path: root/debian/patches/CVE-2023-4781-heap-buffer-overflow-in-vim_regsub_both.patch
From: Christian Brabandt <cb@256bit.org>
Date: Thu, 28 Sep 2023 13:47:03 +0000
Subject: CVE-2023-4781: heap-buffer-overflow in vim_regsub_both

Problem:  heap-buffer-overflow in vim_regsub_both
Solution: Disallow exchanging windows when textlock is active

Signed-off-by: Christian Brabandt <cb@256bit.org>

origin: https://github.com/vim/vim/commit/f6d28fe2c95c678cc3202cc5dc825a3fcc709e93.patch
bug-debian-security: https://security-tracker.debian.org/tracker/CVE-2023-4781
bug: https://huntr.dev/bounties/c867eb0a-aa8b-4946-a621-510350673883/
---
---
 src/ex_cmds.c | 3 +++
 src/version.c | 2 ++
 src/window.c  | 5 +++++
 3 files changed, 10 insertions(+)

diff --git a/src/ex_cmds.c b/src/ex_cmds.c
index e4dffdb..766cfbe 100644
--- a/src/ex_cmds.c
+++ b/src/ex_cmds.c
@@ -5604,6 +5604,9 @@ do_sub(exarg_T *eap)
 		{
 		    nmatch = curbuf->b_ml.ml_line_count - sub_firstlnum + 1;
 		    skip_match = TRUE;
+		    // safety check
+		    if (nmatch < 0)
+			goto skip;
 		}
 
 		/* Need room for:
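Review bot: The `// safety check` comment on the new `nmatch < 0` guard does not say what it protects against. From the assignment just above, `nmatch` only goes negative when `sub_firstlnum` is more than one past `curbuf->b_ml.ml_line_count`, which suggests the buffer lost lines while the substitution was in progress. I would state that in the comment, e.g. `// buffer may have shrunk during the substitute; a negative line count must not reach the size computation below`. The guard also lets `nmatch == 0` through, and whether that is safe depends on code after the hunk, so it is worth confirming. The rest of do_sub and the `skip` label are outside the hunk, so the cleanup done on that path cannot be checked here.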
diff --git a/src/version.c b/src/version.c
index d863dd1..86c3195 100644
--- a/src/version.c
+++ b/src/version.c
@@ -791,6 +791,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    1873,
 /**/
     1858,
 /**/
diff --git a/src/window.c b/src/window.c
index 82ece3e..71908f6 100644
--- a/src/window.c
+++ b/src/window.c
@@ -1604,6 +1604,11 @@ win_rotate(int upwards, int count)
 	beep_flush();
 	return;
     }
+    if (text_or_buf_locked())
+    {
+	beep_flush();
+	return;
+    }
 
 #ifdef FEAT_GUI
     need_mouse_correct = TRUE;
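Review bot: The `text_or_buf_locked()` guard sits in a hunk whose header names `win_rotate`, while the commit message says the fix is to disallow exchanging windows. The two functions probably open with near-identical `beep_flush(); return;` context, so a backport can apply with fuzz to the wrong one; please confirm against the target tree that the guard landed in the function the upstream commit patched (presumably `win_exchange`). If both paths can be reached while textlock is active, both should carry the guard. A short comment above the check, such as `// not allowed while the text or buffer is locked`, would make its purpose clear. The function body continues outside the hunk.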