blob: f3e50d5b56a82e057a9e8c87ac4fe3a53b613d80 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
|
From: Markus Koschany <apo@debian.org>
Date: Mon, 7 Nov 2022 00:48:30 +0100
Subject: CVE-2022-3324
Origin: https://github.com/vim/vim/commit/8279af514ca7e5fd3c31cf13b0864163d1a0bfeb
---
src/testdir/test_cmdline.vim | 22 ++++++++++++++++++++++
src/window.c | 5 ++++-
2 files changed, 26 insertions(+), 1 deletion(-)
--- a/src/testdir/test_cmdline.vim
+++ b/src/testdir/test_cmdline.vim
@@ -620,5 +620,27 @@ func Test_report_error_with_composing()
call assert_equal('yes', caught)
endfunc
+" This was resulting in a window with negative width.
+" The test doesn't reproduce the illegal memory access though...
+func Test_cmdwin_split_often()
+ let lines = &lines
+ let columns = &columns
+ set t_WS=
+
+ try
+ set encoding=iso8859
+ set ruler
+ winsize 0 0
+ noremap 0 H
+ sil norm 0000000q:
+ catch /E36:/
+ endtry
+
+ bwipe!
+ set encoding=utf8
+ let &lines = lines
+ let &columns = columns
+endfunc
+
set cpo&
--- a/src/window.c
+++ b/src/window.c
@@ -1945,6 +1945,8 @@ win_equal_rec(
if (hnc) /* add next_curwin size */
{
next_curwin_size -= p_wiw - (m - n);
+ if (next_curwin_size < 0)
+ next_curwin_size = 0;
new_size += next_curwin_size;
room -= new_size - next_curwin_size;
}
@@ -5899,7 +5901,8 @@ scroll_to_fraction(win_T *wp, int prev_h
void
win_new_width(win_T *wp, int width)
{
- wp->w_width = width;
+ // Should we give an error if width < 0?
+ wp->w_width = width < 0 ? 0 : width;
wp->w_lines_valid = 0;
changed_line_abv_curs_win(wp);
invalidate_botline_win(wp);
|
