	    {					     /* Skip this one .. */
 		count += count < 0 ? -1 : 1;
 		continue;
 	    }
-	    if (buflist_getfile(jmp->fmark.fnum, jmp->fmark.mark.lnum,
-							    0, FALSE) == FAIL)
+	    if (buflist_getfile(fmark.fnum, fmark.mark.lnum, 0, FALSE) == FAIL)
 		return (pos_T *)NULL;
 	    /* Set lnum again, autocommands my have changed it */
-	    curwin->w_cursor = jmp->fmark.mark;
+	    curwin->w_cursor = fmark.mark;
 	    pos = (pos_T *)-1;
 	}
 	else
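Review bot: The position restored at `curwin->w_cursor = fmark.mark;` comes from a copy taken before `buflist_getfile()` ran autocommands, so by the time it is assigned the current buffer may not be the one the mark was recorded in, and the saved lnum/col are not validated against it anywhere in this hunk. If nothing on the return path clamps it (the rest of `movemark()` and its callers lie outside the hunk), a `check_cursor();` after the assignment would keep `w_cursor` inside whatever buffer is actually current. The copy does remove every dereference of `jmp` visible after the `buflist_getfile()` call; should any later code in this function still read `jmp`, it would need the same treatment, but none is visible here. The context comment just above also has a typo worth fixing while touching these lines: `/* Set lnum again, autocommands may have changed it */`.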
diff --git a/src/testdir/test_marks.vim b/src/testdir/test_marks.vim
index 12501a3aba07..20fb3041f244 100644
--- a/src/testdir/test_marks.vim
+++ b/src/testdir/test_marks.vim
@@ -174,3 +174,16 @@ func Test_getmarklist()
   call assert_fails('mark xx', 'E488:')
   call assert_fails('mark _', 'E191:')
 endfunc
+" This was using freed memory
+func Test_jump_mark_autocmd()
+  next 00
+  edit 0
+  sargument
+  au BufEnter 0 all
+  sil norm 
+
+  au! BufEnter
+  bwipe!
+endfunc
+
+
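Review bot: The key sequence in `sil norm ` is followed by what appears to be a non-printable control character (presumably CTRL-O to jump back through the jumplist), which is invisible in the listing and easy to lose when the patch is copied or re-encoded; spelling it out as `exe "sil norm \<C-O>"` would make the reproduction explicit. A one-line comment above the autocommand, `" :all re-creates windows while BufEnter runs, freeing the jumplist entry being followed`, would tell a future reader why `au BufEnter 0 all` is the trigger rather than an arbitrary command. The `bwipe!` at the end wipes only the current buffer, so the other argument-list buffers may be left behind for later tests; if the surrounding test file does not reset state between functions (not visible in the hunk), `%bwipe!` would be the safer cleanup.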
--- a/src/version.c
+++ b/src/version.c
@@ -2619,6 +2619,7 @@
     "8.2.3409",
     "8.2.3428",
     "9.0.0490",
+    "9.0.0530",
 /**/
     NULL
 };