upgrade version to 9.0

wangjiang 2022-11-03 15:03:25 +08:00
parent 1c91e07db5
commit 037eeee382
189 changed files with 18711 additions and 15212 deletions


@ -1,56 +0,0 @@
From ea3ebd50e2a4ec26ee503f352a1280e11e4af93b Mon Sep 17 00:00:00 2001
From: Zdenek Dohnal <zdohnal@redhat.com>
Date: Tue, 14 Jul 2020 12:14:03 +0200
Subject: [PATCH] if_lua.c: new Lua 5.4.0 defines luaL_typeerror, so don't
define it twice
---
src/if_lua.c | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/src/if_lua.c b/src/if_lua.c
index 9b03c97..81faf92 100644
--- a/src/if_lua.c
+++ b/src/if_lua.c
@@ -109,6 +109,9 @@ static luaV_Funcref *luaV_pushfuncref(lua_State *L, char_u *name);
#define luaL_loadbufferx dll_luaL_loadbufferx
#define luaL_argerror dll_luaL_argerror
#endif
+#if LUA_VERSION_NUM >= 504
+#define luaL_typeerror dll_luaL_typeerror
+#endif
#define luaL_checkany dll_luaL_checkany
#define luaL_checklstring dll_luaL_checklstring
#define luaL_checkinteger dll_luaL_checkinteger
@@ -203,6 +206,9 @@ int (*dll_luaL_loadfilex) (lua_State *L, const char *filename, const char *mode)
int (*dll_luaL_loadbufferx) (lua_State *L, const char *buff, size_t sz, const char *name, const char *mode);
int (*dll_luaL_argerror) (lua_State *L, int numarg, const char *extramsg);
#endif
+#if LUA_VERSION_NUM >= 504
+int (*dll_luaL_typeerror) (lua_State *L, int narg, const char *tname);
+#endif
void (*dll_luaL_checkany) (lua_State *L, int narg);
const char *(*dll_luaL_checklstring) (lua_State *L, int numArg, size_t *l);
lua_Integer (*dll_luaL_checkinteger) (lua_State *L, int numArg);
@@ -314,6 +320,9 @@ static const luaV_Reg luaV_dll[] = {
{"luaL_loadfilex", (luaV_function) &dll_luaL_loadfilex},
{"luaL_loadbufferx", (luaV_function) &dll_luaL_loadbufferx},
{"luaL_argerror", (luaV_function) &dll_luaL_argerror},
+#endif
+#if LUA_VERSION_NUM >= 504
+ {"luaL_typeerror", (luaV_function) &dll_luaL_typeerror},
#endif
{"luaL_checkany", (luaV_function) &dll_luaL_checkany},
{"luaL_checklstring", (luaV_function) &dll_luaL_checklstring},
@@ -443,7 +452,7 @@ lua_enabled(int verbose)
}
#endif
-#if LUA_VERSION_NUM > 501
+#if LUA_VERSION_NUM > 501 && LUA_VERSION_NUM < 504
static int
luaL_typeerror(lua_State *L, int narg, const char *tname)
{
--
2.23.0


@ -1,132 +0,0 @@
From 0e62a6742bca186624e97e2121c98ada30e009a0 Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Thu, 25 Feb 2021 17:17:56 +0100
Subject: [PATCH 4236/5000] patch 8.2.2550: signal stack size is wrong with
latest glibc 2.34
Problem: Signal stack size is wrong with latest glibc 2.34.
Solution: Use sysconf(_SC_SIGSTKSZ) if available. (Zdenek Dohnal, closes
#7895)
---
src/auto/configure | 24 ++++++++++++++++++++++++
src/config.h.in | 3 +++
src/configure.ac | 9 +++++++++
src/os_unix.c | 14 +++++++++++++-
4 files changed, 49 insertions(+), 1 deletion(-)
diff --git a/src/auto/configure b/src/auto/configure
index 250e5ae..8183499 100755
--- a/src/auto/configure
+++ b/src/auto/configure
@@ -13943,6 +13943,30 @@ $as_echo "not usable" >&6; }
fi
rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for _SC_SIGSTKSZ via sysconf()" >&5
+$as_echo_n "checking for _SC_SIGSTKSZ via sysconf()... " >&6; }
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h. */
+#include <unistd.h>
+int
+main ()
+{
+ (void)sysconf(_SC_SIGSTKSZ);
+
+ ;
+ return 0;
+}
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }; $as_echo "#define HAVE_SYSCONF_SIGSTKSZ 1" >>confdefs.h
+
+else
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: not usable" >&5
+$as_echo "not usable" >&6; }
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+
# The cast to long int works around a bug in the HP C Compiler
# version HP92453-01 B.11.11.23709.GP, which incorrectly rejects
# declarations like `int a3[[(sizeof (unsigned char)) >= 0]];'.
diff --git a/src/config.h.in b/src/config.h.in
index b114480..5d01e2c 100644
--- a/src/config.h.in
+++ b/src/config.h.in
@@ -496,3 +496,6 @@
/* Define to inline symbol or empty */
#undef inline
+
+/* Define if _SC_SIGSTKSZ is available via sysconf() */
+#undef HAVE_SYSCONF_SIGSTKSZ
diff --git a/src/configure.ac b/src/configure.ac
index 58bfa19..798e9b8 100644
--- a/src/configure.ac
+++ b/src/configure.ac
@@ -4105,6 +4105,15 @@ AC_TRY_COMPILE(
AC_MSG_RESULT(yes); AC_DEFINE(HAVE_SYSCONF),
AC_MSG_RESULT(not usable))
+dnl check if we have _SC_SIGSTKSZ via sysconf()
+AC_MSG_CHECKING(for _SC_SIGSTKSZ via sysconf())
+AC_TRY_COMPILE(
+[#include <unistd.h>],
+[ (void)sysconf(_SC_SIGSTKSZ);
+ ],
+ AC_MSG_RESULT(yes); AC_DEFINE(HAVE_SYSCONF_SIGSTKSZ),
+ AC_MSG_RESULT(not usable))
+
AC_CHECK_SIZEOF([int])
AC_CHECK_SIZEOF([long])
AC_CHECK_SIZEOF([time_t])
diff --git a/src/os_unix.c b/src/os_unix.c
index 1edc7e6..1c80799 100644
--- a/src/os_unix.c
+++ b/src/os_unix.c
@@ -783,7 +783,7 @@ mch_stackcheck(char *p)
* completely full.
*/
-#ifndef SIGSTKSZ
+#if !defined SIGSTKSZ && !defined(HAVE_SYSCONF_SIGSTKSZ)
# define SIGSTKSZ 8000 // just a guess of how much stack is needed...
#endif
@@ -806,13 +806,21 @@ init_signal_stack(void)
# else
sigstk.ss_sp = signal_stack;
# endif
+# ifdef HAVE_SYSCONF_SIGSTKSZ
+ sigstk.ss_size = sysconf(_SC_SIGSTKSZ);
+# else
sigstk.ss_size = SIGSTKSZ;
+# endif
sigstk.ss_flags = 0;
(void)sigaltstack(&sigstk, NULL);
# else
sigstk.ss_sp = signal_stack;
if (stack_grows_downwards)
+# ifdef HAVE_SYSCONF_SIGSTKSZ
+ sigstk.ss_sp += sysconf(_SC_SIGSTKSZ) - 1;
+# else
sigstk.ss_sp += SIGSTKSZ - 1;
+# endif
sigstk.ss_onstack = 0;
(void)sigstack(&sigstk, NULL);
# endif
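Review bot: The value returned by `sysconf(_SC_SIGSTKSZ)` is used unchecked in both branches of init_signal_stack() here and again in the mch_early_init() hunk below, where it sizes the `alloc()` for `signal_stack`. sysconf() returns -1 when the limit cannot be determined, which after conversion would become a very large `ss_size` and allocation request. Because the size is queried separately at each site, the buffer length and the `ss_size` handed to sigaltstack() match only as long as every call returns the same value. Reading it once into a file-scope variable, e.g. `long sz = sysconf(_SC_SIGSTKSZ); if (sz <= 0) sz = 8000;`, and using that variable in all three places would remove both concerns. init_signal_stack() begins and ends outside this hunk.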
@@ -3261,7 +3269,11 @@ mch_early_init(void)
* Ignore any errors.
*/
#if defined(HAVE_SIGALTSTACK) || defined(HAVE_SIGSTACK)
+# ifdef HAVE_SYSCONF_SIGSTKSZ
+ signal_stack = alloc(sysconf(_SC_SIGSTKSZ));
+# else
signal_stack = alloc(SIGSTKSZ);
+# endif
init_signal_stack();
#endif
}
--
1.8.3.1


@ -14,7 +14,7 @@ diff --git a/src/move.c b/src/move.c
index 1d7bcfb..3760042 100644
--- a/src/move.c
+++ b/src/move.c
@@ -637,7 +637,7 @@ cursor_valid(void)
@@ -652,7 +652,7 @@ cursor_valid(void)
void
validate_cursor(void)
{


@ -1,206 +0,0 @@
From b7081e135a16091c93f6f5f7525a5c58fb7ca9f9 Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Sat, 4 Sep 2021 18:47:28 +0200
Subject: [PATCH] patch 8.2.3402: invalid memory access when using :retab with
large value
Problem: Invalid memory access when using :retab with large value.
Solution: Check the number is positive.
---
src/indent.c | 34 +++++++++++++++++++++-------------
src/option.c | 12 ++++++------
src/optionstr.c | 4 ++--
src/testdir/test_retab.vim | 3 +++
src/version.c | 2 ++
5 files changed, 34 insertions(+), 21 deletions(-)
diff --git a/src/indent.c b/src/indent.c
index 32f1e12..7e196c2 100644
--- a/src/indent.c
+++ b/src/indent.c
@@ -18,18 +18,19 @@
/*
* Set the integer values corresponding to the string setting of 'vartabstop'.
* "array" will be set, caller must free it if needed.
+ * Return FAIL for an error.
*/
int
tabstop_set(char_u *var, int **array)
{
- int valcount = 1;
- int t;
- char_u *cp;
+ int valcount = 1;
+ int t;
+ char_u *cp;
if (var[0] == NUL || (var[0] == '0' && var[1] == NUL))
{
*array = NULL;
- return TRUE;
+ return OK;
}
for (cp = var; *cp != NUL; ++cp)
@@ -43,8 +44,8 @@ tabstop_set(char_u *var, int **array)
if (cp != end)
emsg(_(e_positive));
else
- emsg(_(e_invarg));
- return FALSE;
+ semsg(_(e_invarg2), cp);
+ return FAIL;
}
}
@@ -55,26 +56,33 @@ tabstop_set(char_u *var, int **array)
++valcount;
continue;
}
- emsg(_(e_invarg));
- return FALSE;
+ semsg(_(e_invarg2), var);
+ return FAIL;
}
*array = ALLOC_MULT(int, valcount + 1);
if (*array == NULL)
- return FALSE;
+ return FAIL;
(*array)[0] = valcount;
t = 1;
for (cp = var; *cp != NUL;)
{
- (*array)[t++] = atoi((char *)cp);
- while (*cp != NUL && *cp != ',')
+ int n = atoi((char *)cp);
+
+ if (n < 0 || n > 9999)
+ {
+ semsg(_(e_invarg2), cp);
+ return FAIL;
+ }
+ (*array)[t++] = n;
+ while (*cp != NUL && *cp != ',')
++cp;
if (*cp != NUL)
++cp;
}
- return TRUE;
+ return OK;
}
/*
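Review bot: The new range check returns FAIL after `*array` has already been allocated by `ALLOC_MULT`, so the block is neither freed nor cleared on that path. The function comment leaves freeing to the caller, but the option.c call sites in this patch discard the result with `(void)`, so they would be left holding a partly filled array whose first element still claims `valcount` entries. Adding `vim_free(*array); *array = NULL;` before that `return FAIL;` keeps this error path consistent with the earlier ones, which return before anything is allocated. Separately, `atoi()` has no defined result for input outside the range of int, which the 20-digit value in the new test exercises; `strtol()` with an ERANGE check would make that case explicit. tabstop_set() starts above this hunk.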
@@ -1556,7 +1564,7 @@ ex_retab(exarg_T *eap)
#ifdef FEAT_VARTABS
new_ts_str = eap->arg;
- if (!tabstop_set(eap->arg, &new_vts_array))
+ if (tabstop_set(eap->arg, &new_vts_array) == FAIL)
return;
while (vim_isdigit(*(eap->arg)) || *(eap->arg) == ',')
++(eap->arg);
diff --git a/src/option.c b/src/option.c
index 5c99c69..e9598d6 100644
--- a/src/option.c
+++ b/src/option.c
@@ -2292,9 +2292,9 @@ didset_options2(void)
#endif
#ifdef FEAT_VARTABS
vim_free(curbuf->b_p_vsts_array);
- tabstop_set(curbuf->b_p_vsts, &curbuf->b_p_vsts_array);
+ (void)tabstop_set(curbuf->b_p_vsts, &curbuf->b_p_vsts_array);
vim_free(curbuf->b_p_vts_array);
- tabstop_set(curbuf->b_p_vts, &curbuf->b_p_vts_array);
+ (void)tabstop_set(curbuf->b_p_vts, &curbuf->b_p_vts_array);
#endif
}
@@ -5756,7 +5756,7 @@ buf_copy_options(buf_T *buf, int flags)
buf->b_p_vsts = vim_strsave(p_vsts);
COPY_OPT_SCTX(buf, BV_VSTS);
if (p_vsts && p_vsts != empty_option)
- tabstop_set(p_vsts, &buf->b_p_vsts_array);
+ (void)tabstop_set(p_vsts, &buf->b_p_vsts_array);
else
buf->b_p_vsts_array = 0;
buf->b_p_vsts_nopaste = p_vsts_nopaste
@@ -5914,7 +5914,7 @@ buf_copy_options(buf_T *buf, int flags)
buf->b_p_isk = save_p_isk;
#ifdef FEAT_VARTABS
if (p_vts && p_vts != empty_option && !buf->b_p_vts_array)
- tabstop_set(p_vts, &buf->b_p_vts_array);
+ (void)tabstop_set(p_vts, &buf->b_p_vts_array);
else
buf->b_p_vts_array = NULL;
#endif
@@ -5929,7 +5929,7 @@ buf_copy_options(buf_T *buf, int flags)
buf->b_p_vts = vim_strsave(p_vts);
COPY_OPT_SCTX(buf, BV_VTS);
if (p_vts && p_vts != empty_option && !buf->b_p_vts_array)
- tabstop_set(p_vts, &buf->b_p_vts_array);
+ (void)tabstop_set(p_vts, &buf->b_p_vts_array);
else
buf->b_p_vts_array = NULL;
#endif
@@ -6634,7 +6634,7 @@ paste_option_changed(void)
if (buf->b_p_vsts_array)
vim_free(buf->b_p_vsts_array);
if (buf->b_p_vsts && buf->b_p_vsts != empty_option)
- tabstop_set(buf->b_p_vsts, &buf->b_p_vsts_array);
+ (void)tabstop_set(buf->b_p_vsts, &buf->b_p_vsts_array);
else
buf->b_p_vsts_array = 0;
#endif
diff --git a/src/optionstr.c b/src/optionstr.c
index 98e90a4..383babe 100644
--- a/src/optionstr.c
+++ b/src/optionstr.c
@@ -2166,7 +2166,7 @@ did_set_string_option(
if (errmsg == NULL)
{
int *oldarray = curbuf->b_p_vsts_array;
- if (tabstop_set(*varp, &(curbuf->b_p_vsts_array)))
+ if (tabstop_set(*varp, &(curbuf->b_p_vsts_array)) == OK)
{
if (oldarray)
vim_free(oldarray);
@@ -2205,7 +2205,7 @@ did_set_string_option(
{
int *oldarray = curbuf->b_p_vts_array;
- if (tabstop_set(*varp, &(curbuf->b_p_vts_array)))
+ if (tabstop_set(*varp, &(curbuf->b_p_vts_array)) == OK)
{
vim_free(oldarray);
#ifdef FEAT_FOLDING
diff --git a/src/testdir/test_retab.vim b/src/testdir/test_retab.vim
index f11a32b..e7b8946 100644
--- a/src/testdir/test_retab.vim
+++ b/src/testdir/test_retab.vim
@@ -74,4 +74,7 @@ endfunc
func Test_retab_error()
call assert_fails('retab -1', 'E487:')
call assert_fails('retab! -1', 'E487:')
+ call assert_fails('ret -1000', 'E487:')
+ call assert_fails('ret 10000', 'E475:')
+ call assert_fails('ret 80000000000000000000', 'E475:')
endfunc
diff --git a/src/version.c b/src/version.c
index 3ef6259..8912f62 100644
--- a/src/version.c
+++ b/src/version.c
@@ -743,6 +743,8 @@ static char *(features[]) =
static int included_patches[] =
{ /* Add new patch number below this line */
/**/
+ 3402,
+/**/
0
};
--
1.8.3.1


@ -1,46 +0,0 @@
From 65b605665997fad54ef39a93199e305af2fe4d7f Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Tue, 7 Sep 2021 19:26:53 +0200
Subject: [PATCH] patch 8.2.3409: reading beyond end of line with invalid utf-8
character
Problem: Reading beyond end of line with invalid utf-8 character.
Solution: Check for NUL when advancing.
---
src/regexp_nfa.c | 3 ++-
src/testdir/test_regexp_utf8.vim | 8 ++++++++
2 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/src/regexp_nfa.c b/src/regexp_nfa.c
index fb512f9..bc4a4b6 100644
--- a/src/regexp_nfa.c
+++ b/src/regexp_nfa.c
@@ -5455,7 +5455,8 @@ find_match_text(colnr_T startcol, int regstart, char_u *match_text)
match = FALSE;
break;
}
- len2 += MB_CHAR2LEN(c2);
+ len2 += enc_utf8 ? utf_ptr2len(rex.line + col + len2)
+ : MB_CHAR2LEN(c2);
}
if (match
// check that no composing char follows
diff --git a/src/testdir/test_regexp_utf8.vim b/src/testdir/test_regexp_utf8.vim
index 19ff882..6d0ce59 100644
--- a/src/testdir/test_regexp_utf8.vim
+++ b/src/testdir/test_regexp_utf8.vim
@@ -215,3 +215,11 @@ func Test_optmatch_toolong()
set re=0
endfunc
+func Test_match_invalid_byte()
+ call writefile(0z630a.765d30aa0a.2e0a.790a.4030, 'Xinvalid')
+ new
+ source Xinvalid
+ bwipe!
+ call delete('Xinvalid')
+endfunc
+
--
1.8.3.1


@ -1,67 +0,0 @@
From 35a9a00afcb20897d462a766793ff45534810dc3 Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Sat, 11 Sep 2021 21:14:20 +0200
Subject: [PATCH] patch 8.2.3428: using freed memory when replacing
Problem: Using freed memory when replacing. (Dhiraj Mishra)
Solution: Get the line pointer after calling ins_copychar().
---
src/normal.c | 10 +++++++---
src/testdir/test_edit.vim | 13 +++++++++++++
2 files changed, 20 insertions(+), 3 deletions(-)
diff --git a/src/normal.c b/src/normal.c
index c4963e6..d6333b9 100644
--- a/src/normal.c
+++ b/src/normal.c
@@ -5009,19 +5009,23 @@ nv_replace(cmdarg_T *cap)
{
/*
* Get ptr again, because u_save and/or showmatch() will have
- * released the line. At the same time we let know that the
- * line will be changed.
+ * released the line. This may also happen in ins_copychar().
+ * At the same time we let know that the line will be changed.
*/
- ptr = ml_get_buf(curbuf, curwin->w_cursor.lnum, TRUE);
if (cap->nchar == Ctrl_E || cap->nchar == Ctrl_Y)
{
int c = ins_copychar(curwin->w_cursor.lnum
+ (cap->nchar == Ctrl_Y ? -1 : 1));
+
+ ptr = ml_get_buf(curbuf, curwin->w_cursor.lnum, TRUE);
if (c != NUL)
ptr[curwin->w_cursor.col] = c;
}
else
+ {
+ ptr = ml_get_buf(curbuf, curwin->w_cursor.lnum, TRUE);
ptr[curwin->w_cursor.col] = cap->nchar;
+ }
if (p_sm && msg_silent == 0)
showmatch(cap->nchar);
++curwin->w_cursor.col;
diff --git a/src/testdir/test_edit.vim b/src/testdir/test_edit.vim
index 4e29e7f..c3b1af5 100644
--- a/src/testdir/test_edit.vim
+++ b/src/testdir/test_edit.vim
@@ -1519,3 +1519,16 @@ func Test_edit_noesckeys()
bwipe!
set esckeys
endfunc
+
+" Test for getting the character of the line below after "p"
+func Test_edit_put_CTRL_E()
+ set encoding=latin1
+ new
+ let @" = ''
+ sil! norm orggRx
+ sil! norm pr
+ call assert_equal(['r', 'r'], getline(1, 2))
+ bwipe!
+ set encoding=utf-8
+endfunc
+
--
1.8.3.1


@ -1,70 +0,0 @@
From 826bfe4bbd7594188e3d74d2539d9707b1c6a14b Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Fri, 8 Oct 2021 18:39:28 +0100
Subject: [PATCH] patch 8.2.3487: illegal memory access if buffer name is very
long
Problem: Illegal memory access if buffer name is very long.
Solution: Make sure not to go over the end of the buffer.
---
src/drawscreen.c | 10 +++++-----
src/testdir/test_statusline.vim | 10 ++++++++++
2 files changed, 15 insertions(+), 5 deletions(-)
diff --git a/src/drawscreen.c b/src/drawscreen.c
index 3a88ee9..9acb705 100644
--- a/src/drawscreen.c
+++ b/src/drawscreen.c
@@ -446,13 +446,13 @@ win_redr_status(win_T *wp, int ignore_pum UNUSED)
*(p + len++) = ' ';
if (bt_help(wp->w_buffer))
{
- STRCPY(p + len, _("[Help]"));
+ vim_snprintf((char *)p + len, MAXPATHL - len, "%s", _("[Help]"));
len += (int)STRLEN(p + len);
}
#ifdef FEAT_QUICKFIX
if (wp->w_p_pvw)
{
- STRCPY(p + len, _("[Preview]"));
+ vim_snprintf((char *)p + len, MAXPATHL - len, "%s", _("[Preview]"));
len += (int)STRLEN(p + len);
}
#endif
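Review bot: The size passed to vim_snprintf(), `MAXPATHL - len`, is only meaningful while `len` is below MAXPATHL, and nothing visible in the hunk establishes that after `*(p + len++) = ' ';`. If `len` equals MAXPATHL at that point the size is zero, nothing is written, and the following `STRLEN(p + len)` starts reading at a position that was never NUL-terminated. Whether `len` is bounded earlier in win_redr_status() cannot be seen from here, so this is worth confirming; a guard such as `if (len < MAXPATHL - 1)` around the suffix appends would make the invariant local. The same pattern repeats for `[+]` and `[RO]` in the next hunk.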
@@ -462,12 +462,12 @@ win_redr_status(win_T *wp, int ignore_pum UNUSED)
#endif
)
{
- STRCPY(p + len, "[+]");
- len += 3;
+ vim_snprintf((char *)p + len, MAXPATHL - len, "%s", "[+]");
+ len += (int)STRLEN(p + len);
}
if (wp->w_buffer->b_p_ro)
{
- STRCPY(p + len, _("[RO]"));
+ vim_snprintf((char *)p + len, MAXPATHL - len, "%s", _("[RO]"));
len += (int)STRLEN(p + len);
}
diff --git a/src/testdir/test_statusline.vim b/src/testdir/test_statusline.vim
index 1f705b8..febb5d6 100644
--- a/src/testdir/test_statusline.vim
+++ b/src/testdir/test_statusline.vim
@@ -393,3 +393,13 @@ func Test_statusline_visual()
bwipe! x1
bwipe! x2
endfunc
+
+" Used to write beyond allocated memory. This assumes MAXPATHL is 4096 bytes.
+func Test_statusline_verylong_filename()
+ let fname = repeat('x', 4090)
+ exe "new " .. fname
+ set buftype=help
+ set previewwindow
+ redraw
+ bwipe!
+endfunc
--
2.27.0


@ -1,54 +0,0 @@
From 35a319b77f897744eec1155b736e9372c9c5575f Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Sat, 9 Oct 2021 13:58:55 +0100
Subject: [PATCH] patch 8.2.3489: ml_get error after search with range
Problem: ml_get error after search with range.
Solution: Limit the line number to the buffer line count.
---
src/ex_docmd.c | 6 ++++--
src/testdir/test_search.vim | 14 ++++++++++++++
2 files changed, 18 insertions(+), 2 deletions(-)
diff --git a/src/ex_docmd.c b/src/ex_docmd.c
index 76daf43..12554fa 100644
--- a/src/ex_docmd.c
+++ b/src/ex_docmd.c
@@ -3586,8 +3586,10 @@ get_address(
// When '/' or '?' follows another address, start from
// there.
- if (lnum != MAXLNUM)
- curwin->w_cursor.lnum = lnum;
+ if (lnum > 0 && lnum != MAXLNUM)
+ curwin->w_cursor.lnum =
+ lnum > curbuf->b_ml.ml_line_count
+ ? curbuf->b_ml.ml_line_count : lnum;
// Start a forward search at the end of the line (unless
// before the first line).
diff --git a/src/testdir/test_search.vim b/src/testdir/test_search.vim
index 1876713..ac0881c 100644
--- a/src/testdir/test_search.vim
+++ b/src/testdir/test_search.vim
@@ -1366,3 +1366,17 @@ func Test_searchdecl()
bwipe!
endfunc
+
+func Test_search_with_invalid_range()
+ new
+ let lines =<< trim END
+ /\%.v
+ 5/
+ c
+ END
+ call writefile(lines, 'Xrangesearch')
+ source Xrangesearch
+
+ bwipe!
+ call delete('Xrangesearch')
+endfunc
--
2.27.0


@ -1,78 +0,0 @@
From 777e7c21b7627be80961848ac560cb0a9978ff43 Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Mon, 25 Oct 2021 17:07:04 +0100
Subject: [PATCH] patch 8.2.3564: invalid memory access when scrolling without
valid screen
Problem: Invalid memory access when scrolling without a valid screen.
Solution: Do not set VALID_BOTLINE in w_valid.
---
src/move.c | 1 -
src/testdir/test_normal.vim | 22 +++++++++++++++++++---
2 files changed, 19 insertions(+), 4 deletions(-)
diff --git a/src/move.c b/src/move.c
index 8e53d8b..10165ef 100644
--- a/src/move.c
+++ b/src/move.c
@@ -198,7 +198,6 @@ update_topline(void)
{
curwin->w_topline = curwin->w_cursor.lnum;
curwin->w_botline = curwin->w_topline;
- curwin->w_valid |= VALID_BOTLINE|VALID_BOTLINE_AP;
curwin->w_scbind_pos = 1;
return;
}
diff --git a/src/testdir/test_normal.vim b/src/testdir/test_normal.vim
index d45cf41..1f0088a 100644
--- a/src/testdir/test_normal.vim
+++ b/src/testdir/test_normal.vim
@@ -33,14 +33,14 @@ func CountSpaces(type, ...)
else
silent exe "normal! `[v`]y"
endif
- let g:a=strlen(substitute(@@, '[^ ]', '', 'g'))
+ let g:a = strlen(substitute(@@, '[^ ]', '', 'g'))
let &selection = sel_save
let @@ = reg_save
endfunc
func OpfuncDummy(type, ...)
" for testing operatorfunc
- let g:opt=&linebreak
+ let g:opt = &linebreak
if a:0 " Invoked from Visual mode, use gv command.
silent exe "normal! gvy"
@@ -51,7 +51,7 @@ func OpfuncDummy(type, ...)
endif
" Create a new dummy window
new
- let g:bufnr=bufnr('%')
+ let g:bufnr = bufnr('%')
endfunc
fun! Test_normal00_optrans()
@@ -2705,3 +2705,19 @@ func Test_normal_gk()
bw!
set cpoptions& number& numberwidth&
endfunc
+
+func Test_scroll_in_ex_mode()
+ " This was using invalid memory because w_botline was invalid.
+ let lines =<< trim END
+ diffsplit
+ norm os00(
+ call writefile(['done'], 'Xdone')
+ qa!
+ END
+ call writefile(lines, 'Xscript')
+ call assert_equal(1, RunVim([], [], '--clean -X -Z -e -s -S Xscript'))
+ call assert_equal(['done'], readfile('Xdone'))
+
+ call delete('Xscript')
+ call delete('Xdone')
+endfunc
--
1.8.3.1


@ -1,44 +0,0 @@
From 0b5b06cb4777d1401fdf83e7d48d287662236e7e Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Thu, 4 Nov 2021 15:10:11 +0000
Subject: [PATCH] patch 8.2.3581: reading character past end of line
Problem: Reading character past end of line.
Solution: Correct the cursor column.
---
src/ex_docmd.c | 1 +
src/testdir/test_put.vim | 9 +++++++++
2 files changed, 10 insertions(+)
diff --git a/src/ex_docmd.c b/src/ex_docmd.c
index 12554fa..203174a 100644
--- a/src/ex_docmd.c
+++ b/src/ex_docmd.c
@@ -6906,6 +6906,7 @@ ex_put(exarg_T *eap)
eap->forceit = TRUE;
}
curwin->w_cursor.lnum = eap->line2;
+ check_cursor_col();
do_put(eap->regname, eap->forceit ? BACKWARD : FORWARD, 1L,
PUT_LINE|PUT_CURSLINE);
}
diff --git a/src/testdir/test_put.vim b/src/testdir/test_put.vim
index 225ebd1..f5037dc 100644
--- a/src/testdir/test_put.vim
+++ b/src/testdir/test_put.vim
@@ -113,3 +113,12 @@ func Test_put_p_indent_visual()
call assert_equal('select that text', getline(2))
bwipe!
endfunc
+
+func Test_put_above_first_line()
+ new
+ let @" = 'text'
+ silent! normal 0o00
+ 0put
+ call assert_equal('text', getline(1))
+ bwipe!
+endfunc
--
1.8.3.1


@ -1,48 +0,0 @@
From 15d9890eee53afc61eb0a03b878a19cb5672f732 Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Thu, 4 Nov 2021 15:46:05 +0000
Subject: [PATCH] patch 8.2.3582: reading uninitialized memory when giving
spell suggestions
Problem: Reading uninitialized memory when giving spell suggestions.
Solution: Check that preword is not empty.
---
src/spellsuggest.c | 2 +-
src/testdir/test_spell.vim | 8 ++++++++
2 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/src/spellsuggest.c b/src/spellsuggest.c
index 9d6df79..8615d52 100644
--- a/src/spellsuggest.c
+++ b/src/spellsuggest.c
@@ -1600,7 +1600,7 @@ suggest_trie_walk(
// char, e.g., "thes," -> "these".
p = fword + sp->ts_fidx;
MB_PTR_BACK(fword, p);
- if (!spell_iswordp(p, curwin))
+ if (!spell_iswordp(p, curwin) && *preword != NUL)
{
p = preword + STRLEN(preword);
MB_PTR_BACK(preword, p);
diff --git a/src/testdir/test_spell.vim b/src/testdir/test_spell.vim
index 79fb892..e435e91 100644
--- a/src/testdir/test_spell.vim
+++ b/src/testdir/test_spell.vim
@@ -498,6 +498,14 @@ func Test_spell_screendump()
call delete('XtestSpell')
endfunc
+func Test_spell_single_word()
+ new
+ silent! norm 0R00
+ spell! ßÂ
+ silent 0norm 0r$ Dvz=
+ bwipe!
+endfunc
+
let g:test_data_aff1 = [
\"SET ISO8859-1",
\"TRY esianrtolcdugmphbyfvkwjkqxz-\xEB\xE9\xE8\xEA\xEF\xEE\xE4\xE0\xE2\xF6\xFC\xFB'ESIANRTOLCDUGMPHBYFVKWJKQXZ",
--
1.8.3.1


@ -1,79 +0,0 @@
From 615ddd5342b50a6878a907062aa471740bd9a847 Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Wed, 17 Nov 2021 18:00:31 +0000
Subject: [PATCH] patch 8.2.3611: crash when using CTRL-W f without finding a
file name
Problem: Crash when using CTRL-W f without finding a file name.
Solution: Bail out when the file name length is zero.
Reference:https://github.com/vim/vim/commit/615ddd5342b50a6878a907062aa471740bd9a847
---
src/findfile.c | 8 ++++++++
src/normal.c | 6 ++++--
src/testdir/test_visual.vim | 8 ++++++++
3 files changed, 20 insertions(+), 2 deletions(-)
diff --git a/src/findfile.c b/src/findfile.c
index ba996c4..7a4dfe5 100644
--- a/src/findfile.c
+++ b/src/findfile.c
@@ -1727,6 +1727,9 @@ find_file_in_path_option(
proc->pr_WindowPtr = (APTR)-1L;
# endif
+ if (len == 0)
+ return NULL;
+
if (first == TRUE)
{
// copy file name into NameBuff, expanding environment variables
@@ -2103,7 +2106,12 @@ find_file_name_in_path(
int c;
# if defined(FEAT_FIND_ID) && defined(FEAT_EVAL)
char_u *tofree = NULL;
+# endif
+ if (len == 0)
+ return NULL;
+
+# if defined(FEAT_FIND_ID) && defined(FEAT_EVAL)
if ((options & FNAME_INCL) && *curbuf->b_p_inex != NUL)
{
tofree = eval_includeexpr(ptr, len);
diff --git a/src/normal.c b/src/normal.c
index d6333b9..e9e587d 100644
--- a/src/normal.c
+++ b/src/normal.c
@@ -3778,8 +3778,10 @@ get_visual_text(
*pp = ml_get_pos(&VIsual);
*lenp = curwin->w_cursor.col - VIsual.col + 1;
}
- if (has_mbyte)
- // Correct the length to include the whole last character.
+ if (**pp == NUL)
+ *lenp = 0;
+ if (has_mbyte && *lenp > 0)
+ // Correct the length to include all bytes of the last character.
*lenp += (*mb_ptr2len)(*pp + (*lenp - 1)) - 1;
}
reset_VIsual_and_resel();
diff --git a/src/testdir/test_visual.vim b/src/testdir/test_visual.vim
index ae28123..0705fdb 100644
--- a/src/testdir/test_visual.vim
+++ b/src/testdir/test_visual.vim
@@ -894,4 +894,12 @@ func Test_block_insert_replace_tabs()
bwipe!
endfunc
+func Test_visual_block_ctrl_w_f()
+ " Emtpy block selected in new buffer should not result in an error.
+ au! BufNew foo sil norm f
+ edit foo
+
+ au! BufNew
+endfunc
+
" vim: shiftwidth=2 sts=2 expandtab
--
2.23.0


@ -1,67 +0,0 @@
From 64066b9acd9f8cffdf4840f797748f938a13f2d6 Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Wed, 17 Nov 2021 18:22:56 +0000
Subject: [PATCH] patch 8.2.3612: using freed memory with regexp using a mark
Problem: Using freed memory with regexp using a mark.
Solution: Get the line again after getting the mark position.
Reference:https://github.com/vim/vim/commit/64066b9acd9f8cffdf4840f797748f938a13f2d6
---
src/regexp.c | 2 +-
src/regexp_nfa.c | 8 ++++++++
src/testdir/test_regexp_latin.vim | 8 ++++++++
3 files changed, 17 insertions(+), 1 deletion(-)
diff --git a/src/regexp.c b/src/regexp.c
index 112f753..2e94e5a 100644
--- a/src/regexp.c
+++ b/src/regexp.c
@@ -1092,7 +1092,7 @@ typedef struct {
// The current match-position is stord in these variables:
linenr_T lnum; // line number, relative to first line
char_u *line; // start of current line
- char_u *input; // current input, points into "regline"
+ char_u *input; // current input, points into "line"
int need_clear_subexpr; // subexpressions still need to be cleared
#ifdef FEAT_SYN_HL
diff --git a/src/regexp_nfa.c b/src/regexp_nfa.c
index bc4a4b6..433523e 100644
--- a/src/regexp_nfa.c
+++ b/src/regexp_nfa.c
@@ -6623,8 +6623,16 @@ nfa_regmatch(
case NFA_MARK_GT:
case NFA_MARK_LT:
{
+ size_t col = rex.input - rex.line;
pos_T *pos = getmark_buf(rex.reg_buf, t->state->val, FALSE);
+ // Line may have been freed, get it again.
+ if (REG_MULTI)
+ {
+ rex.line = reg_getline(rex.lnum);
+ rex.input = rex.line + col;
+ }
+
// Compare the mark position to the match position.
result = (pos != NULL // mark doesn't exist
&& pos->lnum > 0 // mark isn't set in reg_buf
diff --git a/src/testdir/test_regexp_latin.vim b/src/testdir/test_regexp_latin.vim
index 7a4d98f..3168edc 100644
--- a/src/testdir/test_regexp_latin.vim
+++ b/src/testdir/test_regexp_latin.vim
@@ -141,3 +141,11 @@ func Test_pattern_compile_speed()
call assert_inrange(0.01, 10.0, reltimefloat(reltime(start)))
set spc=
endfunc
+
+func Test_using_mark_position()
+ " this was using freed memory
+ new
+ norm O0
+ call assert_fails("s/\\%')", 'E486:')
+ bwipe!
+endfunc
--
2.23.0


@ -1,64 +0,0 @@
From 2de9b7c7c8791da8853a9a7ca9c467867465b655 Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Fri, 19 Nov 2021 19:41:13 +0000
Subject: [PATCH] patch 8.2.3625: illegal memory access when C-indenting
Problem: Illegal memory access when C-indenting.
Solution: Also set the cursor column.
---
src/cindent.c | 10 +++++-----
src/testdir/test_cindent.vim | 12 ++++++++++++
2 files changed, 17 insertions(+), 5 deletions(-)
diff --git a/src/cindent.c b/src/cindent.c
index c7caed6..28d1558 100644
--- a/src/cindent.c
+++ b/src/cindent.c
@@ -1635,10 +1635,10 @@ get_baseclass_amount(int col)
static pos_T *
find_start_brace(void) // XXX
{
- pos_T cursor_save;
- pos_T *trypos;
- pos_T *pos;
- static pos_T pos_copy;
+ pos_T cursor_save;
+ pos_T *trypos;
+ pos_T *pos;
+ static pos_T pos_copy;
cursor_save = curwin->w_cursor;
while ((trypos = findmatchlimit(NULL, '{', FM_BLOCKSTOP, 0)) != NULL)
@@ -1652,7 +1652,7 @@ find_start_brace(void) // XXX
&& (pos = ind_find_start_CORS(NULL)) == NULL) // XXX
break;
if (pos != NULL)
- curwin->w_cursor.lnum = pos->lnum;
+ curwin->w_cursor = *pos;
}
curwin->w_cursor = cursor_save;
return trypos;
diff --git a/src/testdir/test_cindent.vim b/src/testdir/test_cindent.vim
index 2cb3f24..2a87460 100644
--- a/src/testdir/test_cindent.vim
+++ b/src/testdir/test_cindent.vim
@@ -5251,4 +5251,16 @@ func Test_cindent_56()
enew! | close
endfunc
+func Test_find_brace_backwards()
+ " this was looking beyond the end of the line
+ new
+ norm R/*
+ norm o0{
+ norm o//
+ norm V{=
+ call assert_equal(['/*', ' 0{', '//'], getline(1, 3))
+ bwipe!
+endfunc
+
+
" vim: shiftwidth=2 sts=2 expandtab
--
1.8.3.1


@ -1,45 +0,0 @@
From bd228fd097b41a798f90944b5d1245eddd484142 Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Thu, 25 Nov 2021 10:50:12 +0000
Subject: [PATCH] patch 8.2.3669: buffer overflow with long help argument
Problem: Buffer overflow with long help argument.
Solution: Use snprintf().
---
src/ex_cmds.c | 3 +--
src/testdir/test_help.vim | 8 ++++++++
2 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/src/ex_cmds.c b/src/ex_cmds.c
index 45c733b..8f6444f 100644
--- a/src/ex_cmds.c
+++ b/src/ex_cmds.c
@@ -5436,8 +5436,7 @@ find_help_tags(
|| (vim_strchr((char_u *)"%_z@", arg[1]) != NULL
&& arg[2] != NUL)))
{
- STRCPY(d, "/\\\\");
- STRCPY(d + 3, arg + 1);
+ vim_snprintf((char *)d, IOSIZE, "/\\\\%s", arg + 1);
// Check for "/\\_$", should be "/\\_\$"
if (d[3] == '_' && d[4] == '$')
STRCPY(d + 4, "\\$");
diff --git a/src/testdir/test_help.vim b/src/testdir/test_help.vim
index 5dd937a..c2aeb1f 100644
--- a/src/testdir/test_help.vim
+++ b/src/testdir/test_help.vim
@@ -55,3 +55,11 @@ func Test_help_local_additions()
call delete('Xruntime', 'rf')
let &rtp = rtp_save
endfunc
+
+func Test_help_long_argument()
+ try
+ exe 'help \%' .. repeat('0', 1021)
+ catch
+ call assert_match("E149:", v:exception)
+ endtry
+endfunc
--
1.8.3.1


@ -1,56 +0,0 @@
From e031fe90cf2e375ce861ff5e5e281e4ad229ebb9 Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Sun, 5 Dec 2021 12:06:24 +0000
Subject: [PATCH] patch 8.2.3741: using freed memory in open command
Problem: Using freed memory in open command.
Solution: Make a copy of the current line.
Reference:https://github.com/vim/vim/commit/e031fe90cf2e375ce861ff5e5e281e4ad229ebb9
Conflict:src/testdir/test_ex_mode.vim, The current version does not exist and therefore does not fit into this test case
---
src/ex_docmd.c | 10 +++++++---
src/version.c | 2 ++
2 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/src/ex_docmd.c b/src/ex_docmd.c
index 203174a..cb6b64a 100644
--- a/src/ex_docmd.c
+++ b/src/ex_docmd.c
@@ -6030,13 +6030,17 @@ ex_open(exarg_T *eap)
regmatch.regprog = vim_regcomp(eap->arg, p_magic ? RE_MAGIC : 0);
if (regmatch.regprog != NULL)
{
+ // make a copy of the line, when searching for a mark it might be
+ // flushed
+ char_u *line = vim_strsave(ml_get_curline());
+
regmatch.rm_ic = p_ic;
- p = ml_get_curline();
- if (vim_regexec(&regmatch, p, (colnr_T)0))
- curwin->w_cursor.col = (colnr_T)(regmatch.startp[0] - p);
+ if (vim_regexec(&regmatch, line, (colnr_T)0))
+ curwin->w_cursor.col = (colnr_T)(regmatch.startp[0] - line);
else
emsg(_(e_nomatch));
vim_regfree(regmatch.regprog);
+ vim_free(line);
}
// Move to the NUL, ignore any other arguments.
eap->arg += STRLEN(eap->arg);
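Review bot: The copy made by `vim_strsave(ml_get_curline())` is passed to vim_regexec() without a NULL check, and vim_strsave() returns NULL when the allocation fails. Guarding the match, for example `if (line != NULL && vim_regexec(&regmatch, line, (colnr_T)0))`, would keep a null pointer out of the regexp engine. With that guard an allocation failure falls through to the `e_nomatch` message, so a separate early exit that frees `regmatch.regprog` may read better. The trailing `vim_free(line)` is safe either way. ex_open() begins and ends outside this hunk.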
diff --git a/src/version.c b/src/version.c
index 035c46f..bd45631 100644
--- a/src/version.c
+++ b/src/version.c
@@ -742,6 +742,8 @@ static char *(features[]) =
static int included_patches[] =
{ /* Add new patch number below this line */
+/**/
+ 3741,
/**/
3403,
/**/
--
2.27.0


@ -1,61 +0,0 @@
From 6f98371532fcff911b462d51bc64f2ce8a6ae682 Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Fri, 24 Dec 2021 18:11:27 +0000
Subject: [PATCH] patch 8.2.3884: crash when clearing the argument list while
using it
Conflict:NA
Reference:https://github.com/vim/vim/commit/6f98371532fcff911b462d51bc64f2ce8a6ae682
Problem: Crash when clearing the argument list while using it.
Solution: Lock the argument list for ":all".
---
src/arglist.c | 3 +++
src/testdir/test_arglist.vim | 7 +++++++
2 files changed, 10 insertions(+)
diff --git a/src/arglist.c b/src/arglist.c
index 21c38c1..cdd70ca 100644
--- a/src/arglist.c
+++ b/src/arglist.c
@@ -902,6 +902,7 @@ do_arg_all(
tabpage_T *old_curtab, *last_curtab;
win_T *new_curwin = NULL;
tabpage_T *new_curtab = NULL;
+ int prev_arglist_locked = arglist_locked;
if (ARGCOUNT <= 0)
{
@@ -921,6 +922,7 @@ do_arg_all(
// watch out for its size to be changed.
alist = curwin->w_alist;
++alist->al_refcount;
+ arglist_locked = TRUE;
old_curwin = curwin;
old_curtab = curtab;
@@ -1132,6 +1134,7 @@ do_arg_all(
// Remove the "lock" on the argument list.
alist_unlink(alist);
+ arglist_locked = prev_arglist_locked;
--autocmd_no_enter;
diff --git a/src/testdir/test_arglist.vim b/src/testdir/test_arglist.vim
index c486b18..1c94fe9 100644
--- a/src/testdir/test_arglist.vim
+++ b/src/testdir/test_arglist.vim
@@ -505,3 +505,10 @@ func Test_argdo()
call assert_equal(['Xa.c', 'Xb.c', 'Xc.c'], l)
bwipe Xa.c Xb.c Xc.c
endfunc
+
+func Test_clear_arglist_in_all()
+ n 0 00 000 0000 00000 000000
+ au! * 0 n 0
+ all
+ au! *
+endfunc
--
2.27.0


@ -1,65 +0,0 @@
From 4c13e5e6763c6eb36a343a2b8235ea227202e952 Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Thu, 30 Dec 2021 14:49:43 +0000
Subject: [PATCH] patch 8.2.3949: using freed memory with /\%V
Conflict:NA
Reference:https://github.com/vim/vim/commit/4c13e5e6763c6eb36a343a2b8235ea227202e952
Problem: Using freed memory with /\%V.
Solution: Get the line again after getvvcol().
---
src/regexp.c | 9 +++++++--
src/testdir/test_regexp_latin.vim | 8 ++++++++
2 files changed, 15 insertions(+), 2 deletions(-)
diff --git a/src/regexp.c b/src/regexp.c
index 2e94e5a..6849cba 100644
--- a/src/regexp.c
+++ b/src/regexp.c
@@ -1276,9 +1276,9 @@ reg_match_visual(void)
if (lnum < top.lnum || lnum > bot.lnum)
return FALSE;
+ col = (colnr_T)(rex.input - rex.line);
if (mode == 'v')
{
- col = (colnr_T)(rex.input - rex.line);
if ((lnum == top.lnum && col < top.col)
|| (lnum == bot.lnum && col >= bot.col + (*p_sel != 'e')))
return FALSE;
@@ -1293,7 +1293,12 @@ reg_match_visual(void)
end = end2;
if (top.col == MAXCOL || bot.col == MAXCOL)
end = MAXCOL;
- cols = win_linetabsize(wp, rex.line, (colnr_T)(rex.input - rex.line));
+
+ // getvvcol() flushes rex.line, need to get it again
+ rex.line = reg_getline(rex.lnum);
+ rex.input = rex.line + col;
+
+ cols = win_linetabsize(wp, rex.line, col);
if (cols < start || cols > end - (*p_sel == 'e'))
return FALSE;
}
diff --git a/src/testdir/test_regexp_latin.vim b/src/testdir/test_regexp_latin.vim
index 3168edc..044b678 100644
--- a/src/testdir/test_regexp_latin.vim
+++ b/src/testdir/test_regexp_latin.vim
@@ -39,6 +39,14 @@ func Test_recursive_substitute()
bwipe!
endfunc
+func Test_using_visual_position()
+ " this was using freed memory
+ new
+ exe "norm 0o\<Esc>\<C-V>k\<C-X>o0"
+ /\%V
+ bwipe!
+endfunc
+
func Test_nested_backrefs()
" Check example in change.txt.
new
--
2.27.0


@ -1,58 +0,0 @@
From 94f3192b03ed27474db80b4d3a409e107140738b Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Thu, 30 Dec 2021 15:29:18 +0000
Subject: [PATCH] patch 8.2.3950: going beyond the end of the line with /\%V
Conflict:NA
Reference:https://github.com/vim/vim/commit/94f3192b03ed27474db80b4d3a409e107140738b
Problem: Going beyond the end of the line with /\%V.
Solution: Check for valid column in getvcol().
---
src/charset.c | 13 +++++++++----
src/testdir/test_regexp_latin.vim | 8 ++++++++
2 files changed, 17 insertions(+), 4 deletions(-)
diff --git a/src/charset.c b/src/charset.c
index 7505fea..a768c17 100644
--- a/src/charset.c
+++ b/src/charset.c
@@ -1226,10 +1226,15 @@ getvcol(
posptr = NULL; // continue until the NUL
else
{
- // Special check for an empty line, which can happen on exit, when
- // ml_get_buf() always returns an empty string.
- if (*ptr == NUL)
- pos->col = 0;
+ colnr_T i;
+
+ // In a few cases the position can be beyond the end of the line.
+ for (i = 0; i < pos->col; ++i)
+ if (ptr[i] == NUL)
+ {
+ pos->col = i;
+ break;
+ }
posptr = ptr + pos->col;
if (has_mbyte)
// always start on the first byte
diff --git a/src/testdir/test_regexp_latin.vim b/src/testdir/test_regexp_latin.vim
index 3168edc..4f52bac 100644
--- a/src/testdir/test_regexp_latin.vim
+++ b/src/testdir/test_regexp_latin.vim
@@ -149,3 +149,11 @@ func Test_using_mark_position()
call assert_fails("s/\\%')", 'E486:')
bwipe!
endfunc
+
+func Test_using_invalid_visual_position()
+ " this was going beyond the end of the line
+ new
+ exe "norm 0o000\<Esc>0\<C-V>$s0"
+ /\%V
+ bwipe!
+endfunc
--
2.27.0


@ -1,62 +0,0 @@
From de05bb25733c3319e18dca44e9b59c6ee389eb26 Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Thu, 13 Jan 2022 13:08:14 +0000
Subject: [PATCH] patch 8.2.4074: going over the end of NameBuff
Problem: Going over the end of NameBuff.
Solution: Check length when appending a space.
---
src/drawscreen.c | 9 +++++----
src/testdir/test_edit.vim | 15 +++++++++++++++
src/version.c | 2 ++
3 files changed, 22 insertions(+), 4 deletions(-)
diff --git a/src/drawscreen.c b/src/drawscreen.c
index 9acb705..7425ad4 100644
--- a/src/drawscreen.c
+++ b/src/drawscreen.c
@@ -437,12 +437,13 @@ win_redr_status(win_T *wp, int ignore_pum UNUSED)
p = NameBuff;
len = (int)STRLEN(p);
- if (bt_help(wp->w_buffer)
+ if ((bt_help(wp->w_buffer)
#ifdef FEAT_QUICKFIX
- || wp->w_p_pvw
+ || wp->w_p_pvw
#endif
- || bufIsChanged(wp->w_buffer)
- || wp->w_buffer->b_p_ro)
+ || bufIsChanged(wp->w_buffer)
+ || wp->w_buffer->b_p_ro)
+ && len < MAXPATHL - 1)
*(p + len++) = ' ';
if (bt_help(wp->w_buffer))
{
diff --git a/src/testdir/test_edit.vim b/src/testdir/test_edit.vim
index c3b1af5..48e6ff2 100644
--- a/src/testdir/test_edit.vim
+++ b/src/testdir/test_edit.vim
@@ -1532,3 +1532,18 @@ func Test_edit_put_CTRL_E()
set encoding=utf-8
endfunc
+" Weird long file name was going over the end of NameBuff
+func Test_edit_overlong_file_name()
+ CheckUnix
+
+ file 0000000000000000000000000000
+ file %%%%%%%%%%%%%%%%%%%%%%%%%%
+ file %%%%%%
+ set readonly
+ set ls=2
+
+ redraw!
+ set noreadonly ls&
+ bwipe!
+endfunc
+
--
2.23.0


@ -1,109 +0,0 @@
From 9f8c304c8a390ade133bac29963dc8e56ab14cbc Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Mon, 17 Jan 2022 17:30:21 +0000
Subject: [PATCH] patch 8.2.4120: block insert goes over the end of the line
Problem: Block insert goes over the end of the line.
Solution: Handle invalid byte better. Fix inserting the wrong text.
---
src/ops.c | 40 ++++++++++++++++++++++++-------------
src/testdir/test_visual.vim | 10 ++++++++++
2 files changed, 36 insertions(+), 14 deletions(-)
diff --git a/src/ops.c b/src/ops.c
index d3e1e47..13e6bdb 100644
--- a/src/ops.c
+++ b/src/ops.c
@@ -535,22 +535,27 @@ block_insert(
if (b_insert)
{
off = (*mb_head_off)(oldp, oldp + offset + spaces);
+ spaces -= off;
+ count -= off;
}
else
{
- off = (*mb_off_next)(oldp, oldp + offset);
- offset += off;
+ // spaces fill the gap, the character that's at the edge moves
+ // right
+ off = (*mb_head_off)(oldp, oldp + offset);
+ offset -= off;
}
- spaces -= off;
- count -= off;
}
- newp = alloc(STRLEN(oldp) + s_len + count + 1);
+ // Make sure the allocated size matches what is actually copied below.
+ newp = alloc(STRLEN(oldp) + spaces + s_len
+ + (spaces > 0 && !bdp->is_short ? ts_val - spaces : 0)
+ + count + 1);
if (newp == NULL)
continue;
// copy up to shifted part
- mch_memmove(newp, oldp, (size_t)(offset));
+ mch_memmove(newp, oldp, (size_t)offset);
oldp += offset;
// insert pre-padding
@@ -560,14 +565,21 @@ block_insert(
mch_memmove(newp + offset + spaces, s, (size_t)s_len);
offset += s_len;
- if (spaces && !bdp->is_short)
+ if (spaces > 0 && !bdp->is_short)
{
- // insert post-padding
- vim_memset(newp + offset + spaces, ' ', (size_t)(ts_val - spaces));
- // We're splitting a TAB, don't copy it.
- oldp++;
- // We allowed for that TAB, remember this now
- count++;
+ if (*oldp == TAB)
+ {
+ // insert post-padding
+ vim_memset(newp + offset + spaces, ' ',
+ (size_t)(ts_val - spaces));
+ // we're splitting a TAB, don't copy it
+ oldp++;
+ // We allowed for that TAB, remember this now
+ count++;
+ }
+ else
+ // Not a TAB, no extra spaces
+ count = spaces;
}
if (spaces > 0)
@@ -1609,7 +1621,7 @@ op_insert(oparg_T *oap, long count1)
oap->start_vcol = t;
}
else if (oap->op_type == OP_APPEND
- && oap->end.col + oap->end.coladd
+ && oap->start.col + oap->start.coladd
>= curbuf->b_op_start_orig.col
+ curbuf->b_op_start_orig.coladd)
{
diff --git a/src/testdir/test_visual.vim b/src/testdir/test_visual.vim
index 0705fdb..84a8981 100644
--- a/src/testdir/test_visual.vim
+++ b/src/testdir/test_visual.vim
@@ -903,3 +903,13 @@ func Test_visual_block_ctrl_w_f()
endfunc
" vim: shiftwidth=2 sts=2 expandtab
+
+func Test_visual_block_append_invalid_char()
+ " this was going over the end of the line
+ new
+ call setline(1, [' let xxx', 'xxxxxˆ', 'xxxxxxxxxxx'])
+ exe "normal 0\<C-V>jjA-\<Esc>"
+ call assert_equal([' - let xxx', 'xxxxx -ˆ', 'xxxxxxxx-xxx'], getline(1, 3))
+ bwipe!
+endfunc
+
--
2.27.0


@ -1,63 +0,0 @@
From 57df9e8a9f9ae1aafdde9b86b10ad907627a87dc Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Thu, 20 Jan 2022 12:10:48 +0000
Subject: [PATCH] patch 8.2.4151: reading beyond the end of a line
Problem: Reading beyond the end of a line.
Solution: For block insert only use the offset for correcting the length.
---
src/ops.c | 20 ++------------------
src/testdir/test_visual.vim | 9 +++++++++
2 files changed, 11 insertions(+), 18 deletions(-)
diff --git a/src/ops.c b/src/ops.c
index 13e6bdb..2122ff3 100644
--- a/src/ops.c
+++ b/src/ops.c
@@ -528,24 +528,8 @@ block_insert(
}
if (has_mbyte && spaces > 0)
- {
- int off;
-
- // Avoid starting halfway a multi-byte character.
- if (b_insert)
- {
- off = (*mb_head_off)(oldp, oldp + offset + spaces);
- spaces -= off;
- count -= off;
- }
- else
- {
- // spaces fill the gap, the character that's at the edge moves
- // right
- off = (*mb_head_off)(oldp, oldp + offset);
- offset -= off;
- }
- }
+ // avoid copying part of a multi-byte character
+ offset -= (*mb_head_off)(oldp, oldp + offset);
// Make sure the allocated size matches what is actually copied below.
newp = alloc(STRLEN(oldp) + spaces + s_len
diff --git a/src/testdir/test_visual.vim b/src/testdir/test_visual.vim
index 84a8981..3ed927a 100644
--- a/src/testdir/test_visual.vim
+++ b/src/testdir/test_visual.vim
@@ -913,3 +913,12 @@ func Test_visual_block_append_invalid_char()
bwipe!
endfunc
+func Test_visual_block_insert_round_off()
+ new
+ " The number of characters are tuned to fill a 4096 byte allocated block,
+ " so that valgrind reports going over the end.
+ call setline(1, ['xxxxx', repeat('0', 1350), "\t", repeat('x', 60)])
+ exe "normal gg0\<C-V>GI" .. repeat('0', 1320) .. "\<Esc>"
+ bwipe!
+endfunc
+
--
2.27.0


@ -1,65 +0,0 @@
From 05b27615481e72e3b338bb12990fb3e0c2ecc2a9 Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Thu, 20 Jan 2022 13:32:50 +0000
Subject: [PATCH] patch 8.2.4154: ml_get error when exchanging windows in
Visual mode
Problem: ml_get error when exchanging windows in Visual mode.
Solution: Correct end of Visual area when entering another buffer
Reference:https://github.com/vim/vim/commit/05b27615481e72e3b338bb12990fb3e0c2ecc2a9
Conflict:NA
---
src/testdir/test_visual.vim | 10 ++++++++++
src/window.c | 7 ++++++-
2 files changed, 16 insertions(+), 1 deletion(-)
diff --git a/src/testdir/test_visual.vim b/src/testdir/test_visual.vim
index fcf6473..4f8f056 100644
--- a/src/testdir/test_visual.vim
+++ b/src/testdir/test_visual.vim
@@ -705,6 +705,16 @@ func Test_visual_undo_deletes_last_line()
bwipe!
endfunc
+" this was causing an ml_get error
+func Test_visual_exchange_windows()
+ enew!
+ new
+ call setline(1, ['foo', 'bar'])
+ exe "normal G\<C-V>gg\<C-W>\<C-X>OO\<Esc>"
+ bwipe!
+ bwipe!
+endfunc
+
func Test_visual_mode_put()
new
diff --git a/src/window.c b/src/window.c
index 5b407d5..bb17167 100644
--- a/src/window.c
+++ b/src/window.c
@@ -1661,6 +1661,11 @@ win_exchange(long Prenum)
(void)win_comp_pos(); // recompute window positions
+ if (wp->w_buffer != curbuf)
+ reset_VIsual_and_resel();
+ else if (VIsual_active)
+ wp->w_cursor = curwin->w_cursor;
+
win_enter(wp, TRUE);
redraw_all_later(NOT_VALID);
}
@@ -5114,7 +5119,7 @@ frame_remove(frame_T *frp)
win_alloc_lines(win_T *wp)
{
wp->w_lines_valid = 0;
- wp->w_lines = ALLOC_CLEAR_MULT(wline_T, Rows );
+ wp->w_lines = ALLOC_CLEAR_MULT(wline_T, Rows);
if (wp->w_lines == NULL)
return FAIL;
return OK;
--
2.27.0


@ -1,78 +0,0 @@
From: Bram Moolenaar <Bram@vim.org>
Date: Mon, 24 Jan 2022 18:16:12 +0000
Subject: [PATCH] patch 8.2.4206: condition with many "(" causes a crash
Problem: Condition with many "(" causes a crash.
Solution: Limit recursion to 1000.
---
src/eval.c | 12 ++++++++++++
src/globals.h | 2 ++
src/testdir/test_eval_stuff.vim | 5 +++++
3 files changed, 19 insertions(+)
diff --git a/src/eval.c b/src/eval.c
index 3b563f7..95dda90 100644
--- a/src/eval.c
+++ b/src/eval.c
@@ -2495,6 +2495,7 @@ eval7(
char_u *start_leader, *end_leader;
int ret = OK;
char_u *alias;
+ static int recurse = 0;
/*
* Initialise variable so that clear_tv() can't mistake this for a
@@ -2521,6 +2522,15 @@ eval7(
return FAIL;
}
+ // Limit recursion to 1000 levels. At least at 10000 we run out of stack
+ // and crash.
+ if (recurse == 1000)
+ {
+ semsg(_(e_expression_too_recursive_str), *arg);
+ return FAIL;
+ }
+ ++recurse;
+
switch (**arg)
{
/*
@@ -2761,6 +2771,8 @@ eval7(
*/
if (ret == OK && evaluate && end_leader > start_leader)
ret = eval7_leader(rettv, start_leader, &end_leader);
+
+ --recurse;
return ret;
}
diff --git a/src/globals.h b/src/globals.h
index 75092b7..659bad6 100644
--- a/src/globals.h
+++ b/src/globals.h
@@ -1464,6 +1464,8 @@ EXTERN char e_endwhile[] INIT(= N_("E170: Missing :endwhile"));
EXTERN char e_endfor[] INIT(= N_("E170: Missing :endfor"));
EXTERN char e_while[] INIT(= N_("E588: :endwhile without :while"));
EXTERN char e_for[] INIT(= N_("E588: :endfor without :for"));
+EXTERN char e_expression_too_recursive_str[]
+ INIT(= N_("E1169: Expression too recursive: %s"));
#endif
EXTERN char e_exists[] INIT(= N_("E13: File exists (add ! to override)"));
EXTERN char e_failed[] INIT(= N_("E472: Command failed"));
diff --git a/src/testdir/test_eval_stuff.vim b/src/testdir/test_eval_stuff.vim
index ec566da..32a5411 100644
--- a/src/testdir/test_eval_stuff.vim
+++ b/src/testdir/test_eval_stuff.vim
@@ -216,3 +216,8 @@ func Test_scriptversion_fail()
call assert_fails('source Xversionscript', 'E999:')
call delete('Xversionscript')
endfunc
+
+func Test_deep_recursion()
+ " this was running out of stack
+ call assert_fails("exe 'if ' .. repeat('(', 1002)", 'E1169: Expression too recursive: ((')
+endfunc
--
1.8.3.1


@ -1,28 +0,0 @@
From 85b6747abc15a7a81086db31289cf1b8b17e6cb1 Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Tue, 25 Jan 2022 11:55:02 +0000
Subject: [PATCH] patch 8.2.4214: illegal memory access with large 'tabstop' in
Ex mode
Problem: Illegal memory access with large 'tabstop' in Ex mode.
Solution: Allocate enough memory.
---
src/ex_getln.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/ex_getln.c b/src/ex_getln.c
index 769dcb8..68b4757 100644
--- a/src/ex_getln.c
+++ b/src/ex_getln.c
@@ -856,7 +856,7 @@ getcmdline_int(
ccline.cmdindent = (firstc > 0 ? indent : 0);
// alloc initial ccline.cmdbuff
- alloc_cmdbuff(exmode_active ? 250 : indent + 1);
+ alloc_cmdbuff(indent + 50);
if (ccline.cmdbuff == NULL)
goto theend; // out of memory
ccline.cmdlen = ccline.cmdpos = 0;
--
1.8.3.1


@ -1,60 +0,0 @@
From dc5490e2cbc8c16022a23b449b48c1bd0083f366 Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Tue, 25 Jan 2022 13:52:53 +0000
Subject: [PATCH] patch 8.2.4215: illegal memory access when copying lines in
Visual mode
Problem: Illegal memory access when copying lines in Visual mode.
Solution: Adjust the Visual position after copying lines.
---
src/ex_cmds.c | 2 ++
src/testdir/test_visual.vim | 13 +++++++++++--
2 files changed, 13 insertions(+), 2 deletions(-)
diff --git a/src/ex_cmds.c b/src/ex_cmds.c
index fea6dfa..aa97b40 100644
--- a/src/ex_cmds.c
+++ b/src/ex_cmds.c
@@ -864,6 +864,8 @@ ex_copy(linenr_T line1, linenr_T line2, linenr_T n)
}
appended_lines_mark(n, count);
+ if (VIsual_active)
+ check_pos(curbuf, &VIsual);
msgmore((long)count);
}
diff --git a/src/testdir/test_visual.vim b/src/testdir/test_visual.vim
index 3ed927a..f82d75b 100644
--- a/src/testdir/test_visual.vim
+++ b/src/testdir/test_visual.vim
@@ -658,8 +658,6 @@ func Test_linewise_select_mode()
call append('$', ['a', 'b', 'c'])
exe "normal GkkgH\<Del>"
call assert_equal(['', 'b', 'c'], getline(1, '$'))
-
-
" linewise select mode: delete middle two lines
call deletebufline('', 1, '$')
call append('$', ['a', 'b', 'c'])
@@ -681,6 +679,17 @@ func Test_linewise_select_mode()
bwipe!
endfunc
+" this was leaving the end of the Visual area beyond the end of a line
+func Test_visual_ex_copy_line()
+ new
+ call setline(1, ["aaa", "bbbbbbbbbxbb"])
+ /x
+ exe "normal ggvjfxO"
+ t0
+ normal gNU
+ bwipe!
+endfunc
+
func Test_visual_mode_put()
new
--
2.27.0


@ -1,55 +0,0 @@
From 8d02ce1ed75d008c34a5c9aaa51b67cbb9d33baa Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Tue, 25 Jan 2022 18:24:00 +0000
Subject: [PATCH] patch 8.2.4217: illegal memory access when undo makes Visual
area invalid
Problem: Illegal memory access when undo makes Visual area invalid.
Solution: Correct the Visual area after undo.
---
src/testdir/test_visual.vim | 15 +++++++++++++++
src/undo.c | 2 ++
2 files changed, 17 insertions(+)
diff --git a/src/testdir/test_visual.vim b/src/testdir/test_visual.vim
index f82d75b..fcf6473 100644
--- a/src/testdir/test_visual.vim
+++ b/src/testdir/test_visual.vim
@@ -690,6 +690,21 @@ func Test_visual_ex_copy_line()
bwipe!
endfunc
+" This was leaving the end of the Visual area beyond the end of a line.
+" Set 'undolevels' to start a new undo block.
+func Test_visual_undo_deletes_last_line()
+ new
+ call setline(1, ["aaa", "ccc", "dyd"])
+ set undolevels=100
+ exe "normal obbbbbbbbbxbb\<Esc>"
+ set undolevels=100
+ /y
+ exe "normal ggvjfxO"
+ undo
+ normal gNU
+ bwipe!
+endfunc
+
func Test_visual_mode_put()
new
diff --git a/src/undo.c b/src/undo.c
index 54a6e1c..706dee9 100644
--- a/src/undo.c
+++ b/src/undo.c
@@ -2985,6 +2985,8 @@ u_undo_end(
}
}
#endif
+ if (VIsual_active)
+ check_pos(curbuf, &VIsual);
smsg_attr_keep(0, _("%ld %s; %s #%ld %s"),
u_oldcount < 0 ? -u_oldcount : u_oldcount,
--
2.27.0


@ -1,50 +0,0 @@
From 806d037671e133bd28a7864248763f643967973a Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Tue, 25 Jan 2022 20:45:16 +0000
Subject: [PATCH] patch 8.2.4218: illegal memory access with bracketed paste in
Ex mode
Problem: Illegal memory access with bracketed paste in Ex mode.
Solution: Reserve space for the trailing NUL.
---
src/edit.c | 3 ++-
src/testdir/test_paste.vim | 11 +++++++++++
2 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/src/edit.c b/src/edit.c
index c67f67c..3767769 100644
--- a/src/edit.c
+++ b/src/edit.c
@@ -4984,7 +4984,8 @@ bracketed_paste(paste_mode_T mode, int drop, garray_T *gap)
break;
case PASTE_EX:
- if (gap != NULL && ga_grow(gap, idx) == OK)
+ // add one for the NUL that is going to be appended
+ if (gap != NULL && ga_grow(gap, idx + 1) == OK)
{
mch_memmove((char *)gap->ga_data + gap->ga_len,
buf, (size_t)idx);
diff --git a/src/testdir/test_paste.vim b/src/testdir/test_paste.vim
index c30140f..263f084 100644
--- a/src/testdir/test_paste.vim
+++ b/src/testdir/test_paste.vim
@@ -134,3 +134,14 @@ func Test_xrestore()
bwipe!
endfunc
+
+" bracketed paste in Ex-mode
+func Test_paste_ex_mode()
+ unlet! foo
+ call feedkeys("Qlet foo=\"\<Esc>[200~foo\<CR>bar\<Esc>[201~\"\<CR>vi\<CR>", 'xt')
+ call assert_equal("foo\rbar", foo)
+
+
+ " pasting more than 40 bytes
+ exe "norm Q\<PasteStart>0000000000000000000000000000000000000000000000000000000000000000000000\<C-C>"
+endfunc
--
2.27.0


@ -1,92 +0,0 @@
From 06f15416bb8d5636200a10776f1752c4d6e49f31 Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Sat, 29 Jan 2022 10:51:59 +0000
Subject: [PATCH] patch 8.2.4247: stack corruption when looking for spell
suggestions
Problem: Stack corruption when looking for spell suggestions.
Solution: Prevent the depth increased too much. Add a five second time
limit to finding suggestions.
---
src/spellsuggest.c | 17 +++++++++++++++--
src/testdir/test_spell.vim | 8 ++++++++
2 files changed, 23 insertions(+), 2 deletions(-)
diff --git a/src/spellsuggest.c b/src/spellsuggest.c
index 8615d52..a73e695 100644
--- a/src/spellsuggest.c
+++ b/src/spellsuggest.c
@@ -1187,7 +1187,7 @@ suggest_try_change(suginfo_T *su)
// Check the maximum score, if we go over it we won't try this change.
#define TRY_DEEPER(su, stack, depth, add) \
- (stack[depth].ts_score + (add) < su->su_maxscore)
+ (depth < MAXWLEN && stack[depth].ts_score + (add) < su->su_maxscore)
/*
* Try finding suggestions by adding/removing/swapping letters.
@@ -1259,6 +1259,9 @@ suggest_trie_walk(
char_u changename[MAXWLEN][80];
#endif
int breakcheckcount = 1000;
+#ifdef FEAT_RELTIME
+ proftime_T time_limit;
+#endif
int compound_ok;
// Go through the whole case-fold tree, try changes at each node.
@@ -1303,6 +1306,11 @@ suggest_trie_walk(
sp->ts_state = STATE_START;
}
}
+#ifdef FEAT_RELTIME
+ // The loop may take an indefinite amount of time. Break out after five
+ // sectonds. TODO: add an option for the time limit.
+ profile_setlimit(5000, &time_limit);
+#endif
// Loop to find all suggestions. At each round we either:
// - For the current state try one operation, advance "ts_curi",
@@ -1337,7 +1345,8 @@ suggest_trie_walk(
// At end of a prefix or at start of prefixtree: check for
// following word.
- if (byts[arridx] == 0 || n == (int)STATE_NOPREFIX)
+ if (depth < MAXWLEN
+ && (byts[arridx] == 0 || n == (int)STATE_NOPREFIX))
{
// Set su->su_badflags to the caps type at this position.
// Use the caps type until here for the prefix itself.
@@ -2630,6 +2639,10 @@ suggest_trie_walk(
{
ui_breakcheck();
breakcheckcount = 1000;
+#ifdef FEAT_RELTIME
+ if (profile_passed_limit(&time_limit))
+ got_int = TRUE;
+#endif
}
}
}
diff --git a/src/testdir/test_spell.vim b/src/testdir/test_spell.vim
index e435e91..271d034 100644
--- a/src/testdir/test_spell.vim
+++ b/src/testdir/test_spell.vim
@@ -427,6 +427,14 @@ func Test_spell_long_word()
set nospell
endfunc
+func Test_spellsuggest_too_deep()
+ " This was incrementing "depth" over MAXWLEN.
+ new
+ norm s000G00ý000000000000
+ sil norm ..vzG................vvzG0 v z=
+ bwipe!
+endfunc
+
func LoadAffAndDic(aff_contents, dic_contents)
set enc=latin1
set spellfile=
--
1.8.3.1


@ -1,85 +0,0 @@
From 37f47958b8a2a44abc60614271d9537e7f14e51a Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Sat, 29 Jan 2022 14:21:51 +0000
Subject: [PATCH] patch 8.2.4253: using freed memory when substitute with
function call
Problem: Using freed memory when substitute uses a recursive function call.
Solution: Make a copy of the substitute text.
---
src/ex_cmds.c | 19 +++++++++++++++----
src/testdir/test_substitute.vim | 16 ++++++++++++++++
2 files changed, 31 insertions(+), 4 deletions(-)
diff --git a/src/ex_cmds.c b/src/ex_cmds.c
index cccdf47..aa97b40 100644
--- a/src/ex_cmds.c
+++ b/src/ex_cmds.c
@@ -3577,6 +3577,7 @@ do_sub(exarg_T *eap)
int save_do_all; // remember user specified 'g' flag
int save_do_ask; // remember user specified 'c' flag
char_u *pat = NULL, *sub = NULL; // init for GCC
+ char_u *sub_copy = NULL;
int delimiter;
int sublen;
int got_quit = FALSE;
@@ -3866,11 +3867,20 @@ do_sub(exarg_T *eap)
sub_firstline = NULL;
/*
- * ~ in the substitute pattern is replaced with the old pattern.
- * We do it here once to avoid it to be replaced over and over again.
- * But don't do it when it starts with "\=", then it's an expression.
+ * If the substitute pattern starts with "\=" then it's an expression.
+ * Make a copy, a recursive function may free it.
+ * Otherwise, '~' in the substitute pattern is replaced with the old
+ * pattern. We do it here once to avoid it to be replaced over and over
+ * again.
*/
- if (!(sub[0] == '\\' && sub[1] == '='))
+ if (sub[0] == '\\' && sub[1] == '=')
+ {
+ sub = vim_strsave(sub);
+ if (sub == NULL)
+ return;
+ sub_copy = sub;
+ }
+ else
sub = regtilde(sub, p_magic);
/*
@@ -4670,6 +4680,7 @@ outofmem:
#endif
vim_regfree(regmatch.regprog);
+ vim_free(sub_copy);
// Restore the flag values, they can be used for ":&&".
subflags.do_all = save_do_all;
diff --git a/src/testdir/test_substitute.vim b/src/testdir/test_substitute.vim
index c7532fb..3e6bc5c 100644
--- a/src/testdir/test_substitute.vim
+++ b/src/testdir/test_substitute.vim
@@ -745,3 +745,19 @@ func Test_sub_beyond_end()
call assert_equal('#', getline(1))
bwipe!
endfunc
+
+" This was using "old_sub" after it was freed.
+func Test_using_old_sub()
+ set compatible maxfuncdepth=10
+ new
+ call setline(1, 'some text.')
+ func Repl()
+ ~
+ s/
+ endfunc
+ silent! s/\%')/\=Repl()
+
+ delfunc Repl
+ bwipe!
+ set nocompatible
+endfunc
--
1.8.3.1


@ -1,117 +0,0 @@
From 652dee448618589de5528a9e9a36995803f5557a Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Fri, 28 Jan 2022 20:47:49 +0000
Subject: [PATCH] patch 8.2.4245: ":retab 0" may cause illegal memory access
Problem: ":retab 0" may cause illegal memory access.
Solution: Limit the value of 'tabstop' to 10000.
---
src/indent.c | 4 ++--
src/option.c | 16 +++++++++-------
src/testdir/test_options.vim | 2 ++
src/vim.h | 2 ++
4 files changed, 15 insertions(+), 9 deletions(-)
diff --git a/src/indent.c b/src/indent.c
index 7d04373..e8e93b9 100644
--- a/src/indent.c
+++ b/src/indent.c
@@ -71,7 +71,7 @@ tabstop_set(char_u *var, int **array)
int n = atoi((char *)cp);
// Catch negative values, overflow and ridiculous big values.
- if (n < 0 || n > 9999)
+ if (n < 0 || n > TABSTOP_MAX)
{
semsg(_(e_invarg2), cp);
vim_free(*array);
@@ -1590,7 +1590,7 @@ ex_retab(exarg_T *eap)
emsg(_(e_positive));
return;
}
- if (new_ts < 0 || new_ts > 9999)
+ if (new_ts < 0 || new_ts > TABSTOP_MAX)
{
semsg(_(e_invarg2), eap->arg);
return;
diff --git a/src/option.c b/src/option.c
index e9598d6..382b01b 100644
--- a/src/option.c
+++ b/src/option.c
@@ -3557,6 +3557,11 @@ set_num_option(
errmsg = e_positive;
curbuf->b_p_ts = 8;
}
+ else if (curbuf->b_p_ts > TABSTOP_MAX)
+ {
+ errmsg = e_invalid_argument;
+ curbuf->b_p_ts = 8;
+ }
if (p_tm < 0)
{
errmsg = e_positive;
@@ -5758,7 +5763,7 @@ buf_copy_options(buf_T *buf, int flags)
if (p_vsts && p_vsts != empty_option)
(void)tabstop_set(p_vsts, &buf->b_p_vsts_array);
else
- buf->b_p_vsts_array = 0;
+ buf->b_p_vsts_array = NULL;
buf->b_p_vsts_nopaste = p_vsts_nopaste
? vim_strsave(p_vsts_nopaste) : NULL;
#endif
@@ -6583,9 +6588,7 @@ paste_option_changed(void)
if (buf->b_p_vsts)
free_string_option(buf->b_p_vsts);
buf->b_p_vsts = empty_option;
- if (buf->b_p_vsts_array)
- vim_free(buf->b_p_vsts_array);
- buf->b_p_vsts_array = 0;
+ VIM_CLEAR(buf->b_p_vsts_array);
#endif
}
@@ -6631,12 +6634,11 @@ paste_option_changed(void)
free_string_option(buf->b_p_vsts);
buf->b_p_vsts = buf->b_p_vsts_nopaste
? vim_strsave(buf->b_p_vsts_nopaste) : empty_option;
- if (buf->b_p_vsts_array)
- vim_free(buf->b_p_vsts_array);
+ vim_free(buf->b_p_vsts_array);
if (buf->b_p_vsts && buf->b_p_vsts != empty_option)
(void)tabstop_set(buf->b_p_vsts, &buf->b_p_vsts_array);
else
- buf->b_p_vsts_array = 0;
+ buf->b_p_vsts_array = NULL;
#endif
}
diff --git a/src/testdir/test_options.vim b/src/testdir/test_options.vim
index 65600ee..d4213c1 100644
--- a/src/testdir/test_options.vim
+++ b/src/testdir/test_options.vim
@@ -263,6 +263,8 @@ func Test_set_errors()
call assert_fails('set shiftwidth=-1', 'E487:')
call assert_fails('set sidescroll=-1', 'E487:')
call assert_fails('set tabstop=-1', 'E487:')
+ call assert_fails('set tabstop=10000', 'E474:')
+ call assert_fails('set tabstop=5500000000', 'E474:')
call assert_fails('set textwidth=-1', 'E487:')
call assert_fails('set timeoutlen=-1', 'E487:')
call assert_fails('set updatecount=-1', 'E487:')
diff --git a/src/vim.h b/src/vim.h
index 68e2de1..cd917a3 100644
--- a/src/vim.h
+++ b/src/vim.h
@@ -2031,6 +2031,8 @@ typedef int sock_T;
#define DICT_MAXNEST 100 // maximum nesting of lists and dicts
+#define TABSTOP_MAX 9999
+
#ifdef FEAT_CLIPBOARD
// VIM_ATOM_NAME is the older Vim-specific selection type for X11. Still
--
2.27.0


@ -1,91 +0,0 @@
From 9b4a80a66544f2782040b641498754bcb5b8d461 Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Tue, 1 Feb 2022 13:54:17 +0000
Subject: [PATCH] patch 8.2.4281: using freed memory with :lopen and :bwipe
Problem: Using freed memory with :lopen and :bwipe.
Solution: Do not use a wiped out buffer.
---
src/buffer.c | 14 ++++++++++----
src/testdir/test_quickfix.vim | 16 ++++++++++++++++
2 files changed, 26 insertions(+), 4 deletions(-)
diff --git a/src/buffer.c b/src/buffer.c
index b4992dd..0f4957d 100644
--- a/src/buffer.c
+++ b/src/buffer.c
@@ -1666,6 +1666,7 @@ set_curbuf(buf_T *buf, int action)
#endif
bufref_T newbufref;
bufref_T prevbufref;
+ int valid;
setpcmark();
if (!cmdmod.keepalt)
@@ -1717,13 +1718,19 @@ set_curbuf(buf_T *buf, int action)
// An autocommand may have deleted "buf", already entered it (e.g., when
// it did ":bunload") or aborted the script processing.
// If curwin->w_buffer is null, enter_buffer() will make it valid again
- if ((buf_valid(buf) && buf != curbuf
+ valid = buf_valid(buf);
+ if ((valid && buf != curbuf
#ifdef FEAT_EVAL
&& !aborting()
#endif
) || curwin->w_buffer == NULL)
{
- enter_buffer(buf);
+ // If the buffer is not valid but curwin->w_buffer is NULL we must
+ // enter some buffer. Using the last one is hopefully OK.
+ if (!valid)
+ enter_buffer(lastbuf);
+ else
+ enter_buffer(buf);
#ifdef FEAT_SYN_HL
if (old_tw != curbuf->b_p_tw)
check_colorcolumn(curwin);
@@ -2236,8 +2243,7 @@ free_buf_options(
clear_string_option(&buf->b_p_vsts);
vim_free(buf->b_p_vsts_nopaste);
buf->b_p_vsts_nopaste = NULL;
- vim_free(buf->b_p_vsts_array);
- buf->b_p_vsts_array = NULL;
+ VIM_CLEAR(buf->b_p_vsts_array);
clear_string_option(&buf->b_p_vts);
VIM_CLEAR(buf->b_p_vts_array);
#endif
diff --git a/src/testdir/test_quickfix.vim b/src/testdir/test_quickfix.vim
index f7c73f4..38a5236 100644
--- a/src/testdir/test_quickfix.vim
+++ b/src/testdir/test_quickfix.vim
@@ -876,6 +876,7 @@ func Test_locationlist_curwin_was_closed()
call assert_fails('lrewind', 'E924:')
augroup! testgroup
+ delfunc R
endfunc
func Test_locationlist_cross_tab_jump()
@@ -4674,4 +4675,19 @@ func Test_search_in_dirstack()
call delete('Xtestdir', 'rf')
endfunc
+" Weird sequence of commands that caused entering a wiped-out buffer
+func Test_lopen_bwipe()
+ func R()
+ silent! tab lopen
+ e x
+ silent! lfile
+ endfunc
+
+ cal R()
+ cal R()
+ cal R()
+ bw!
+ delfunc R
+endfunc
+
" vim: shiftwidth=2 sts=2 expandtab
--
2.27.0


@ -1,113 +0,0 @@
From e3537aec2f8d6470010547af28dcbd83d41461b8 Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Tue, 8 Feb 2022 15:05:20 +0000
Subject: [PATCH] patch 8.2.4327: may end up with no current buffer
Problem: May end up with no current buffer.
Solution: When deleting the current buffer to not pick a quickfix buffer as
the new current buffer
Reference:https://github.com/vim/vim/commit/e3537aec2f8d6470010547af28dcbd83d41461b8
Conflict:NA
---
src/buffer.c | 26 ++++++++++++++++++++++----
src/testdir/test_quickfix.vim | 25 +++++++++++++++++++++++++
2 files changed, 47 insertions(+), 4 deletions(-)
diff --git a/src/buffer.c b/src/buffer.c
index e5f6a9b..3617c63 100644
--- a/src/buffer.c
+++ b/src/buffer.c
@@ -1520,8 +1520,14 @@ do_buffer(
buf = buflist_findnr(curwin->w_jumplist[jumpidx].fmark.fnum);
if (buf != NULL)
{
- if (buf == curbuf || !buf->b_p_bl)
- buf = NULL; // skip current and unlisted bufs
+ // Skip current and unlisted bufs. Also skip a quickfix
+ // buffer, it might be deleted soon.
+ if (buf == curbuf || !buf->b_p_bl
+#if defined(FEAT_QUICKFIX)
+ || bt_quickfix(buf)
+#endif
+ )
+ buf = NULL;
else if (buf->b_ml.ml_mfp == NULL)
{
// skip unloaded buf, but may keep it for later
@@ -1558,7 +1564,11 @@ do_buffer(
continue;
}
// in non-help buffer, try to skip help buffers, and vv
- if (buf->b_help == curbuf->b_help && buf->b_p_bl)
+ if (buf->b_help == curbuf->b_help && buf->b_p_bl
+#if defined(FEAT_QUICKFIX)
+ && !bt_quickfix(buf)
+#endif
+ )
{
if (buf->b_ml.ml_mfp != NULL) // found loaded buffer
break;
@@ -1576,7 +1586,11 @@ do_buffer(
if (buf == NULL) // No loaded buffer, find listed one
{
FOR_ALL_BUFFERS(buf)
- if (buf->b_p_bl && buf != curbuf)
+ if (buf->b_p_bl && buf != curbuf
+#if defined(FEAT_QUICKFIX)
+ && !bt_quickfix(buf)
+#endif
+ )
break;
}
if (buf == NULL) // Still no buffer, just take one
@@ -1585,6 +1599,10 @@ do_buffer(
buf = curbuf->b_next;
else
buf = curbuf->b_prev;
+#if defined(FEAT_QUICKFIX)
+ if (bt_quickfix(buf))
+ buf = NULL;
+#endif
}
}
diff --git a/src/testdir/test_quickfix.vim b/src/testdir/test_quickfix.vim
index 38a5236..72f3172 100644
--- a/src/testdir/test_quickfix.vim
+++ b/src/testdir/test_quickfix.vim
@@ -325,6 +325,31 @@ func Test_copenHeight_tabline()
set tabline& showtabline&
endfunc
+" Another sequence of commands that caused all buffers to be wiped out
+func Test_lopen_bwipe_all()
+ let lines =<< trim END
+ func R()
+ silent! tab lopen
+ e foo
+ silent! lfile
+ endfunc
+ cal R()
+ exe "norm \<C-W>\<C-V>0"
+ cal R()
+ bwipe
+
+ call writefile(['done'], 'Xresult')
+ qall!
+ END
+ call writefile(lines, 'Xscript')
+ if RunVim([], [], '-u NONE -n -X -Z -e -m -s -S Xscript')
+ call assert_equal(['done'], readfile('Xresult'))
+ endif
+
+ call delete('Xscript')
+ call delete('Xresult')
+endfunc
+
" Tests for the :cfile, :lfile, :caddfile, :laddfile, :cgetfile and :lgetfile
" commands.
--
2.27.0


@ -1,66 +0,0 @@
From 6e28703a8e41f775f64e442c5d11ce1ff599aa3f Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Sat, 12 Feb 2022 15:42:18 +0000
Subject: [PATCH] patch 8.2.4359: crash when repeatedly using :retab
Problem: crash when repeatedly using :retab.
Solution: Bail out when the line is getting too long.
---
src/indent.c | 5 +++++
src/testdir/test_retab.vim | 20 ++++++++++++++++++++
2 files changed, 25 insertions(+)
diff --git a/src/indent.c b/src/indent.c
index e8e93b9..075802c 100644
--- a/src/indent.c
+++ b/src/indent.c
@@ -1689,6 +1689,11 @@ ex_retab(exarg_T *eap)
if (ptr[col] == NUL)
break;
vcol += chartabsize(ptr + col, (colnr_T)vcol);
+ if (vcol >= MAXCOL)
+ {
+ emsg(_(e_resulting_text_too_long));
+ break;
+ }
if (has_mbyte)
col += (*mb_ptr2len)(ptr + col);
else
diff --git a/src/testdir/test_retab.vim b/src/testdir/test_retab.vim
index e7b8946..5376f92 100644
--- a/src/testdir/test_retab.vim
+++ b/src/testdir/test_retab.vim
@@ -69,6 +69,8 @@ func Test_retab()
call assert_equal(" a b c ", Retab('!', 3))
call assert_equal(" a b c ", Retab('', 5))
call assert_equal(" a b c ", Retab('!', 5))
+
+ set tabstop& expandtab&
endfunc
func Test_retab_error()
@@ -78,3 +80,21 @@ func Test_retab_error()
call assert_fails('ret 10000', 'E475:')
call assert_fails('ret 80000000000000000000', 'E475:')
endfunc
+
+func Test_retab_endless()
+ new
+ call setline(1, "\t0\t")
+ let caught = 'no'
+ try
+ while 1
+ set ts=4000
+ retab 4
+ endwhile
+ catch /E1240/
+ let caught = 'yes'
+ endtry
+ bwipe!
+ set tabstop&
+endfunc
+
+" vim: shiftwidth=2 sts=2 expandtab
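Review bot: `caught` in Test_retab_endless is set to 'yes' in the `catch /E1240/` branch but never read afterwards, so the test states no expectation about how the loop ended. Adding `call assert_equal('yes', caught)` after `endtry` would make the intent explicit and stop the variable from being dead. As written, the `while 1` loop can only be left through an exception, so if the MAXCOL guard added to ex_retab() regressed, the test would hang or crash instead of reporting a failure.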
--
2.27.0


@ -1,48 +0,0 @@
From 34f8117dec685ace52cd9e578e2729db278163fc Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Wed, 16 Feb 2022 12:16:19 +0000
Subject: [PATCH] patch 8.2.4397: crash when using many composing characters in
error message
Problem: Crash when using many composing characters in error message.
Solution: Use mb_cptr2char_adv() instead of mb_ptr2char_adv().
---
src/testdir/test_assert.vim | 8 ++++++++
src/testing.c | 2 +-
2 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/src/testdir/test_assert.vim b/src/testdir/test_assert.vim
index 1b1f9e5..1e7d66f 100644
--- a/src/testdir/test_assert.vim
+++ b/src/testdir/test_assert.vim
@@ -45,6 +45,14 @@ func Test_assert_equal()
call assert_equal('XxxxxxxxxxxxxxxxxxxxxxX', 'XyyyyyyyyyyyyyyyyyyyyyyyyyX')
call assert_match("Expected 'X\\\\\\[x occurs 21 times]X' but got 'X\\\\\\[y occurs 25 times]X'", v:errors[0])
call remove(v:errors, 0)
+
+ " many composing characters are handled properly
+ call setline(1, ' ')
+ norm 100gr݀
+ call assert_equal(1, getline(1))
+ call assert_match("Expected 1 but got '.* occurs 100 times]'", v:errors[0])
+ call remove(v:errors, 0)
+ bwipe!
endfunc
func Test_assert_equalfile()
diff --git a/src/testing.c b/src/testing.c
index f879f1e..f19481f 100644
--- a/src/testing.c
+++ b/src/testing.c
@@ -99,7 +99,7 @@ ga_concat_shorten_esc(garray_T *gap, char_u *str)
{
same_len = 1;
s = p;
- c = mb_ptr2char_adv(&s);
+ c = mb_cptr2char_adv(&s);
clen = s - p;
while (*s != NUL && c == mb_ptr2char(s))
{
--
2.27.0


@ -1,85 +0,0 @@
From 5921aeb5741fc6e84c870d68c7c35b93ad0c9f87 Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Sat, 19 Feb 2022 11:20:12 +0000
Subject: [PATCH] patch 8.2.4418: crash when using special multi-byte character
Problem: Crash when using special multi-byte character.
Solution: Don't use isalpha() for an arbitrary character.
Conflict:
upstream patches:
+ call assert_fails('tc űŤŤŤ¦*', 'E344:')
openEuler patches:
+ call assert_fails('tc űŤŤŤ¦*', 'E472:')
---
src/charset.c | 6 ++++++
src/filepath.c | 2 +-
src/proto/charset.pro | 2 +-
src/testdir/test_autochdir.vim | 7 +++++++
4 files changed, 15 insertions(+), 2 deletions(-)
diff --git a/src/charset.c b/src/charset.c
index a768c17..847a01a 100644
--- a/src/charset.c
+++ b/src/charset.c
@@ -1654,6 +1654,12 @@ vim_isupper(int c)
return isupper(c);
}
+ int
+vim_isalpha(int c)
+{
+ return vim_islower(c) || vim_isupper(c);
+}
+
int
vim_toupper(int c)
{
diff --git a/src/filepath.c b/src/filepath.c
index 01d2dcb..c7f0265 100644
--- a/src/filepath.c
+++ b/src/filepath.c
@@ -3300,7 +3300,7 @@ unix_expandpath(
else if (path_end >= path + wildoff
&& (vim_strchr((char_u *)"*?[{~$", *path_end) != NULL
|| (!p_fic && (flags & EW_ICASE)
- && isalpha(PTR2CHAR(path_end)))))
+ && vim_isalpha(PTR2CHAR(path_end)))))
e = p;
if (has_mbyte)
{
diff --git a/src/proto/charset.pro b/src/proto/charset.pro
index c582a8c..2a928e3 100644
--- a/src/proto/charset.pro
+++ b/src/proto/charset.pro
@@ -47,6 +47,7 @@ int vim_isxdigit(int c);
int vim_isbdigit(int c);
int vim_islower(int c);
int vim_isupper(int c);
+int vim_isalpha(int c);
int vim_toupper(int c);
int vim_tolower(int c);
char_u *skiptowhite(char_u *p);
@@ -59,5 +60,4 @@ int hexhex2nr(char_u *p);
int rem_backslash(char_u *str);
void backslash_halve(char_u *p);
char_u *backslash_halve_save(char_u *p);
-void ebcdic2ascii(char_u *buffer, int len);
/* vim: set ft=c : */
diff --git a/src/testdir/test_autochdir.vim b/src/testdir/test_autochdir.vim
index 1473854..99fc9ae 100644
--- a/src/testdir/test_autochdir.vim
+++ b/src/testdir/test_autochdir.vim
@@ -24,3 +24,10 @@ func Test_set_filename()
call chdir(cwd)
call delete('samples/Xtest')
endfunc
+
+func Test_multibyte()
+ " using an invalid character should not cause a crash
+ set wic
+ call assert_fails('tc űŤŤŤ¦*', 'E472:')
+ set nowic
+endfunc
--
2.27.0


@ -1,51 +0,0 @@
From 4e889f98e95ac05d7c8bd3ee933ab4d47820fdfa Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Mon, 21 Feb 2022 19:36:12 +0000
Subject: [PATCH] patch 8.2.4436: crash with weird 'vartabstop' value
Problem: Crash with weird 'vartabstop' value.
Solution: Check for running into the end of the line.
---
src/indent.c | 2 ++
src/testdir/test_vartabs.vim | 14 ++++++++++++++
2 files changed, 16 insertions(+)
diff --git a/src/indent.c b/src/indent.c
index 075802c..6b8900f 100644
--- a/src/indent.c
+++ b/src/indent.c
@@ -1279,6 +1279,8 @@ change_indent(
new_cursor_col += (*mb_ptr2len)(ptr + new_cursor_col);
else
++new_cursor_col;
+ if (ptr[new_cursor_col] == NUL)
+ break;
vcol += lbr_chartabsize(ptr, ptr + new_cursor_col, (colnr_T)vcol);
}
vcol = last_vcol;
diff --git a/src/testdir/test_vartabs.vim b/src/testdir/test_vartabs.vim
index 47844fb..c2919d8 100644
--- a/src/testdir/test_vartabs.vim
+++ b/src/testdir/test_vartabs.vim
@@ -378,3 +378,17 @@ func Test_vartabs_reset()
set all&
call assert_equal('', &vts)
endfunc
+
+func Test_vartabstop_latin1()
+ let save_encoding = &encoding
+ new
+ set encoding=iso8859
+ silent norm :se 
+ set vartabstop=400
+ norm i00 
+ bwipe!
+ let &encoding = save_encoding
+endfunc
+
+
+" vim: shiftwidth=2 sts=2 expandtab
--
2.27.0


@ -1,47 +0,0 @@
From 6456fae9ba8e72c74b2c0c499eaf09974604ff30 Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Tue, 22 Feb 2022 13:37:31 +0000
Subject: [PATCH] patch 8.2.4440: crash with specific regexp pattern and string
Problem: Crash with specific regexp pattern and string.
Solution: Stop at the start of the string.
---
src/regexp_bt.c | 5 +++++
src/testdir/test_regexp_utf8.vim | 7 +++++++
2 files changed, 12 insertions(+)
diff --git a/src/regexp_bt.c b/src/regexp_bt.c
index b71b862..e017ba5 100644
--- a/src/regexp_bt.c
+++ b/src/regexp_bt.c
@@ -4431,6 +4431,11 @@ regmatch(
if (rex.input == rex.line)
{
// backup to last char of previous line
+ if (rex.lnum == 0)
+ {
+ status = RA_NOMATCH;
+ break;
+ }
--rex.lnum;
rex.line = reg_getline(rex.lnum);
// Just in case regrepeat() didn't count
diff --git a/src/testdir/test_regexp_utf8.vim b/src/testdir/test_regexp_utf8.vim
index 6d0ce59..5d1bd47 100644
--- a/src/testdir/test_regexp_utf8.vim
+++ b/src/testdir/test_regexp_utf8.vim
@@ -223,3 +223,10 @@ func Test_match_invalid_byte()
call delete('Xinvalid')
endfunc
+func Test_match_too_complicated()
+ set regexpengine=1
+ exe "vsplit \xeb\xdb\x99"
+ silent! buf \&\zs*\zs*0
+ bwipe!
+ set regexpengine=0
+endfunc
--
2.27.0


@ -1,57 +0,0 @@
From 5c68617d395f9d7b824f68475b24ce3e38d653a3 Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Sun, 13 Mar 2022 20:12:25 +0000
Subject: [PATCH] patch 8.2.4563: "z=" in Visual mode may go beyond the end of
the line
Problem: "z=" in Visual mode may go beyond the end of the line.
Solution: Adjust "badlen".
---
src/spellsuggest.c | 4 ++++
src/testdir/test_spell.vim | 15 +++++++++++++++
2 files changed, 19 insertions(+)
diff --git a/src/spellsuggest.c b/src/spellsuggest.c
index cd28798..429e292 100644
--- a/src/spellsuggest.c
+++ b/src/spellsuggest.c
@@ -501,6 +501,10 @@ spell_suggest(int count)
curwin->w_cursor.col = VIsual.col;
++badlen;
end_visual_mode();
+ // make sure we don't include the NUL at the end of the line
+ line = ml_get_curline();
+ if (badlen > STRLEN(line) - curwin->w_cursor.col)
+ badlen = STRLEN(line) - curwin->w_cursor.col;
}
// Find the start of the badly spelled word.
else if (spell_move_to(curwin, FORWARD, TRUE, TRUE, NULL) == 0
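Review bot: The clamp `if (badlen > STRLEN(line) - curwin->w_cursor.col)` is evaluated in unsigned arithmetic because STRLEN() yields a size_t. If the cursor column is ever past the end of the line, the subtraction wraps to a very large value and `badlen` is left unclamped. `badlen` is declared outside the hunk, presumably as an int. Computing the remainder once as a signed value closes that gap and avoids the second pass over the line: `int rest = (int)STRLEN(line) - (int)curwin->w_cursor.col;` followed by `if (badlen > rest) badlen = rest < 0 ? 0 : rest;`. spell_suggest() continues outside the hunk.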
diff --git a/src/testdir/test_spell.vim b/src/testdir/test_spell.vim
index de49b42..49118a9 100644
--- a/src/testdir/test_spell.vim
+++ b/src/testdir/test_spell.vim
@@ -131,6 +131,21 @@ func Test_spellreall()
bwipe!
endfunc
+func Test_spellsuggest_visual_end_of_line()
+ let enc_save = &encoding
+ set encoding=iso8859
+
+ " This was reading beyond the end of the line.
+ norm R00000000000
+ sil norm 0
+ sil! norm i00000)
+ sil! norm i00000)
+ call feedkeys("\<CR>")
+ norm z=
+
+ let &encoding = enc_save
+endfunc
+
func Test_spellinfo()
new
let runtime = substitute($VIMRUNTIME, '\\', '/', 'g')
--
2.27.0


@ -1,59 +0,0 @@
From b55986c52d4cd88a22d0b0b0e8a79547ba13e1d5 Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Tue, 29 Mar 2022 13:24:58 +0100
Subject: [PATCH] patch 8.2.4646: using buffer line after it has been freed
Problem: Using buffer line after it has been freed in old regexp engine.
Solution: After getting mark get the line again.
---
src/regexp_bt.c | 9 +++++++++
src/testdir/test_regexp_latin.vim | 7 +++++++
2 files changed, 16 insertions(+)
diff --git a/src/regexp_bt.c b/src/regexp_bt.c
index e017ba5..ff92576 100644
--- a/src/regexp_bt.c
+++ b/src/regexp_bt.c
@@ -3188,8 +3188,17 @@ regmatch(
int mark = OPERAND(scan)[0];
int cmp = OPERAND(scan)[1];
pos_T *pos;
+ size_t col = REG_MULTI ? rex.input - rex.line : 0;
pos = getmark_buf(rex.reg_buf, mark, FALSE);
+
+ // Line may have been freed, get it again.
+ if (REG_MULTI)
+ {
+ rex.line = reg_getline(rex.lnum);
+ rex.input = rex.line + col;
+ }
+
if (pos == NULL // mark doesn't exist
|| pos->lnum <= 0 // mark isn't set in reg_buf
|| (pos->lnum == rex.lnum + rex.reg_firstlnum
diff --git a/src/testdir/test_regexp_latin.vim b/src/testdir/test_regexp_latin.vim
index 5b1db5a..a242d91 100644
--- a/src/testdir/test_regexp_latin.vim
+++ b/src/testdir/test_regexp_latin.vim
@@ -152,10 +152,17 @@ endfunc
func Test_using_mark_position()
" this was using freed memory
+ " new engine
new
norm O0
call assert_fails("s/\\%')", 'E486:')
bwipe!
+
+ " old engine
+ new
+ norm O0
+ call assert_fails("s/\\%#=1\\%')", 'E486:')
+ bwipe!
endfunc
func Test_using_invalid_visual_position()
--
1.8.3.1


@ -1,58 +0,0 @@
From d88934406c5375d88f8f1b65331c9f0cab68cc6c Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Fri, 6 May 2022 20:38:47 +0100
Subject: [PATCH] patch 8.2.4895: buffer overflow with invalid command with
composing chars
Problem: Buffer overflow with invalid command with composing chars.
Solution: Check that the whole character fits in the buffer.
---
src/ex_docmd.c | 4 +++-
src/testdir/test_cmdline.vim | 11 +++++++++++
2 files changed, 14 insertions(+), 1 deletion(-)
diff --git a/src/ex_docmd.c b/src/ex_docmd.c
index dfcbf37..f142c46 100644
--- a/src/ex_docmd.c
+++ b/src/ex_docmd.c
@@ -3092,7 +3092,7 @@ append_command(char_u *cmd)
STRCAT(IObuff, ": ");
d = IObuff + STRLEN(IObuff);
- while (*s != NUL && d - IObuff < IOSIZE - 7)
+ while (*s != NUL && d - IObuff + 5 < IOSIZE)
{
if (enc_utf8 ? (s[0] == 0xc2 && s[1] == 0xa0) : *s == 0xa0)
{
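Review bot: The new loop bound `d - IObuff + 5 < IOSIZE` and the `(*mb_ptr2len)(s) + 1` test added in the next hunk express their space reservations as bare numbers, so a reader cannot tell what each one is reserving. A short comment on each would pin the invariant: `// need room for "<a0>" (4 bytes) and the terminating NUL` above the `while`, and `// the whole character, including composing bytes, plus a NUL must fit` above the `else if`. append_command() starts and ends outside both hunks.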
@@ -3100,6 +3100,8 @@ append_command(char_u *cmd)
STRCPY(d, "<a0>");
d += 4;
}
+ else if (d - IObuff + (*mb_ptr2len)(s) + 1 >= IOSIZE)
+ break;
else
MB_COPY_CHAR(s, d);
}
diff --git a/src/testdir/test_cmdline.vim b/src/testdir/test_cmdline.vim
index 5297951..41a73d2 100644
--- a/src/testdir/test_cmdline.vim
+++ b/src/testdir/test_cmdline.vim
@@ -870,4 +870,15 @@ func Test_cmdwin_cedit()
delfunc CmdWinType
endfunc
+" this was going over the end of IObuff
+func Test_report_error_with_composing()
+ let caught = 'no'
+ try
+ exe repeat('0', 987) .. "0\xdd\x80\xdd\x80\xdd\x80\xdd\x80"
+ catch /E492:/
+ let caught = 'yes'
+ endtry
+ call assert_equal('yes', caught)
+endfunc
+
" vim: shiftwidth=2 sts=2 expandtab
--
2.27.0


@ -1,53 +0,0 @@
From ef02f16609ff0a26ffc6e20263523424980898fe Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Sat, 7 May 2022 10:49:10 +0100
Subject: [PATCH] patch 8.2.4899: with latin1 encoding CTRL-W might go before
the cmdline
Problem: With latin1 encoding CTRL-W might go before the start of the
command line.
Solution: Check already being at the start of the command line.
---
src/ex_getln.c | 11 +++++++----
src/testdir/test_cmdline.vim | 3 +++
2 files changed, 10 insertions(+), 4 deletions(-)
diff --git a/src/ex_getln.c b/src/ex_getln.c
index 68b4757..771a9cd 100644
--- a/src/ex_getln.c
+++ b/src/ex_getln.c
@@ -1583,10 +1583,13 @@ getcmdline_int(
{
while (p > ccline.cmdbuff && vim_isspace(p[-1]))
--p;
- i = vim_iswordc(p[-1]);
- while (p > ccline.cmdbuff && !vim_isspace(p[-1])
- && vim_iswordc(p[-1]) == i)
- --p;
+ if (p > ccline.cmdbuff)
+ {
+ i = vim_iswordc(p[-1]);
+ while (p > ccline.cmdbuff && !vim_isspace(p[-1])
+ && vim_iswordc(p[-1]) == i)
+ --p;
+ }
}
else
--p;
diff --git a/src/testdir/test_cmdline.vim b/src/testdir/test_cmdline.vim
index cbf7986..1ccdbe2 100644
--- a/src/testdir/test_cmdline.vim
+++ b/src/testdir/test_cmdline.vim
@@ -476,6 +476,9 @@ func Test_cmdline_remove_char()
call feedkeys(":abc def\<S-Left>\<C-U>\<C-B>\"\<CR>", 'tx')
call assert_equal('"def', @:, e)
+
+ " This was going before the start in latin1.
+ call feedkeys(": \<C-W>\<CR>", 'tx')
endfor
let &encoding = encoding_save
--
1.8.3.1


@ -1,45 +0,0 @@
From 8e4b76da1d7e987d43ca960dfbc372d1c617466f Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Sat, 7 May 2022 11:28:06 +0100
Subject: [PATCH] patch 8.2.4901: NULL pointer access when using invalid
pattern
Problem: NULL pointer access when using invalid pattern.
Solution: Check for failed regexp program.
---
src/buffer.c | 2 +-
src/testdir/test_buffer.vim | 7 +++++++
2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/src/buffer.c b/src/buffer.c
index 5801bce..758d920 100644
--- a/src/buffer.c
+++ b/src/buffer.c
@@ -2830,7 +2830,7 @@ fname_match(
rmp->rm_ic = p_fic || ignore_case;
if (vim_regexec(rmp, name, (colnr_T)0))
match = name;
- else
+ else if (rmp->regprog != NULL)
{
// Replace $(HOME) with '~' and try matching again.
p = home_replace_save(NULL, name);
diff --git a/src/testdir/test_buffer.vim b/src/testdir/test_buffer.vim
index dc35bb4..8300f3d 100644
--- a/src/testdir/test_buffer.vim
+++ b/src/testdir/test_buffer.vim
@@ -63,4 +63,11 @@ func Test_bunload_with_offset()
call delete('b4')
endfunc
+" this was using a NULL pointer after failing to use the pattern
+func Test_buf_pattern_invalid()
+ vsplit 0000000
+ silent! buf [0--]\&\zs*\zs*e
+ bwipe!
+endfunc
+
" vim: shiftwidth=2 sts=2 expandtab
--
1.8.3.1


@ -1,85 +0,0 @@
From 7c824682d2028432ee082703ef0ab399867a089b Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Sun, 8 May 2022 22:32:58 +0100
Subject: [PATCH] patch 8.2.4919: can add invalid bytes with :spellgood
Problem: Can add invalid bytes with :spellgood.
Solution: Check for a valid word string.
---
src/globals.h | 5 +++++
src/mbyte.c | 2 +-
src/spellfile.c | 10 ++++++++++
src/testdir/test_spellfile.vim | 6 ++++++
4 files changed, 22 insertions(+), 1 deletion(-)
diff --git a/src/globals.h b/src/globals.h
index 7be3bfd..086d04e 100644
--- a/src/globals.h
+++ b/src/globals.h
@@ -1745,3 +1745,8 @@ EXTERN int did_repeated_msg INIT(= 0);
# define REPEATED_MSG_LOOKING 1
# define REPEATED_MSG_SAFESTATE 2
#endif
+
+#ifdef FEAT_SPELL
+EXTERN char e_illegal_character_in_word[]
+ INIT(= N_("E1280: Illegal character in word"));
+#endif
diff --git a/src/mbyte.c b/src/mbyte.c
index 5dd2562..28c5e85 100644
--- a/src/mbyte.c
+++ b/src/mbyte.c
@@ -4045,7 +4045,7 @@ theend:
convert_setup(&vimconv, NULL, NULL);
}
-#if defined(FEAT_GUI_GTK) || defined(PROTO)
+#if defined(FEAT_GUI_GTK) || defined(FEAT_SPELL) || defined(PROTO)
/*
* Return TRUE if string "s" is a valid utf-8 string.
* When "end" is NULL stop at the first NUL.
diff --git a/src/spellfile.c b/src/spellfile.c
index b9451ec..5171572 100644
--- a/src/spellfile.c
+++ b/src/spellfile.c
@@ -4366,6 +4366,10 @@ store_word(
int res = OK;
char_u *p;
+ // Avoid adding illegal bytes to the word tree.
+ if (enc_utf8 && !utf_valid_string(word, NULL))
+ return FAIL;
+
(void)spell_casefold(word, len, foldword, MAXWLEN);
for (p = pfxlist; res == OK; ++p)
{
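Review bot: The validity check added to store_word() scans `word` up to its first NUL (`utf_valid_string(word, NULL)`), while the very next call folds exactly `len` bytes (`spell_casefold(word, len, ...)`). The bytes validated and the bytes stored therefore coincide only when `word` is NUL-terminated at `len`, and whether every caller guarantees that is not visible in this hunk. Bounding the check to the same range, `if (enc_utf8 && !utf_valid_string(word, word + len))`, keeps the two in step. The same applies to the check added to spell_add_word() in the next hunk, if that function also receives a length. store_word() continues outside the hunk.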
@@ -6167,6 +6171,12 @@ spell_add_word(
int i;
char_u *spf;
+ if (enc_utf8 && !utf_valid_string(word, NULL))
+ {
+ emsg(_(e_illegal_character_in_word));
+ return;
+ }
+
if (idx == 0) // use internal wordlist
{
if (int_wordlist == NULL)
diff --git a/src/testdir/test_spellfile.vim b/src/testdir/test_spellfile.vim
index 53eca84..1382c02 100644
--- a/src/testdir/test_spellfile.vim
+++ b/src/testdir/test_spellfile.vim
@@ -170,3 +170,9 @@ func Test_spell_normal()
set spellfile=
bw!
endfunc
+
+" Invalid bytes may cause trouble when creating the word list.
+func Test_check_for_valid_word()
+ call assert_fails("spellgood! 0^B\xac", 'E1280:')
+endfunc
+
--
1.8.3.1


@ -1,56 +0,0 @@
From 53a70289c2712808e6d4e88927e03cac01b470dd Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Mon, 9 May 2022 13:15:07 +0100
Subject: [PATCH] patch 8.2.4925: trailing backslash may cause reading past end
of line
Problem: Trailing backslash may cause reading past end of line.
Solution: Check for NUL after backslash.
---
src/search.c | 4 ++++
src/testdir/test_textobjects.vim | 10 +++++++++-
2 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/src/search.c b/src/search.c
index 1a5dc1a..75f0c59 100644
--- a/src/search.c
+++ b/src/search.c
@@ -4457,7 +4457,11 @@ find_next_quote(
if (c == NUL)
return -1;
else if (escape != NULL && vim_strchr(escape, c))
+ {
++col;
+ if (line[col] == NUL)
+ return -1;
+ }
else if (c == quotechar)
break;
if (has_mbyte)
diff --git a/src/testdir/test_textobjects.vim b/src/testdir/test_textobjects.vim
index 49fc9c8..3fc0283 100644
--- a/src/testdir/test_textobjects.vim
+++ b/src/testdir/test_textobjects.vim
@@ -154,10 +154,18 @@ func Test_string_html_objects()
call assert_equal('-<b></b>', getline('.'), e)
set quoteescape&
+
+ " this was going beyond the end of the line
+ %del
+ sil! norm i"\
+ sil! norm i"\
+ sil! norm i"\
+ call assert_equal('"\', getline(1))
+
+ bwipe!
endfor
set enc=utf-8
- bwipe!
endfunc
func Test_empty_html_tag()
--
1.8.3.1


@ -1,44 +0,0 @@
From a59f2dfd0cf9ee1a584d3de5b7c2d47648e79060 Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Wed, 11 May 2022 11:42:28 +0100
Subject: [PATCH] patch 8.2.4938: crash when matching buffer with invalid
pattern
Problem: Crash when matching buffer with invalid pattern.
Solution: Check for NULL regprog.
---
src/buffer.c | 2 +-
src/testdir/test_buffer.vim | 4 ++++
2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/src/buffer.c b/src/buffer.c
index 758d920..88094ee 100644
--- a/src/buffer.c
+++ b/src/buffer.c
@@ -2805,7 +2805,7 @@ buflist_match(
// First try the short file name, then the long file name.
match = fname_match(rmp, buf->b_sfname, ignore_case);
- if (match == NULL)
+ if (match == NULL && rmp->regprog != NULL)
match = fname_match(rmp, buf->b_ffname, ignore_case);
return match;
diff --git a/src/testdir/test_buffer.vim b/src/testdir/test_buffer.vim
index 8300f3d..6039ff8 100644
--- a/src/testdir/test_buffer.vim
+++ b/src/testdir/test_buffer.vim
@@ -68,6 +68,10 @@ func Test_buf_pattern_invalid()
vsplit 0000000
silent! buf [0--]\&\zs*\zs*e
bwipe!
+
+ vsplit 00000000000000000000000000
+ silent! buf [0--]\&\zs*\zs*e
+ bwipe!
endfunc
" vim: shiftwidth=2 sts=2 expandtab
--
1.8.3.1


@ -1,66 +0,0 @@
From 395bd1f6d3edc9f7edb5d1f2d7deaf5a9e3ab93c Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Sat, 14 May 2022 21:29:44 +0100
Subject: [PATCH] patch 8.2.4956: reading past end of line with "gf" in Visual
block mode
Problem: Reading past end of line with "gf" in Visual block mode.
Solution: Do not include the NUL in the length.
---
src/normal.c | 13 ++++++++++---
src/testdir/test_gf.vim | 15 +++++++++++++++
2 files changed, 25 insertions(+), 3 deletions(-)
diff --git a/src/normal.c b/src/normal.c
index d33a56a..898c836 100644
--- a/src/normal.c
+++ b/src/normal.c
@@ -3791,9 +3791,16 @@ get_visual_text(
}
if (**pp == NUL)
*lenp = 0;
- if (has_mbyte && *lenp > 0)
- // Correct the length to include all bytes of the last character.
- *lenp += (*mb_ptr2len)(*pp + (*lenp - 1)) - 1;
+ if (*lenp > 0)
+ {
+ if (has_mbyte)
+ // Correct the length to include all bytes of the last
+ // character.
+ *lenp += (*mb_ptr2len)(*pp + (*lenp - 1)) - 1;
+ else if ((*pp)[*lenp - 1] == NUL)
+ // Do not include a trailing NUL.
+ *lenp -= 1;
+ }
}
reset_VIsual_and_resel();
return OK;
diff --git a/src/testdir/test_gf.vim b/src/testdir/test_gf.vim
index d301874..596f3e8 100644
--- a/src/testdir/test_gf.vim
+++ b/src/testdir/test_gf.vim
@@ -106,6 +106,21 @@ func Test_gf_visual()
call setline(1, 'XXXtest_gf_visualXXX')
set hidden
+ " do not include the NUL at the end
+ call writefile(['x'], 'X')
+ let save_enc = &enc
+ for enc in ['latin1', 'utf-8']
+ exe "set enc=" .. enc
+ new
+ call setline(1, 'X')
+ set nomodified
+ exe "normal \<C-V>$gf"
+ call assert_equal('X', bufname())
+ bwipe!
+ endfor
+ let &enc = save_enc
+ call delete('X')
+
" Visually select Xtest_gf_visual and use gf to go to that file
norm! ttvtXgf
call assert_equal('Xtest_gf_visual', bufname('%'))
--
1.8.3.1


@ -1,119 +0,0 @@
From b62dc5e7825bc195efe3041d5b3a9f1528359e1c Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Sun, 15 May 2022 14:50:12 +0100
Subject: [PATCH] patch 8.2.4959: using NULL regexp program
Problem: Using NULL regexp program.
Solution: Check for regexp program becoming NULL in more places.
---
src/buffer.c | 32 +++++++++++++++++++-------------
src/testdir/test_buffer.vim | 6 ++++++
2 files changed, 25 insertions(+), 13 deletions(-)
diff --git a/src/buffer.c b/src/buffer.c
index 8fabbdb..f66c234 100644
--- a/src/buffer.c
+++ b/src/buffer.c
@@ -2583,13 +2583,15 @@ buflist_findpat(
if (*p == '^' && !(attempt & 1)) // add/remove '^'
++p;
regmatch.regprog = vim_regcomp(p, p_magic ? RE_MAGIC : 0);
- if (regmatch.regprog == NULL)
- {
- vim_free(pat);
- return -1;
- }
for (buf = lastbuf; buf != NULL; buf = buf->b_prev)
+ {
+ if (regmatch.regprog == NULL)
+ {
+ // invalid pattern, possibly after switching engine
+ vim_free(pat);
+ return -1;
+ }
if (buf->b_p_bl == find_listed
#ifdef FEAT_DIFF
&& (!diffmode || diff_mode_buf(buf))
@@ -2615,6 +2617,7 @@ buflist_findpat(
}
match = buf->b_fnum; // remember first match
}
+ }
vim_regfree(regmatch.regprog);
if (match >= 0) // found one match
@@ -2693,12 +2696,6 @@ ExpandBufnames(
if (attempt > 0 && patc == pat)
break; // there was no anchor, no need to try again
regmatch.regprog = vim_regcomp(patc + attempt * 11, RE_MAGIC);
- if (regmatch.regprog == NULL)
- {
- if (patc != pat)
- vim_free(patc);
- return FAIL;
- }
/*
* round == 1: Count the matches.
@@ -2711,6 +2708,12 @@ ExpandBufnames(
{
if (!buf->b_p_bl) // skip unlisted buffers
continue;
+ if (regmatch.regprog == NULL)
+ {
+ if (patc != pat)
+ vim_free(patc);
+ return FAIL;
+ }
p = buflist_match(&regmatch, buf, p_wic);
if (p != NULL)
{
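Review bot: The relocated `return FAIL` now sits inside the per-buffer loop, which the comment just above (`round == 1: Count the matches.`) suggests runs once per round. If a later round is the one that allocates and fills the result array (that code is outside the hunk), leaving from here frees only `patc` and would leak whatever has been stored so far. This is worth confirming against the full function; if it holds, the partially built result should be released on this path before returning. A comment such as `// invalid pattern, possibly after switching engine`, as used in buflist_findpat() in the same patch, would also explain why the check sits inside the loop.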
@@ -2789,6 +2792,7 @@ ExpandBufnames(
/*
* Check for a match on the file name for buffer "buf" with regprog "prog".
+ * Note that rmp->regprog may become NULL when switching regexp engine.
*/
static char_u *
buflist_match(
@@ -2807,7 +2811,8 @@ buflist_match(
}
/*
- * Try matching the regexp in "prog" with file name "name".
+ * Try matching the regexp in "rmp->regprog" with file name "name".
+ * Note that rmp->regprog may become NULL when switching regexp engine.
* Return "name" when there is a match, NULL when not.
*/
static char_u *
@@ -2819,7 +2824,8 @@ fname_match(
char_u *match = NULL;
char_u *p;
- if (name != NULL)
+ // extra check for valid arguments
+ if (name != NULL && rmp->regprog != NULL)
{
// Ignore case when 'fileignorecase' or the argument is set.
rmp->rm_ic = p_fic || ignore_case;
diff --git a/src/testdir/test_buffer.vim b/src/testdir/test_buffer.vim
index 6039ff8..cef0213 100644
--- a/src/testdir/test_buffer.vim
+++ b/src/testdir/test_buffer.vim
@@ -72,6 +72,12 @@ func Test_buf_pattern_invalid()
vsplit 00000000000000000000000000
silent! buf [0--]\&\zs*\zs*e
bwipe!
+
+ " similar case with different code path
+ split 0
+ edit ÿ
+ silent! buf [0--]\&\zs*\zs*0
+ bwipe!
endfunc
" vim: shiftwidth=2 sts=2 expandtab
--
2.27.0


@ -1,44 +0,0 @@
From 60ae0e71490c97f2871a6344aca61cacf220f813 Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Mon, 16 May 2022 18:06:15 +0100
Subject: [PATCH] patch 8.2.4968: reading past end of the line when C-indenting
Problem: Reading past end of the line when C-indenting.
Solution: Check for NUL.
---
src/cindent.c | 2 +-
src/testdir/test_cindent.vim | 7 +++++++
2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/src/cindent.c b/src/cindent.c
index 28d1558..1b2763f 100644
--- a/src/cindent.c
+++ b/src/cindent.c
@@ -91,7 +91,7 @@ skip_string(char_u *p)
while (vim_isdigit(p[i - 1])) // '\000'
++i;
}
- if (p[i] == '\'') // check for trailing '
+ if (p[i - 1] != NUL && p[i] == '\'') // check for trailing '
{
p += i;
continue;
diff --git a/src/testdir/test_cindent.vim b/src/testdir/test_cindent.vim
index 2a87460..3b2200a 100644
--- a/src/testdir/test_cindent.vim
+++ b/src/testdir/test_cindent.vim
@@ -5263,4 +5263,11 @@ func Test_find_brace_backwards()
endfunc
+" This was reading past the end of the line
+func Test_cindent_check_funcdecl()
+ new
+ sil norm o0('\0=L
+ bwipe!
+endfunc
+
" vim: shiftwidth=2 sts=2 expandtab
--
1.8.3.1


@ -1,122 +0,0 @@
From 7ce5b2b590256ce53d6af28c1d203fb3bc1d2d97 Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Mon, 16 May 2022 19:40:59 +0100
Subject: [PATCH] patch 8.2.4969: changing text in Visual mode may cause
invalid memory access
Problem: Changing text in Visual mode may cause invalid memory access.
Solution: Check the Visual position after making a change.
---
src/change.c | 3 +++
src/edit.c | 12 ++----------
src/misc2.c | 25 +++++++++++++++++++++++++
src/proto/misc2.pro | 1 +
src/testdir/test_visual.vim | 10 ++++++++++
5 files changed, 41 insertions(+), 10 deletions(-)
diff --git a/src/change.c b/src/change.c
index f2dfc93..a5ebbdf 100644
--- a/src/change.c
+++ b/src/change.c
@@ -523,6 +523,9 @@ changed_common(
#endif
}
+ if (VIsual_active)
+ check_visual_pos();
+
FOR_ALL_TAB_WINDOWS(tp, wp)
{
if (wp->w_buffer == curbuf)
diff --git a/src/edit.c b/src/edit.c
index f77cc05..0dd6b93 100644
--- a/src/edit.c
+++ b/src/edit.c
@@ -3101,16 +3101,8 @@ stop_insert(
// <C-S-Right> may have started Visual mode, adjust the position for
// deleted characters.
- if (VIsual_active && VIsual.lnum == curwin->w_cursor.lnum)
- {
- int len = (int)STRLEN(ml_get_curline());
-
- if (VIsual.col > len)
- {
- VIsual.col = len;
- VIsual.coladd = 0;
- }
- }
+ if (VIsual_active)
+ check_visual_pos();
}
}
did_ai = FALSE;
diff --git a/src/misc2.c b/src/misc2.c
index 80731f0..51244da 100644
--- a/src/misc2.c
+++ b/src/misc2.c
@@ -618,6 +618,31 @@ check_cursor(void)
check_cursor_col();
}
+/*
+ * Check if VIsual position is valid, correct it if not.
+ * Can be called when in Visual mode and a change has been made.
+ */
+ void
+check_visual_pos(void)
+{
+ if (VIsual.lnum > curbuf->b_ml.ml_line_count)
+ {
+ VIsual.lnum = curbuf->b_ml.ml_line_count;
+ VIsual.col = 0;
+ VIsual.coladd = 0;
+ }
+ else
+ {
+ int len = (int)STRLEN(ml_get(VIsual.lnum));
+
+ if (VIsual.col > len)
+ {
+ VIsual.col = len;
+ VIsual.coladd = 0;
+ }
+ }
+}
+
#if defined(FEAT_TEXTOBJ) || defined(PROTO)
/*
* Make sure curwin->w_cursor is not on the NUL at the end of the line.
diff --git a/src/proto/misc2.pro b/src/proto/misc2.pro
index a52b462..6e6e22d 100644
--- a/src/proto/misc2.pro
+++ b/src/proto/misc2.pro
@@ -17,6 +17,7 @@ void check_cursor_lnum(void);
void check_cursor_col(void);
void check_cursor_col_win(win_T *win);
void check_cursor(void);
+void check_visual_pos(void);
void adjust_cursor_col(void);
int leftcol_changed(void);
void vim_mem_profile_dump(void);
diff --git a/src/testdir/test_visual.vim b/src/testdir/test_visual.vim
index 4f8f056..d21f8f1 100644
--- a/src/testdir/test_visual.vim
+++ b/src/testdir/test_visual.vim
@@ -956,3 +956,13 @@ func Test_visual_block_insert_round_off()
bwipe!
endfunc
+func Test_visual_block_with_substitute()
+ " this was reading beyond the end of the line
+ new
+ norm a0)
+ sil! norm  O
+ s/)
+ sil! norm 
+ bwipe!
+endfunc
+
--
1.8.3.1


@ -1,96 +0,0 @@
From 51f0bfb88a3554ca2dde777d78a59880d1ee37a8 Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Tue, 17 May 2022 20:11:02 +0100
Subject: [PATCH] patch 8.2.4975: recursive command line loop may cause a crash
Problem: Recursive command line loop may cause a crash.
Solution: Limit recursion of getcmdline().
Reference:https://github.com/vim/vim/commit/51f0bfb88a3554ca2dde777d78a59880d1ee37a8
Conflict:(1)The src/version.c file is not modified
(2)add e_command_too_recursive in src/globals.h
---
src/ex_getln.c | 12 ++++++++++++
src/globals.h | 3 +++
src/testdir/test_cmdline.vim | 11 +++++++++++
3 files changed, 26 insertions(+)
diff --git a/src/ex_getln.c b/src/ex_getln.c
index 7571ae2..aa01f80 100644
--- a/src/ex_getln.c
+++ b/src/ex_getln.c
@@ -791,6 +791,7 @@ getcmdline_int(
int indent, // indent for inside conditionals
int init_ccline) // clear ccline first
{
+ static int depth = 0; // call depth
int c;
int i;
int j;
@@ -820,6 +821,9 @@ getcmdline_int(
int did_save_ccline = FALSE;
int cmdline_type;
+ // one recursion level deeper
+ ++depth;
+
if (ccline.cmdbuff != NULL)
{
// Being called recursively. Since ccline is global, we need to save
@@ -873,6 +877,13 @@ getcmdline_int(
ccline.cmdlen = indent;
}
+ if (depth == 50)
+ {
+ // Somehow got into a loop recursively calling getcmdline(), bail out.
+ emsg(_(e_command_too_recursive));
+ goto theend;
+ }
+
ExpandInit(&xpc);
ccline.xpc = &xpc;
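Review bot: The recursion guard `if (depth == 50)` matches an unnamed limit exactly, so it only works while `depth` stays perfectly balanced. The matching `--depth` sits under `theend:` in a later hunk. Any exit from getcmdline_int() after `++depth` that does not pass through that label would leave the static counter too high for the rest of the session; most of the function body is outside these hunks, so this cannot be ruled out here. Prefer `if (depth >= 50)` and give the limit a name with a short comment on why 50 was chosen.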
@@ -2425,6 +2436,7 @@ theend:
{
char_u *p = ccline.cmdbuff;
+ --depth;
if (did_save_ccline)
restore_cmdline(&save_ccline);
else
diff --git a/src/globals.h b/src/globals.h
index 54f68b3..01ebbb8 100644
--- a/src/globals.h
+++ b/src/globals.h
@@ -1755,3 +1755,6 @@ EXTERN int did_repeated_msg INIT(= 0);
EXTERN char e_illegal_character_in_word[]
INIT(= N_("E1280: Illegal character in word"));
#endif
+
+EXTERN char e_command_too_recursive[]
+ INIT(= N_("E169: Command too recursive"));
diff --git a/src/testdir/test_cmdline.vim b/src/testdir/test_cmdline.vim
index c55ee0b..4665c75 100644
--- a/src/testdir/test_cmdline.vim
+++ b/src/testdir/test_cmdline.vim
@@ -913,5 +913,16 @@ func Test_zero_line_search()
q!
endfunc
+func Test_recursive_register()
+ let @= = ''
+ silent! ?e/
+ let caught = 'no'
+ try
+ normal //
+ catch /E169:/
+ let caught = 'yes'
+ endtry
+ call assert_equal('yes', caught)
+endfunc
" vim: shiftwidth=2 sts=2 expandtab
--
2.27.0


@ -1,76 +0,0 @@
From e2bd8600b873d2cd1f9d667c28cba8b1dba18839 Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Wed, 18 May 2022 13:11:57 +0100
Subject: [PATCH] patch 8.2.4977: memory access error when substitute
expression changes window
Problem: Memory access error when substitute expression changes window.
Solution: Disallow changing window in substitute expression.
---
src/ex_cmds.c | 11 +++++++++++
src/testdir/test_substitute.vim | 14 ++++++++++++++
2 files changed, 25 insertions(+)
diff --git a/src/ex_cmds.c b/src/ex_cmds.c
index aa97b40..0a22f59 100644
--- a/src/ex_cmds.c
+++ b/src/ex_cmds.c
@@ -4289,12 +4289,17 @@ do_sub(exarg_T *eap)
// Save flags for recursion. They can change for e.g.
// :s/^/\=execute("s#^##gn")
subflags_save = subflags;
+
+ // Disallow changing text or switching window in an expression.
+ ++textwinlock;
#endif
// get length of substitution part
sublen = vim_regsub_multi(&regmatch,
sub_firstlnum - regmatch.startpos[0].lnum,
sub, sub_firstline, FALSE, p_magic, TRUE);
#ifdef FEAT_EVAL
+ --textwinlock;
+
// If getting the substitute string caused an error, don't do
// the replacement.
// Don't keep flags set by a recursive call.
@@ -4395,9 +4400,15 @@ do_sub(exarg_T *eap)
mch_memmove(new_end, sub_firstline + copycol, (size_t)copy_len);
new_end += copy_len;
+#ifdef FEAT_EVAL
+ ++textwinlock;
+#endif
(void)vim_regsub_multi(&regmatch,
sub_firstlnum - regmatch.startpos[0].lnum,
sub, new_end, TRUE, p_magic, TRUE);
+#ifdef FEAT_EVAL
+ --textwinlock;
+#endif
sub_nsubs++;
did_sub = TRUE;
diff --git a/src/testdir/test_substitute.vim b/src/testdir/test_substitute.vim
index 3e6bc5c..bda96f6 100644
--- a/src/testdir/test_substitute.vim
+++ b/src/testdir/test_substitute.vim
@@ -761,3 +761,17 @@ func Test_using_old_sub()
bwipe!
set nocompatible
endfunc
+
+" This was switching windows in between computing the length and using it.
+func Test_sub_change_window()
+ silent! lfile
+ sil! norm o0000000000000000000000000000000000000000000000000000
+ func Repl()
+ lopen
+ endfunc
+ silent! s/\%')/\=Repl()
+ bwipe!
+ bwipe!
+ delfunc Repl
+endfunc
+
--
1.8.3.1


@ -1,54 +0,0 @@
From 28d032cc688ccfda18c5bbcab8b50aba6e18cde5 Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Wed, 18 May 2022 16:29:08 +0100
Subject: [PATCH] patch 8.2.4979: accessing freed memory when line is flushed
Problem: Accessing freed memory when line is flushed.
Solution: Make a copy of the pattern to search for.
---
src/testdir/test_tagjump.vim | 9 +++++++++
src/window.c | 7 +++++++
2 files changed, 16 insertions(+)
diff --git a/src/testdir/test_tagjump.vim b/src/testdir/test_tagjump.vim
index 14ba1f7..24df68f 100644
--- a/src/testdir/test_tagjump.vim
+++ b/src/testdir/test_tagjump.vim
@@ -556,4 +556,13 @@ func Test_tagline()
set tags&
endfunc
+func Test_define_search()
+ " this was accessing freed memory
+ new
+ call setline(1, ['first line', '', '#define something 0'])
+ sil norm o0
+ sil! norm 
+ bwipe!
+endfunc
+
" vim: shiftwidth=2 sts=2 expandtab
diff --git a/src/window.c b/src/window.c
index bb17167..ee2a374 100644
--- a/src/window.c
+++ b/src/window.c
@@ -554,9 +554,16 @@ wingotofile:
CHECK_CMDWIN;
if ((len = find_ident_under_cursor(&ptr, FIND_IDENT)) == 0)
break;
+
+ // Make a copy, if the line was changed it will be freed.
+ ptr = vim_strnsave(ptr, len);
+ if (ptr == NULL)
+ break;
+
find_pattern_in_path(ptr, 0, len, TRUE,
Prenum == 0 ? TRUE : FALSE, type,
Prenum1, ACTION_SPLIT, (linenr_T)1, (linenr_T)MAXLNUM);
+ vim_free(ptr);
curwin->w_set_curswant = TRUE;
break;
#endif
--
1.8.3.1


@ -1,54 +0,0 @@
From 78d52883e10d71f23ab72a3d8b9733b00da8c9ad Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Tue, 24 May 2022 13:57:54 +0100
Subject: [PATCH] patch 8.2.5013: after text formatting cursor may be in an
invalid position
Problem: After text formatting the cursor may be in an invalid position.
Solution: Correct the cursor position after formatting.
Reference:https://github.com/vim/vim/commit/78d52883e10d71f23ab72a3d8b9733b00da8c9ad
Conflict: delete src/version.c and change src/ops.c file
---
src/ops.c | 3 +++
src/testdir/test_textformat.vim | 12 ++++++++++++
2 files changed, 15 insertions(+)
diff --git a/src/ops.c b/src/ops.c
index a79ef92..2a64db0 100644
--- a/src/ops.c
+++ b/src/ops.c
@@ -2296,6 +2296,9 @@ op_format(
{
curwin->w_cursor = saved_cursor;
saved_cursor.lnum = 0;
+
+ // formatting may have made the cursor position invalid
+ check_cursor();
}
if (oap->is_VIsual)
diff --git a/src/testdir/test_textformat.vim b/src/testdir/test_textformat.vim
index 3a0552b..5e1d335 100644
--- a/src/testdir/test_textformat.vim
+++ b/src/testdir/test_textformat.vim
@@ -509,3 +509,15 @@ func Test_crash_github_issue_5095()
augroup END
augroup! testing
endfunc
+
+" This was leaving the cursor after the end of a line. Complicated way to
+" have the problem show up with valgrind.
+func Test_correct_cursor_position()
+ set encoding=iso8859
+ new
+ norm a000“0
+ sil! norm gggg0i0gw0gg
+
+ bwipe!
+ set encoding=utf8
+endfunc
--
2.27.0


@ -1,52 +0,0 @@
From 2a585c85013be22f59f184d49612074fd9b115d7 Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Wed, 25 May 2022 15:15:38 +0100
Subject: [PATCH] patch 8.2.5016: access before start of text with a put
command
Problem: Access before start of text with a put command.
Solution: Check the length is more than zero.
---
src/register.c | 7 +++++--
src/testdir/test_put.vim | 9 +++++++++
2 files changed, 14 insertions(+), 2 deletions(-)
diff --git a/src/register.c b/src/register.c
index 7f77ada..87689f7 100644
--- a/src/register.c
+++ b/src/register.c
@@ -2078,9 +2078,12 @@ error:
len = STRLEN(y_array[y_size - 1]);
col = (colnr_T)len - lendiff;
if (col > 1)
- curbuf->b_op_end.col = col - 1
- - mb_head_off(y_array[y_size - 1],
+ {
+ curbuf->b_op_end.col = col - 1;
+ if (len > 0)
+ curbuf->b_op_end.col -= mb_head_off(y_array[y_size - 1],
y_array[y_size - 1] + len - 1);
+ }
else
curbuf->b_op_end.col = 0;
diff --git a/src/testdir/test_put.vim b/src/testdir/test_put.vim
index 07f6387..6df04cf 100644
--- a/src/testdir/test_put.vim
+++ b/src/testdir/test_put.vim
@@ -143,3 +143,12 @@ func Test_multibyte_op_end_mark()
bwipe!
endfunc
+" this was putting a mark before the start of a line
+func Test_put_empty_register()
+ new
+ norm yy
+ norm [Pi00ggv)s0
+ sil! norm [P
+ bwipe!
+endfunc
+
--
1.8.3.1


@ -1,139 +0,0 @@
From 338f1fc0ee3ca929387448fe464579d6113fa76a Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Thu, 26 May 2022 15:56:23 +0100
Subject: [PATCH] patch 8.2.5023: substitute overwrites allocated buffer
Problem: Substitute overwrites allocated buffer.
Solution: Disallow undo when in a substitute command.
---
src/normal.c | 42 ++++++++++++++++++++---------------------
src/testdir/test_substitute.vim | 23 ++++++++++++++++++++++
src/undo.c | 6 ++++++
3 files changed, 50 insertions(+), 21 deletions(-)
diff --git a/src/normal.c b/src/normal.c
index f122627..d33a56a 100644
--- a/src/normal.c
+++ b/src/normal.c
@@ -161,6 +161,22 @@ typedef void (*nv_func_T)(cmdarg_T *cap);
*/
/*
+ * If currently editing a cmdline or text is locked: beep and give an error
+ * message, return TRUE.
+ */
+ static int
+check_text_locked(oparg_T *oap)
+{
+ if (text_locked())
+ {
+ clearopbeep(oap);
+ text_locked_msg();
+ return TRUE;
+ }
+ return FALSE;
+}
+
+/*
* This table contains one entry for every Normal or Visual mode command.
* The order doesn't matter, init_normal_cmds() will create a sorted index.
* It is faster when all keys from zero to '~' are present.
@@ -738,14 +754,9 @@ getcount:
goto normal_end;
}
- if (text_locked() && (nv_cmds[idx].cmd_flags & NV_NCW))
- {
- // This command is not allowed while editing a cmdline: beep.
- clearopbeep(oap);
- text_locked_msg();
- goto normal_end;
- }
- if ((nv_cmds[idx].cmd_flags & NV_NCW) && curbuf_locked())
+ if ((nv_cmds[idx].cmd_flags & NV_NCW)
+ && (check_text_locked(oap) || curbuf_locked()))
+ // this command is not allowed now
goto normal_end;
/*
@@ -4155,12 +4166,8 @@ nv_gotofile(cmdarg_T *cap)
char_u *ptr;
linenr_T lnum = -1;
- if (text_locked())
- {
- clearopbeep(cap->oap);
- text_locked_msg();
+ if (check_text_locked(cap->oap))
return;
- }
if (curbuf_locked())
{
clearop(cap->oap);
@@ -6288,14 +6295,7 @@ nv_g_cmd(cmdarg_T *cap)
// "gQ": improved Ex mode
case 'Q':
- if (text_locked())
- {
- clearopbeep(cap->oap);
- text_locked_msg();
- break;
- }
-
- if (!checkclearopq(oap))
+ if (!check_text_locked(cap->oap) && !checkclearopq(oap))
do_exmode(TRUE);
break;
diff --git a/src/testdir/test_substitute.vim b/src/testdir/test_substitute.vim
index 2404b32..be7aaa8 100644
--- a/src/testdir/test_substitute.vim
+++ b/src/testdir/test_substitute.vim
@@ -800,3 +800,26 @@ func Test_sub_open_cmdline_win()
call delete('Xscript')
call delete('Xresult')
endfunc
+
+" This was undoign a change in between computing the length and using it.
+func Do_Test_sub_undo_change()
+ new
+ norm o0000000000000000000000000000000000000000000000000000
+ silent! s/\%')/\=Repl()
+ bwipe!
+endfunc
+
+func Test_sub_undo_change()
+ func Repl()
+ silent! norm g-
+ endfunc
+ call Do_Test_sub_undo_change()
+
+ func! Repl()
+ silent earlier
+ endfunc
+ call Do_Test_sub_undo_change()
+
+ delfunc Repl
+endfunc
+
diff --git a/src/undo.c b/src/undo.c
index 3dcf277..b3a91b5 100644
--- a/src/undo.c
+++ b/src/undo.c
@@ -2283,6 +2283,12 @@ undo_time(
int above = FALSE;
int did_undo = TRUE;
+ if (text_locked())
+ {
+ text_locked_msg();
+ return;
+ }
+
// First make sure the current undoable change is synced.
if (curbuf->b_u_synced == FALSE)
u_sync(TRUE);
--
1.8.3.1


@ -1,57 +0,0 @@
From e2fa213cf571041dbd04ab0329303ffdc980678a Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Thu, 26 May 2022 16:32:44 +0100
Subject: [PATCH] patch 8.2.5024: using freed memory with "]d"
Problem: Using freed memory with "]d".
Solution: Copy the pattern before searching.
---
src/normal.c | 6 ++++++
src/testdir/test_tagjump.vim | 6 ++++++
2 files changed, 12 insertions(+)
diff --git a/src/normal.c b/src/normal.c
index e9e587d..f122627 100644
--- a/src/normal.c
+++ b/src/normal.c
@@ -4425,6 +4425,11 @@ nv_brackets(cmdarg_T *cap)
clearop(cap->oap);
else
{
+ // Make a copy, if the line was changed it will be freed.
+ ptr = vim_strnsave(ptr, len);
+ if (ptr == NULL)
+ return;
+
find_pattern_in_path(ptr, 0, len, TRUE,
cap->count0 == 0 ? !isupper(cap->nchar) : FALSE,
((cap->nchar & 0xf) == ('d' & 0xf)) ? FIND_DEFINE : FIND_ANY,
@@ -4433,6 +4438,7 @@ nv_brackets(cmdarg_T *cap)
islower(cap->nchar) ? ACTION_SHOW : ACTION_GOTO,
cap->cmdchar == ']' ? curwin->w_cursor.lnum + 1 : (linenr_T)1,
(linenr_T)MAXLNUM);
+ vim_free(ptr);
curwin->w_set_curswant = TRUE;
}
}
diff --git a/src/testdir/test_tagjump.vim b/src/testdir/test_tagjump.vim
index 24df68f..c682682 100644
--- a/src/testdir/test_tagjump.vim
+++ b/src/testdir/test_tagjump.vim
@@ -563,6 +563,12 @@ func Test_define_search()
sil norm o0
sil! norm 
bwipe!
+
+ new somefile
+ call setline(1, ['first line', '', '#define something 0'])
+ sil norm 0o0
+ sil! norm ]d
+ bwipe!
endfunc
" vim: shiftwidth=2 sts=2 expandtab
--
2.27.0


@ -1,123 +0,0 @@
From 4d97a565ae8be0d4debba04ebd2ac3e75a0c8010 Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Sat, 28 May 2022 14:25:35 +0100
Subject: [PATCH] patch 8.2.5037: cursor position may be invalid after "0;"
range
Problem: Cursor position may be invalid after "0;" range.
Solution: Check the cursor position when it was set by ";" in the range.
---
src/ex_docmd.c | 24 +++++++++++++++++-------
src/testdir/test_excmd.vim | 9 +++++++++
2 files changed, 26 insertions(+), 7 deletions(-)
diff --git a/src/ex_docmd.c b/src/ex_docmd.c
index a5ff463..b552440 100644
--- a/src/ex_docmd.c
+++ b/src/ex_docmd.c
@@ -2876,6 +2876,8 @@ parse_cmd_address(exarg_T *eap, char **errormsg, int silent)
{
int address_count = 1;
linenr_T lnum;
+ int need_check_cursor = FALSE;
+ int ret = FAIL;
// Repeat for all ',' or ';' separated addresses.
for (;;)
@@ -2925,7 +2927,7 @@ parse_cmd_address(exarg_T *eap, char **errormsg, int silent)
lnum = get_address(eap, &eap->cmd, eap->addr_type, eap->skip, silent,
eap->addr_count == 0, address_count++);
if (eap->cmd == NULL) // error detected
- return FAIL;
+ goto theend;
if (lnum == MAXLNUM)
{
if (*eap->cmd == '%') // '%' - all lines
@@ -2970,14 +2972,14 @@ parse_cmd_address(exarg_T *eap, char **errormsg, int silent)
// there is no Vim command which uses '%' and
// ADDR_WINDOWS or ADDR_TABS
*errormsg = _(e_invrange);
- return FAIL;
+ goto theend;
}
break;
case ADDR_TABS_RELATIVE:
case ADDR_UNSIGNED:
case ADDR_QUICKFIX:
*errormsg = _(e_invrange);
- return FAIL;
+ goto theend;
case ADDR_ARGUMENTS:
if (ARGCOUNT == 0)
eap->line1 = eap->line2 = 0;
@@ -3009,7 +3011,7 @@ parse_cmd_address(exarg_T *eap, char **errormsg, int silent)
if (eap->addr_type != ADDR_LINES)
{
*errormsg = _(e_invrange);
- return FAIL;
+ goto theend;
}
++eap->cmd;
@@ -3017,11 +3019,11 @@ parse_cmd_address(exarg_T *eap, char **errormsg, int silent)
{
fp = getmark('<', FALSE);
if (check_mark(fp) == FAIL)
- return FAIL;
+ goto theend;
eap->line1 = fp->lnum;
fp = getmark('>', FALSE);
if (check_mark(fp) == FAIL)
- return FAIL;
+ goto theend;
eap->line2 = fp->lnum;
++eap->addr_count;
}
@@ -3036,10 +3038,13 @@ parse_cmd_address(exarg_T *eap, char **errormsg, int silent)
if (!eap->skip)
{
curwin->w_cursor.lnum = eap->line2;
+
// Don't leave the cursor on an illegal line or column, but do
// accept zero as address, so 0;/PATTERN/ works correctly.
+ // Check the cursor position before returning.
if (eap->line2 > 0)
check_cursor();
+ need_check_cursor = TRUE;
}
}
else if (*eap->cmd != ',')
@@ -3055,7 +3060,12 @@ parse_cmd_address(exarg_T *eap, char **errormsg, int silent)
if (lnum == MAXLNUM)
eap->addr_count = 0;
}
- return OK;
+ ret = OK;
+
+theend:
+ if (need_check_cursor)
+ check_cursor();
+ return ret;
}
/*
diff --git a/src/testdir/test_excmd.vim b/src/testdir/test_excmd.vim
index 992fc3d..aafee84 100644
--- a/src/testdir/test_excmd.vim
+++ b/src/testdir/test_excmd.vim
@@ -44,3 +44,12 @@ func Test_buffers_lastused()
bwipeout bufb
bwipeout bufc
endfunc
+
+" This was leaving the cursor in line zero
+func Test_using_zero_in_range()
+ new
+ norm o00
+ silent! 0;s/\%')
+ bwipe!
+endfunc
+
--
1.8.3.1


@ -1,140 +0,0 @@
From 71223e2db87c2bf3b09aecb46266b56cda26191d Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Mon, 30 May 2022 15:23:09 +0100
Subject: [PATCH] patch 8.2.5043: can open a cmdline window from a substitute
expression
Problem: Can open a cmdline window from a substitute expression.
Solution: Disallow opening a command line window when text or buffer is
locked.
---
src/buffer.c | 7 +------
src/ex_getln.c | 19 +++++++++++++++++++
src/proto/ex_getln.pro | 1 +
src/testdir/test_substitute.vim | 24 ++++++++++++++++++++++++
src/window.c | 5 +----
5 files changed, 46 insertions(+), 10 deletions(-)
diff --git a/src/buffer.c b/src/buffer.c
index 88094ee..8fabbdb 100644
--- a/src/buffer.c
+++ b/src/buffer.c
@@ -2364,12 +2364,7 @@ buflist_getfile(
if (buf == curbuf)
return OK;
- if (text_locked())
- {
- text_locked_msg();
- return FAIL;
- }
- if (curbuf_locked())
+ if (text_or_buf_locked())
return FAIL;
// altfpos may be changed by getfile(), get it now
diff --git a/src/ex_getln.c b/src/ex_getln.c
index 64b393d..d5fc38d 100644
--- a/src/ex_getln.c
+++ b/src/ex_getln.c
@@ -2588,6 +2588,21 @@ text_locked(void)
return text_and_win_locked() || textlock != 0;
}
+/*
+ * Check for text, window or buffer locked.
+ * Give an error message and return TRUE if something is locked.
+ */
+ int
+text_or_buf_locked(void)
+{
+ if (text_locked())
+ {
+ text_locked_msg();
+ return TRUE;
+ }
+ return curbuf_locked();
+}
+
/*
* Check if "curbuf_lock" or "allbuf_lock" is set and return TRUE when it is
* and give an error message.
@@ -4170,6 +4185,10 @@ open_cmdwin(void)
int save_KeyTyped;
#endif
+ // Can't do this when text or buffer is locked.
+ if (text_or_buf_locked())
+ return K_IGNORE;
+
// Can't do this recursively. Can't do it when typing a password.
if (cmdwin_type != 0
# if defined(FEAT_CRYPT) || defined(FEAT_EVAL)
diff --git a/src/proto/ex_getln.pro b/src/proto/ex_getln.pro
index f64bb1f..7597457 100644
--- a/src/proto/ex_getln.pro
+++ b/src/proto/ex_getln.pro
@@ -7,6 +7,7 @@ int text_and_win_locked(void);
void text_locked_msg(void);
char *get_text_locked_msg(void);
int text_locked(void);
+int text_or_buf_locked(void);
int curbuf_locked(void);
int allbuf_locked(void);
char_u *getexline(int c, void *cookie, int indent, int do_concat);
diff --git a/src/testdir/test_substitute.vim b/src/testdir/test_substitute.vim
index bda96f6..ebc0839 100644
--- a/src/testdir/test_substitute.vim
+++ b/src/testdir/test_substitute.vim
@@ -775,3 +775,27 @@ func Test_sub_change_window()
delfunc Repl
endfunc
+" This was opening a command line window from the expression
+func Test_sub_open_cmdline_win()
+ " the error only happens in a very specific setup, run a new Vim instance to
+ " get a clean starting point.
+ let lines =<< trim [SCRIPT]
+ norm o0000000000000000000000000000000000000000000000000000
+ func Replace()
+ norm q/
+ endfunc
+ s/\%')/\=Replace()
+ redir >Xresult
+ messages
+ redir END
+ qall!
+ [SCRIPT]
+ call writefile(lines, 'Xscript')
+ if RunVim([], [], '-u NONE -S Xscript')
+ let messages = readfile('Xresult')
+ call assert_match('E565: Not allowed to change text or change window', messages[3])
+ endif
+
+ call delete('Xscript')
+ call delete('Xresult')
+endfunc
diff --git a/src/window.c b/src/window.c
index 0a154b0..d8091f9 100644
--- a/src/window.c
+++ b/src/window.c
@@ -4343,14 +4343,11 @@ win_goto(win_T *wp)
if (ERROR_IF_POPUP_WINDOW)
return;
- if (text_and_win_locked())
+ if (text_or_buf_locked())
{
beep_flush();
- text_locked_msg();
return;
}
- if (curbuf_locked())
- return;
if (wp->w_buffer != curbuf)
reset_VIsual_and_resel();
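Review bot: Replacing `text_and_win_locked()` with `text_or_buf_locked()` in win_goto() widens the condition rather than just merging two checks. Per the src/ex_getln.c hunk, the helper calls text_locked(), which is `text_and_win_locked() || textlock != 0`, so window switching is now also refused when only `textlock` is set. `beep_flush()` now also runs on the curbuf_locked() path, and after the message rather than before it. If that is intended, a comment above the check would record it, e.g. `// also refuses when only textlock is set, see text_or_buf_locked()`. win_goto() continues outside the hunk.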
--
2.27.0


@ -1,89 +0,0 @@
From 409510c588b1eec1ae33511ae97a21eb8e110895 Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Wed, 1 Jun 2022 15:23:13 +0100
Subject: [PATCH] patch 8.2.5050: using freed memory when searching for pattern
in path
Problem: Using freed memory when searching for pattern in path.
Solution: Make a copy of the line.
---
src/search.c | 21 ++++++++++++++++++---
src/testdir/test_tagjump.vim | 11 +++++++++++
2 files changed, 29 insertions(+), 3 deletions(-)
diff --git a/src/search.c b/src/search.c
index 75f0c59..701a8ed 100644
--- a/src/search.c
+++ b/src/search.c
@@ -5143,6 +5143,21 @@ search_stat(
}
#if defined(FEAT_FIND_ID) || defined(PROTO)
+
+/*
+ * Get line "lnum" and copy it into "buf[LSIZE]".
+ * The copy is made because the regexp may make the line invalid when using a
+ * mark.
+ */
+ static char_u *
+get_line_and_copy(linenr_T lnum, char_u *buf)
+{
+ char_u *line = ml_get(lnum);
+
+ vim_strncpy(buf, line, LSIZE - 1);
+ return buf;
+}
+
/*
* Find identifiers or defines in included files.
* If p_ic && (compl_cont_status & CONT_SOL) then ptr must be in lowercase.
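Review bot: get_line_and_copy() copies at most `LSIZE - 1` bytes, so a buffer line longer than that is silently truncated, whereas the replaced `ml_get(lnum)` calls in find_pattern_in_path() searched the whole line. Matches past the cut are no longer found, and the cut can land inside a multi-byte character. The header comment should say so, for example `* Lines longer than LSIZE - 1 bytes are truncated in the copy.`. The size of "buf" is only stated in that comment and is not checked by the helper.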
@@ -5245,7 +5260,7 @@ find_pattern_in_path(
end_lnum = curbuf->b_ml.ml_line_count;
if (lnum > end_lnum) // do at least one line
lnum = end_lnum;
- line = ml_get(lnum);
+ line = get_line_and_copy(lnum, file_line);
for (;;)
{
@@ -5573,7 +5588,7 @@ search_line:
{
if (lnum >= end_lnum)
goto exit_matched;
- line = ml_get(++lnum);
+ line = get_line_and_copy(++lnum, file_line);
}
else if (vim_fgets(line = file_line,
LSIZE, files[depth].fp))
@@ -5783,7 +5798,7 @@ exit_matched:
{
if (++lnum > end_lnum)
break;
- line = ml_get(lnum);
+ line = get_line_and_copy(lnum, file_line);
}
already = NULL;
}
diff --git a/src/testdir/test_tagjump.vim b/src/testdir/test_tagjump.vim
index c682682..18a7f9b 100644
--- a/src/testdir/test_tagjump.vim
+++ b/src/testdir/test_tagjump.vim
@@ -571,4 +571,15 @@ func Test_define_search()
bwipe!
endfunc
+" this was using a line from ml_get() freed by the regexp
+func Test_isearch_copy_line()
+ new
+ norm o
+ norm 0
+ 0norm o
+ sil! norm bc0
+ sil! isearch \%')
+ bwipe!
+endfunc
+
" vim: shiftwidth=2 sts=2 expandtab
--
1.8.3.1


@ -1,54 +0,0 @@
From 44a3f3353e0407e9fffee138125a6927d1c9e7e5 Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Mon, 6 Jun 2022 15:38:21 +0100
Subject: [PATCH] patch 8.2.5063: error for a command may go over the end of
IObuff
Problem: Error for a command may go over the end of IObuff.
Solution: Truncate the message.
---
src/ex_docmd.c | 12 ++++++++++--
src/testdir/test_cmdline.vim | 5 +++++
2 files changed, 15 insertions(+), 2 deletions(-)
diff --git a/src/ex_docmd.c b/src/ex_docmd.c
index 1644573..7c00a26 100644
--- a/src/ex_docmd.c
+++ b/src/ex_docmd.c
@@ -3098,9 +3098,17 @@ checkforcmd(
static void
append_command(char_u *cmd)
{
- char_u *s = cmd;
- char_u *d;
+ size_t len = STRLEN(IObuff);
+ char_u *s = cmd;
+ char_u *d;
+ if (len > IOSIZE - 100)
+ {
+ // Not enough space, truncate and put in "...".
+ d = IObuff + IOSIZE - 100;
+ d -= mb_head_off(IObuff, d);
+ STRCPY(d, "...");
+ }
STRCAT(IObuff, ": ");
d = IObuff + STRLEN(IObuff);
while (*s != NUL && d - IObuff + 5 < IOSIZE)
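Review bot: The 100-byte reserve in append_command() appears twice as a bare number (`len > IOSIZE - 100` and `IObuff + IOSIZE - 100`), with no word on how it relates to the `+ 5` margin in the copy loop that follows. A named constant with a one-line comment, such as `// room kept for ": " plus the start of the command`, would keep the two uses in step. The comparison also mixes the `size_t` length with the `IOSIZE - 100` expression, which a cast would make explicit. The rest of append_command() is outside the hunk.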
diff --git a/src/testdir/test_cmdline.vim b/src/testdir/test_cmdline.vim
index 2588a0d..735b0a5 100644
--- a/src/testdir/test_cmdline.vim
+++ b/src/testdir/test_cmdline.vim
@@ -930,4 +930,9 @@ func Test_cmdline_expr_register()
exe "sil! norm! ?\<C-\>e0\<C-R>0\<Esc>?\<C-\>e0\<CR>"
endfunc
+func Test_long_error_message()
+ " the error should be truncated, not overrun IObuff
+ silent! norm Q00000000000000     000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000                                                                                                                                                                                                                        
+endfunc
+
" vim: shiftwidth=2 sts=2 expandtab
--
1.8.3.1


@ -1,83 +0,0 @@
From 2813f38e021c6e6581c0c88fcf107e41788bc835 Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Thu, 9 Jun 2022 19:54:24 +0100
Subject: [PATCH] patch 8.2.5072: using uninitialized value and freed memory in
spell command
Problem: Using uninitialized value and freed memory in spell command.
Solution: Initialize "attr". Check for empty line early.
---
src/spell.c | 10 +++++++---
src/testdir/test_spell_utf8.vim | 15 +++++++++++++++
2 files changed, 22 insertions(+), 3 deletions(-)
diff --git a/src/spell.c b/src/spell.c
index d8310fa..5b25950 100644
--- a/src/spell.c
+++ b/src/spell.c
@@ -1254,7 +1254,7 @@ spell_move_to(
char_u *line;
char_u *p;
char_u *endp;
- hlf_T attr;
+ hlf_T attr = 0;
int len;
#ifdef FEAT_SYN_HL
int has_syntax = syntax_present(wp);
@@ -1287,6 +1287,8 @@ spell_move_to(
while (!got_int)
{
+ int empty_line;
+
line = ml_get_buf(wp->w_buffer, lnum, FALSE);
len = (int)STRLEN(line);
@@ -1319,7 +1321,9 @@ spell_move_to(
}
// Copy the line into "buf" and append the start of the next line if
- // possible.
+ // possible. Note: this ml_get_buf() may make "line" invalid, check
+ // for empty line first.
+ empty_line = *skipwhite(line) == NUL;
STRCPY(buf, line);
if (lnum < wp->w_buffer->b_ml.ml_line_count)
spell_cat_line(buf + STRLEN(buf),
@@ -1467,7 +1471,7 @@ spell_move_to(
--capcol;
// But after empty line check first word in next line
- if (*skipwhite(line) == NUL)
+ if (empty_line)
capcol = 0;
}
diff --git a/src/testdir/test_spell_utf8.vim b/src/testdir/test_spell_utf8.vim
index 491a406..efdecdc 100644
--- a/src/testdir/test_spell_utf8.vim
+++ b/src/testdir/test_spell_utf8.vim
@@ -797,5 +797,20 @@ func Test_word_index()
call delete('Xtmpfile')
endfunc
+func Test_check_empty_line()
+ " This was using freed memory
+ enew
+ spellgood! fl
+ norm z=
+ norm yy
+ sil! norm P]svc
+ norm P]s
+
+ " set 'encoding' to clear the wordt list
+ set enc=latin1
+ set enc=utf-8
+ bwipe!
+endfunc
+
" vim: shiftwidth=2 sts=2 expandtab
--
1.8.3.1


@ -1,35 +0,0 @@
From e4463991b2c9243ae93462118b6d6f648852bb0c Mon Sep 17 00:00:00 2001
From: lauk001 <liukuo@kylinos.cn>
Date: Tue, 21 Jun 2022 13:43:57 +0800
Subject: [PATCH] CVE-2022-2124
Signed-off-by: lauk001 <liukuo@kylinos.cn>
---
src/search.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/src/search.c b/src/search.c
index 75f0c59..87acb33 100644
--- a/src/search.c
+++ b/src/search.c
@@ -4589,11 +4589,17 @@ current_quote(
// Find out if we have a quote in the selection.
while (i <= col_end)
+ {
+ // check for going over the end of the line, which can happen if
+ // the line was changed after the Visual area was selected.
+ if (line[i] == NUL)
+ break;
if (line[i++] == quotechar)
{
selected_quote = TRUE;
break;
}
+ }
}
if (!vis_empty && line[col_start] == quotechar)
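Review bot: The added NUL check bounds only the scan loop; the context line directly after it still reads `line[col_start]` with no length check, and the initial value of `i` is set outside the hunk. If the line was shortened after the Visual area was selected, as the new comment describes, the start column may itself lie past the terminator, and then neither access is covered. Validating the Visual columns against `STRLEN(line)` before the loop would cover both. Unlike the neighbouring patches, this one carries no regression test or upstream reference. current_quote() starts and ends outside the hunk.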
--
2.33.0


@ -1,48 +0,0 @@
From 0e8e938d497260dd57be67b4966cb27a5f72376f Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Sat, 18 Jun 2022 12:51:11 +0100
Subject: [PATCH] patch 8.2.5122: lisp indenting my run over the end of the
line
Problem: Lisp indenting may run over the end of the line.
Solution: Check for NUL earlier.
---
src/indent.c | 2 ++
src/testdir/test_indent.vim | 10 ++++++++++
2 files changed, 12 insertions(+)
diff --git a/src/indent.c b/src/indent.c
index 4677d29..2d07e2e 100644
--- a/src/indent.c
+++ b/src/indent.c
@@ -1920,6 +1920,8 @@ get_lisp_indent(void)
}
}
}
+ if (*that == NUL)
+ break;
}
if (*that == '(' || *that == '[')
++parencount;
diff --git a/src/testdir/test_indent.vim b/src/testdir/test_indent.vim
index 91e801a..f3b8b6b 100644
--- a/src/testdir/test_indent.vim
+++ b/src/testdir/test_indent.vim
@@ -98,4 +98,14 @@ func Test_copyindent()
close!
endfunc
+func Test_lisp_indent_quoted()
+ " This was going past the end of the line
+ new
+ setlocal lisp autoindent
+ call setline(1, ['"[', '='])
+ normal Gvk=
+
+ bwipe!
+endfunc
+
" vim: shiftwidth=2 sts=2 expandtab
--
1.8.3.1


@ -1,51 +0,0 @@
From 156d3911952d73b03d7420dc3540215247db0fe8 Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Sat, 18 Jun 2022 14:09:08 +0100
Subject: [PATCH] patch 8.2.5123: using invalid index when looking for spell
suggestions
Problem: Using invalid index when looking for spell suggestions.
Solution: Do not decrement the index when it is zero.
---
src/spellsuggest.c | 3 ++-
src/testdir/test_spell.vim | 10 ++++++++++
2 files changed, 12 insertions(+), 1 deletion(-)
diff --git a/src/spellsuggest.c b/src/spellsuggest.c
index 2b7d13b..379d9ba 100644
--- a/src/spellsuggest.c
+++ b/src/spellsuggest.c
@@ -1944,7 +1944,8 @@ suggest_trie_walk(
sp->ts_isdiff = (newscore != 0)
? DIFF_YES : DIFF_NONE;
}
- else if (sp->ts_isdiff == DIFF_INSERT)
+ else if (sp->ts_isdiff == DIFF_INSERT
+ && sp->ts_fidx > 0)
// When inserting trail bytes don't advance in the
// bad word.
--sp->ts_fidx;
diff --git a/src/testdir/test_spell.vim b/src/testdir/test_spell.vim
index c09137a..b6117aa 100644
--- a/src/testdir/test_spell.vim
+++ b/src/testdir/test_spell.vim
@@ -70,6 +70,16 @@ func Test_z_equal_on_invalid_utf8_word()
bwipe!
endfunc
+func Test_z_equal_on_single_character()
+ " this was decrementing the index below zero
+ new
+ norm a0\Ê
+ norm zW
+ norm z=
+
+ bwipe!
+endfunc
+
" Test spellbadword() with argument
func Test_spellbadword()
set spell
--
1.8.3.1


@ -1,68 +0,0 @@
From 6046aded8da002b08d380db29de2ba0268b6616e Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Wed, 22 Jun 2022 13:51:54 +0100
Subject: [PATCH] patch 8.2.5148: invalid memory access when using expression
on command line
Problem: Invalid memory access when using an expression on the command line.
Solution: Make sure the position does not go negative.
---
src/ex_getln.c | 6 ++++--
src/testdir/test_cmdline.vim | 5 +++++
2 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/src/ex_getln.c b/src/ex_getln.c
index aa01f80..887b47d 100644
--- a/src/ex_getln.c
+++ b/src/ex_getln.c
@@ -820,6 +820,7 @@ getcmdline_int(
cmdline_info_T save_ccline;
int did_save_ccline = FALSE;
int cmdline_type;
+ int save_new_cmdpos;
// one recursion level deeper
++depth;
@@ -1757,6 +1758,7 @@ getcmdline_int(
goto returncmd; // back to cmd mode
case Ctrl_R: // insert register
+ save_new_cmdpos = new_cmdpos;
#ifdef USE_ON_FLY_SCROLL
dont_scroll = TRUE; // disallow scrolling here
#endif
@@ -1774,8 +1776,6 @@ getcmdline_int(
#ifdef FEAT_EVAL
/*
* Insert the result of an expression.
- * Need to save the current command line, to be able to enter
- * a new one...
*/
new_cmdpos = -1;
if (c == '=')
@@ -1816,6 +1816,8 @@ getcmdline_int(
}
#endif
}
+ new_cmdpos = save_new_cmdpos;
+
redrawcmd();
goto cmdline_changed;
diff --git a/src/testdir/test_cmdline.vim b/src/testdir/test_cmdline.vim
index 4665c75..2588a0d 100644
--- a/src/testdir/test_cmdline.vim
+++ b/src/testdir/test_cmdline.vim
@@ -925,4 +925,9 @@ func Test_recursive_register()
call assert_equal('yes', caught)
endfunc
+" This was making the insert position negative
+func Test_cmdline_expr_register()
+ exe "sil! norm! ?\<C-\>e0\<C-R>0\<Esc>?\<C-\>e0\<CR>"
+endfunc
+
" vim: shiftwidth=2 sts=2 expandtab
--
1.8.3.1


@ -1,59 +0,0 @@
From 8eba2bd291b347e3008aa9e565652d51ad638cfa Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Wed, 22 Jun 2022 19:59:28 +0100
Subject: [PATCH] patch 8.2.5151: reading beyond the end of the line with lisp
indenting
Problem: Reading beyond the end of the line with lisp indenting.
Solution: Avoid going over the NUL at the end of the line.
---
src/indent.c | 7 +++++--
src/testdir/test_lispwords.vim | 12 +++++++++++-
2 files changed, 16 insertions(+), 3 deletions(-)
diff --git a/src/indent.c b/src/indent.c
index 2d07e2e..a58d6ea 100644
--- a/src/indent.c
+++ b/src/indent.c
@@ -1967,8 +1967,11 @@ get_lisp_indent(void)
amount += 2;
else
{
- that++;
- amount++;
+ if (*that != NUL)
+ {
+ that++;
+ amount++;
+ }
firsttry = amount;
while (VIM_ISWHITE(*that))
diff --git a/src/testdir/test_lispwords.vim b/src/testdir/test_lispwords.vim
index ff710b2..4144fb0 100644
--- a/src/testdir/test_lispwords.vim
+++ b/src/testdir/test_lispwords.vim
@@ -1,4 +1,5 @@
-" Tests for 'lispwords' settings being global-local
+" Tests for 'lispwords' settings being global-local.
+" And other lisp indent stuff.
set nocompatible viminfo+=nviminfo
@@ -85,4 +86,13 @@ func Test_lisp_indent()
set nolisp
endfunc
+func Test_lisp_indent_works()
+ " This was reading beyond the end of the line
+ new
+ exe "norm a\tü(\<CR>="
+ set lisp
+ norm ==
+ bwipe!
+endfunc
+
" vim: shiftwidth=2 sts=2 expandtab
--
2.27.0


@ -1,32 +0,0 @@
From e178af5a586ea023622d460779fdcabbbfac0908 Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Sat, 25 Jun 2022 19:54:09 +0100
Subject: [PATCH] patch 8.2.5160: accessing invalid memory after changing
terminal size
Problem: Accessing invalid memory after changing terminal size.
Solution: Adjust cmdline_row and msg_row to the value of Rows.
---
src/term.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/src/term.c b/src/term.c
index 77cfa7d..307e3bf 100644
--- a/src/term.c
+++ b/src/term.c
@@ -3223,6 +3223,12 @@ check_shellsize(void)
if (Rows < min_rows()) // need room for one window and command line
Rows = min_rows();
limit_screen_size();
+
+ // make sure these values are not invalid
+ if (cmdline_row >= Rows)
+ cmdline_row = Rows - 1;
+ if (msg_row >= Rows)
+ msg_row = Rows - 1;
}
/*
--
1.8.3.1


@ -1,29 +0,0 @@
From 0971c7a4e537ea120a6bb2195960be8d0815e97b Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Sun, 26 Jun 2022 12:59:02 +0100
Subject: [PATCH] patch 8.2.5162: reading before the start of the line with BS
in Replace mode
Problem: Reading before the start of the line with BS in Replace mode.
Solution: Check the cursor column is more than zero.
---
src/edit.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/edit.c b/src/edit.c
index c4ede2b..bc0b7dc 100644
--- a/src/edit.c
+++ b/src/edit.c
@@ -4761,7 +4761,7 @@ ins_bs(
#endif
// delete characters until we are at or before want_vcol
- while (vcol > want_vcol
+ while (vcol > want_vcol && curwin->w_cursor.col > 0
&& (cc = *(ml_get_cursor() - 1), VIM_ISWHITE(cc)))
ins_bs_one(&vcol);
--
2.27.0


@ -1,63 +0,0 @@
From cd38bb4d83c942c4bad596835c6766cbf32e5195 Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Sun, 26 Jun 2022 14:04:07 +0100
Subject: [PATCH] patch 8.2.5163: crash when deleting buffers in diff mode
Problem: Crash when deleting buffers in diff mode.
Solution: Recompute diffs later. Skip window without a valid buffer.
---
src/diff.c | 10 ++++++++--
src/testdir/test_diffmode.vim | 12 ++++++++++++
2 files changed, 20 insertions(+), 2 deletions(-)
diff --git a/src/diff.c b/src/diff.c
index f996904..8569a9f 100644
--- a/src/diff.c
+++ b/src/diff.c
@@ -107,7 +107,12 @@ diff_buf_delete(buf_T *buf)
tp->tp_diffbuf[i] = NULL;
tp->tp_diff_invalid = TRUE;
if (tp == curtab)
- diff_redraw(TRUE);
+ {
+ // don't redraw right away, more might change or buffer state
+ // is invalid right now
+ need_diff_redraw = TRUE;
+ redraw_later(VALID);
+ }
}
}
}
@@ -655,7 +660,8 @@ diff_redraw(
need_diff_redraw = FALSE;
FOR_ALL_WINDOWS(wp)
- if (wp->w_p_diff)
+ // when closing windows or wiping buffers skip invalid window
+ if (wp->w_p_diff && buf_valid(wp->w_buffer))
{
redraw_win_later(wp, SOME_VALID);
#ifdef FEAT_FOLDING
diff --git a/src/testdir/test_diffmode.vim b/src/testdir/test_diffmode.vim
index 61edbe2..5b48a75 100644
--- a/src/testdir/test_diffmode.vim
+++ b/src/testdir/test_diffmode.vim
@@ -827,3 +827,15 @@ func Test_diff_maintains_change_mark()
bwipe!
bwipe!
endfunc
+
+" This was trying to update diffs for a buffer being closed
+func Test_diff_only()
+ silent! lfile
+ set diff
+ lopen
+ norm o
+ silent! norm o
+
+ set nodiff
+ %bwipe!
+endfunc
--
2.27.0


@ -1,67 +0,0 @@
From c101abff4c6756db4f5e740fde289decb9452efa Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Sun, 26 Jun 2022 16:53:34 +0100
Subject: [PATCH] patch 8.2.5164: invalid memory access after diff buffer
manipulations
Problem: Invalid memory access after diff buffer manipulations.
Solution: Use zero offset when change removes all lines in a diff block.
---
src/diff.c | 4 ++--
src/testdir/test_diffmode.vim | 12 ++++++++++++
2 files changed, 14 insertions(+), 2 deletions(-)
diff --git a/src/diff.c b/src/diff.c
index eddf33165628..91e5ae2f2f68 100644
--- a/src/diff.c
+++ b/src/diff.c
@@ -391,9 +391,9 @@ diff_mark_adjust_tp(
// 2. 3. 4. 5.: inserted/deleted lines touching this diff.
if (deleted > 0)
{
+ off = 0;
if (dp->df_lnum[idx] >= line1)
{
- off = dp->df_lnum[idx] - lnum_deleted;
if (last <= line2)
{
// 4. delete all lines of diff
@@ -414,6 +414,7 @@ diff_mark_adjust_tp(
else
{
// 5. delete lines at or just before top of diff
+ off = dp->df_lnum[idx] - lnum_deleted;
n = off;
dp->df_count[idx] -= line2 - dp->df_lnum[idx] + 1;
check_unchanged = TRUE;
@@ -422,7 +423,6 @@ diff_mark_adjust_tp(
}
else
{
- off = 0;
if (last < line2)
{
// 2. delete at end of diff
diff --git a/src/testdir/test_diffmode.vim b/src/testdir/test_diffmode.vim
index afa8f891be55..4c7aff5ccb6e 100644
--- a/src/testdir/test_diffmode.vim
+++ b/src/testdir/test_diffmode.vim
@@ -1021,3 +1021,15 @@ func Test_diff_only()
set nodiff
%bwipe!
endfunc
+
+" This was causing invalid diff block values
+" FIXME: somehow this causes a valgrind error when run directly but not when
+" run as a test.
+func Test_diff_manipulations()
+ set diff
+ split 0
+ sil! norm R doobdeuR doobdeuR doobdeu
+
+ set nodiff
+ %bwipe!
+endfunc
--
2.33.0


@ -8,33 +8,32 @@ Problem: Going past the end of a menu item with only modifier.
Solution: Check for NUL.
---
src/message.c | 4 ++--
src/testdir/test_menu.vim | 14 ++++++++++++++
2 files changed, 16 insertions(+), 2 deletions(-)
src/testdir/test_menu.vim | 13 +++++++++++++
2 files changed, 15 insertions(+), 2 deletions(-)
diff --git a/src/message.c b/src/message.c
index 363dbe1..679a992 100644
index 02380e9..becb280 100644
--- a/src/message.c
+++ b/src/message.c
@@ -1735,8 +1735,8 @@ str2special(
*sp = str + 1;
@@ -1820,8 +1820,8 @@ str2special(
*sp = str + 1;
}
else
- // single-byte character or illegal byte
- // single-byte character or illegal byte
- *sp = str + 1;
+ // single-byte character, NUL or illegal byte
+ *sp = str + (*str == NUL ? 0 : 1);
+ // single-byte character, NUL or illegal byte
+ *sp = str + (*str == NUL ? 0 : 1);
/* Make special keys and C0 control characters in <> form, also <M-Space>.
* Use <Space> only for lhs of a mapping. */
// Make special keys and C0 control characters in <> form, also <M-Space>.
// Use <Space> only for lhs of a mapping.
diff --git a/src/testdir/test_menu.vim b/src/testdir/test_menu.vim
index 0d6b78e..7e411cf 100644
index c867162..df717cc 100644
--- a/src/testdir/test_menu.vim
+++ b/src/testdir/test_menu.vim
@@ -84,3 +84,17 @@ func Test_menu_commands()
@@ -528,4 +528,17 @@ func Test_tmenu()
tunmenu Test
endfunc
unlet g:did_menu
endfun
+
+func Test_only_modifier()
+ exe "tmenu a.b \x80\xfc0"
+ let exp =<< trim [TEXT]
@ -48,6 +47,7 @@ index 0d6b78e..7e411cf 100644
+ tunmenu a.b
+endfunc
+
" vim: shiftwidth=2 sts=2 expandtab
--
1.8.3.1


@ -15,20 +15,20 @@ diff --git a/src/register.c b/src/register.c
index 87689f7..51c14b8 100644
--- a/src/register.c
+++ b/src/register.c
@@ -1819,6 +1819,8 @@ do_put(
@@ -1918,6 +1918,8 @@ do_put(
vim_memset(ptr, ' ', (size_t)spaces);
ptr += spaces;
}
+ else
+ totlen -= spaces; // didn't use these spaces
+ else
+ totlen -= spaces; // didn't use these spaces
}
// may insert some spaces after the new text
vim_memset(ptr, ' ', (size_t)bd.endspaces);
diff --git a/src/testdir/test_put.vim b/src/testdir/test_put.vim
index 6df04cf..c8d306a 100644
--- a/src/testdir/test_put.vim
+++ b/src/testdir/test_put.vim
@@ -152,3 +152,15 @@ func Test_put_empty_register()
@@ -219,5 +219,17 @@ func Test_put_empty_register()
bwipe!
endfunc
@ -44,6 +44,8 @@ index 6df04cf..c8d306a 100644
+ set selection&
+endfunc
+
" vim: shiftwidth=2 sts=2 expandtab
--
1.8.3.1


@ -1,7 +1,8 @@
From 3d51ce18ab1be4f9f6061568a4e7fabf00b21794 Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Fri, 1 Jul 2022 15:26:15 +0100
Subject: [PATCH] patch 9.0.0017: accessing memory beyond the end of the line
Subject: [PATCH] patch 9.0.0017: accessing memory beyond the end of the
line
Problem: Accessing memory beyond the end of the line.
Solution: Stop Visual mode when closing a window.
@ -11,10 +12,10 @@ Solution: Stop Visual mode when closing a window.
2 files changed, 14 insertions(+)
diff --git a/src/testdir/test_visual.vim b/src/testdir/test_visual.vim
index d21f8f1..ebb6f27 100644
index c323062..e965266 100644
--- a/src/testdir/test_visual.vim
+++ b/src/testdir/test_visual.vim
@@ -966,3 +966,15 @@ func Test_visual_block_with_substitute()
@@ -1469,5 +1469,17 @@ func Test_visual_paste_clipboard()
bwipe!
endfunc
@ -30,11 +31,13 @@ index d21f8f1..ebb6f27 100644
+ bwipe!
+endfunc
+
" vim: shiftwidth=2 sts=2 expandtab
diff --git a/src/window.c b/src/window.c
index d8091f9..e0df540 100644
index 992593b..c91ebbc 100644
--- a/src/window.c
+++ b/src/window.c
@@ -2506,6 +2506,8 @@ win_close(win_T *win, int free_buf)
@@ -2594,6 +2594,8 @@ win_close(win_T *win, int free_buf)
*/
if (wp->w_buffer != curbuf)
{


@ -6,16 +6,16 @@ Subject: [PATCH] patch 9.0.0018: going over the end of the typahead
Problem: Going over the end of the typahead.
Solution: Put a NUL after the typeahead.
---
src/term.c | 1 +
src/testdir/test_mapping.vim | 9 +++++++++
2 files changed, 10 insertions(+)
src/term.c | 1 +
src/testdir/test_mapping.vim | 10 ++++++++++
2 files changed, 11 insertions(+)
diff --git a/src/term.c b/src/term.c
index 307e3bf..ee80f0f 100644
index 754ef82..7d7b84b 100644
--- a/src/term.c
+++ b/src/term.c
@@ -4419,6 +4419,7 @@ check_termcode(
if (*tp == ESC && !p_ek && (State & INSERT))
@@ -5393,6 +5393,7 @@ check_termcode(
if (*tp == ESC && !p_ek && (State & MODE_INSERT))
continue;
+ tp[len] = NUL;
@ -23,14 +23,13 @@ index 307e3bf..ee80f0f 100644
key_name[1] = NUL; // no key name found yet
modifiers = 0; // no modifiers yet
diff --git a/src/testdir/test_mapping.vim b/src/testdir/test_mapping.vim
index d3abaff..55e6af0 100644
index ace6453..2927ba7 100644
--- a/src/testdir/test_mapping.vim
+++ b/src/testdir/test_mapping.vim
@@ -492,3 +492,12 @@ func Test_expr_map_restore_cursor()
call StopVimInTerminal(buf)
call delete('XtestExprMap')
@@ -1715,4 +1715,14 @@ func Test_map_after_timed_out_nop()
call delete('Xtest_map_after_timed_out_nop')
endfunc
+
+func Test_using_past_typeahead()
+ nnoremap :00 0
+ exe "norm :set \x80\xfb0=0\<CR>"
@ -39,6 +38,9 @@ index d3abaff..55e6af0 100644
+ exe "norm :set \x80\xfb0=\<CR>"
+ nunmap :00
+endfunc
+
+
" vim: shiftwidth=2 sts=2 expandtab
--
1.8.3.1


@ -8,43 +8,43 @@ Problem: With some completion reading past end of string.
Solution: Check the length of the string.
---
src/insexpand.c | 14 ++++++++++++--
src/testdir/test_ins_complete.vim | 7 +++++++
2 files changed, 19 insertions(+), 2 deletions(-)
src/testdir/test_ins_complete.vim | 8 ++++++++
2 files changed, 20 insertions(+), 2 deletions(-)
diff --git a/src/insexpand.c b/src/insexpand.c
index 50e0579..66a836e 100644
index 4a5feac..734550f 100644
--- a/src/insexpand.c
+++ b/src/insexpand.c
@@ -2038,11 +2038,21 @@ ins_compl_prep(int c)
// but only do this, if the Popup is still visible
if (c == Ctrl_E)
{
+ char_u *p = NULL;
@@ -2209,11 +2209,21 @@ ins_compl_stop(int c, int prev_mode, int retval)
// but only do this, if the Popup is still visible
if (c == Ctrl_E)
{
+ char_u *p = NULL;
+
ins_compl_delete();
if (compl_leader != NULL)
- ins_bytes(compl_leader + ins_compl_len());
+ p = compl_leader;
else if (compl_first_match != NULL)
- ins_bytes(compl_orig_text + ins_compl_len());
+ p = compl_orig_text;
+ if (p != NULL)
+ {
+ int compl_len = ins_compl_len();
+ int len = (int)STRLEN(p);
ins_compl_delete();
if (compl_leader != NULL)
- ins_bytes(compl_leader + get_compl_len());
+ p = compl_leader;
else if (compl_first_match != NULL)
- ins_bytes(compl_orig_text + get_compl_len());
+ p = compl_orig_text;
+ if (p != NULL)
+ {
+ int compl_len = get_compl_len();
+ int len = (int)STRLEN(p);
+
+ if (len > compl_len)
+ ins_bytes_len(p + compl_len, len - compl_len);
+ }
retval = TRUE;
}
+ if (len > compl_len)
+ ins_bytes_len(p + compl_len, len - compl_len);
+ }
retval = TRUE;
}
diff --git a/src/testdir/test_ins_complete.vim b/src/testdir/test_ins_complete.vim
index 8f584d3..b7cfd29 100644
index 365c646..20c2b4f 100644
--- a/src/testdir/test_ins_complete.vim
+++ b/src/testdir/test_ins_complete.vim
@@ -390,3 +390,10 @@ func Test_ins_complete_add()
bwipe!
@@ -2184,4 +2184,12 @@ func Test_complete_smartindent()
delfunction! FooBarComplete
endfunc
+func Test_complete_overrun()
@ -54,6 +54,8 @@ index 8f584d3..b7cfd29 100644
+ bwipe!
+endfunc
+
+
" vim: shiftwidth=2 sts=2 expandtab
--
1.8.3.1


@ -5,19 +5,19 @@ Subject: [PATCH] patch 9.0.0021: invalid memory access when adding word to
spell word list
Problem: Invalid memory access when adding word with a control character to
the internal spell word list.
the internal spell word list.
Solution: Disallow adding a word with control characters or a trailing
slash.
slash.
---
src/spellfile.c | 21 +++++++++++++++++++--
src/testdir/test_spell.vim | 15 +++++++++++++++
2 files changed, 34 insertions(+), 2 deletions(-)
diff --git a/src/spellfile.c b/src/spellfile.c
index 5171572..aeeb6ad 100644
index f0d6d96..4a0de52 100644
--- a/src/spellfile.c
+++ b/src/spellfile.c
@@ -4343,6 +4343,23 @@ wordtree_alloc(spellinfo_T *spin)
@@ -4367,6 +4367,23 @@ wordtree_alloc(spellinfo_T *spin)
}
/*
@ -41,16 +41,16 @@ index 5171572..aeeb6ad 100644
* Store a word in the tree(s).
* Always store it in the case-folded tree. For a keep-case word this is
* useful when the word can also be used with all caps (no WF_FIXCAP flag) and
@@ -4367,7 +4384,7 @@ store_word(
@@ -4391,7 +4408,7 @@ store_word(
char_u *p;
// Avoid adding illegal bytes to the word tree.
- if (enc_utf8 && !utf_valid_string(word, NULL))
+ if (!valid_spell_word(word))
return FAIL;
return FAIL;
(void)spell_casefold(word, len, foldword, MAXWLEN);
@@ -6171,7 +6188,7 @@ spell_add_word(
(void)spell_casefold(curwin, word, len, foldword, MAXWLEN);
@@ -6194,7 +6211,7 @@ spell_add_word(
int i;
char_u *spf;
@ -60,11 +60,11 @@ index 5171572..aeeb6ad 100644
emsg(_(e_illegal_character_in_word));
return;
diff --git a/src/testdir/test_spell.vim b/src/testdir/test_spell.vim
index 1f79907..bc4f41d 100644
index 0fd5ed9..0187a17 100644
--- a/src/testdir/test_spell.vim
+++ b/src/testdir/test_spell.vim
@@ -574,6 +574,21 @@ func Test_spell_screendump()
call delete('XtestSpell')
@@ -854,6 +854,21 @@ func Test_spellsuggest_too_deep()
bwipe!
endfunc
+func Test_spell_good_word_invalid()
@ -82,9 +82,9 @@ index 1f79907..bc4f41d 100644
+ set enc=utf-8
+endfunc
+
let g:test_data_aff1 = [
\"SET ISO8859-1",
\"TRY esianrtolcdugmphbyfvkwjkqxz-\xEB\xE9\xE8\xEA\xEF\xEE\xE4\xE0\xE2\xF6\xFC\xFB'ESIANRTOLCDUGMPHBYFVKWJKQXZ",
func LoadAffAndDic(aff_contents, dic_contents)
set enc=latin1
set spellfile=
--
1.8.3.1


@ -0,0 +1,54 @@
From c6fdb15d423df22e1776844811d082322475e48a Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Sat, 2 Jul 2022 13:43:21 +0100
Subject: [PATCH] patch 9.0.0025: accessing beyond allocated memory with the
cmdline window
Problem: Accessing beyond allocated memory when using the cmdline window in
Ex mode.
Solution: Use "*" instead of "'<,'>" for Visual mode.
---
src/ex_docmd.c | 6 ++++--
src/testdir/test_cmdline.vim | 8 ++++++++
2 files changed, 12 insertions(+), 2 deletions(-)
diff --git a/src/ex_docmd.c b/src/ex_docmd.c
index 271e7e2..697337c 100644
--- a/src/ex_docmd.c
+++ b/src/ex_docmd.c
@@ -3118,9 +3118,11 @@ parse_command_modifiers(
size_t len = STRLEN(cmd_start);
// Special case: empty command uses "+":
- // "'<,'>mods" -> "mods'<,'>+
+ // "'<,'>mods" -> "mods *+
+ // Use "*" instead of "'<,'>" to avoid the command getting
+ // longer, in case is was allocated.
mch_memmove(orig_cmd, cmd_start, len);
- STRCPY(orig_cmd + len, "'<,'>+");
+ STRCPY(orig_cmd + len, " *+");
}
else
{
diff --git a/src/testdir/test_cmdline.vim b/src/testdir/test_cmdline.vim
index 3685336..f0498a1 100644
--- a/src/testdir/test_cmdline.vim
+++ b/src/testdir/test_cmdline.vim
@@ -2103,6 +2103,14 @@ func Test_cmdwin_insert_mode_close()
call assert_equal(1, winnr('$'))
endfunc
+func Test_cmdwin_ex_mode_with_modifier()
+ " this was accessing memory after allocated text in Ex mode
+ new
+ call setline(1, ['some', 'text', 'lines'])
+ silent! call feedkeys("gQnormal vq:atopleft\<C-V>\<CR>\<CR>", 'xt')
+ bwipe!
+endfunc
+
" test that ";" works to find a match at the start of the first line
func Test_zero_line_search()
new
--
1.8.3.1
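Review bot: The added `STRCPY(orig_cmd + len, " *+");` in parse_command_modifiers() is still an unbounded copy, and its safety rests on a size invariant that the new comment only hints at. I would spell it out and fix the typo "in case is was allocated", e.g. `// " *+" (3 bytes) is shorter than the "'<,'>" (5 bytes) it replaces, so the rewritten command never outgrows the original buffer.` The function starts and ends outside the hunk, so whether `orig_cmd` always begins with that five-byte prefix on this path cannot be confirmed from here. Test_cmdwin_ex_mode_with_modifier has no assertion, so it only catches a regression when the test suite runs under a memory checker.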


@ -6,18 +6,17 @@ Subject: [PATCH] patch 9.0.0026: accessing freed memory with diff put
Problem: Accessing freed memory with diff put.
Solution: Bail out when diff pointer is no longer valid.
---
src/diff.c | 24 ++++++++++++++++++++++--
1 file changed, 22 insertions(+), 2 deletions(-)
src/diff.c | 24 ++++++++++++++++++++++--
1 files changed, 22 insertions(+), 2 deletions(-)
diff --git a/src/diff.c b/src/diff.c
index 8569a9f..d79dfee 100644
index 91e5ae2..e4bafe2 100644
--- a/src/diff.c
+++ b/src/diff.c
@@ -2560,6 +2560,20 @@ nv_diffgetput(int put, long count)
ex_diffgetput(&ea);
@@ -2643,6 +2643,20 @@ nv_diffgetput(int put, long count)
}
+/*
/*
+ * Return TRUE if "diff" appears in the list of diff blocks of the current tab.
+ */
+ static int
@ -31,10 +30,11 @@ index 8569a9f..d79dfee 100644
+ return FALSE;
+}
+
/*
+/*
* ":diffget"
* ":diffput"
@@ -2817,9 +2831,9 @@ ex_diffgetput(exarg_T *eap)
*/
@@ -2899,9 +2913,9 @@ ex_diffgetput(exarg_T *eap)
}
}
@ -45,7 +45,7 @@ index 8569a9f..d79dfee 100644
mark_adjust(lnum, lnum + count - 1, (long)MAXLNUM, (long)added);
if (curwin->w_cursor.lnum >= lnum)
{
@@ -2841,7 +2855,13 @@ ex_diffgetput(exarg_T *eap)
@@ -2923,7 +2937,13 @@ ex_diffgetput(exarg_T *eap)
#endif
vim_free(dfree);
}
@ -61,5 +61,5 @@ index 8569a9f..d79dfee 100644
dp->df_count[idx_to] = new_count;
--
2.27.0
1.8.3.1


@ -11,10 +11,10 @@ Solution: Limit the word length.
2 files changed, 15 insertions(+), 2 deletions(-)
diff --git a/src/spell.c b/src/spell.c
index 5b25950..1d7a1ae 100644
index d866a2d..24abce4 100644
--- a/src/spell.c
+++ b/src/spell.c
@@ -3958,9 +3958,10 @@ spell_dump_compl(
@@ -3996,9 +3996,10 @@ spell_dump_compl(
n = arridx[depth] + curi[depth];
++curi[depth];
c = byts[n];
@ -28,10 +28,10 @@ index 5b25950..1d7a1ae 100644
// they will appear in the keep-case tree.
// Only use the word when the region matches.
diff --git a/src/testdir/test_spell.vim b/src/testdir/test_spell.vim
index ff50ecd..1f79907 100644
index d3f56d8..a291eb5 100644
--- a/src/testdir/test_spell.vim
+++ b/src/testdir/test_spell.vim
@@ -141,6 +141,18 @@ func Test_spellreall()
@@ -285,6 +285,18 @@ func Test_spellreall()
bwipe!
endfunc
@ -47,9 +47,9 @@ index ff50ecd..1f79907 100644
+ nunmap 0
+endfunc
+
func Test_spellsuggest_visual_end_of_line()
let enc_save = &encoding
set encoding=iso8859
" Test spellsuggest({word} [, {max} [, {capital}]])
func Test_spellsuggest()
" Verify suggestions are given even when spell checking is not enabled.
--
1.8.3.1


@ -1,22 +1,22 @@
From caea66442d86e7bbba3bf3dc202c3c0d549b9853 Mon Sep 17 00:00:00 2001
FROM CAEA66442D86E7BBBA3BF3DC202C3C0D549B9853 MON SEP 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Thu, 7 Jul 2022 19:42:04 +0100
Subject: [PATCH] patch 9.0.0045: reading past end of completion with a long
line
Subject: [PATCH] patch 9.0.0045: reading past end of completion with a
long line
Problem: Reading past end of completion with a long line and 'infercase'
set.
Solution: Allocate the string if needed.
---
src/insexpand.c | 96 +++++++++++++++++++++++++++------------
src/testdir/test_ins_complete.vim | 14 ++++++
2 files changed, 81 insertions(+), 29 deletions(-)
src/insexpand.c | 94 ++++++++++++++++++++++---------
src/testdir/test_ins_complete.vim | 16 ++++++
2 files changed, 82 insertions(+), 28 deletions(-)
diff --git a/src/insexpand.c b/src/insexpand.c
index 3b4d530..e8ba82e 100644
index 734550f..0ecb656 100644
--- a/src/insexpand.c
+++ b/src/insexpand.c
@@ -408,29 +408,32 @@ ins_compl_accept_char(int c)
@@ -524,29 +524,32 @@ ins_compl_accept_char(int c)
/*
* Get the completed text by inferring the case of the originally typed text.
@ -54,7 +54,7 @@ index 3b4d530..e8ba82e 100644
if (has_mbyte)
wca[i] = mb_ptr2char_adv(&p);
else
@@ -450,7 +453,7 @@ ins_compl_infercase_gettext(
@@ -566,7 +569,7 @@ ins_compl_infercase_gettext(
if (MB_ISUPPER(wca[i]))
{
// Rule 1 is satisfied.
@ -63,7 +63,7 @@ index 3b4d530..e8ba82e 100644
wca[i] = MB_TOLOWER(wca[i]);
break;
}
@@ -471,7 +474,7 @@ ins_compl_infercase_gettext(
@@ -587,7 +590,7 @@ ins_compl_infercase_gettext(
if (was_letter && MB_ISUPPER(c) && MB_ISLOWER(wca[i]))
{
// Rule 2 is satisfied.
@ -72,7 +72,7 @@ index 3b4d530..e8ba82e 100644
wca[i] = MB_TOUPPER(wca[i]);
break;
}
@@ -494,20 +497,52 @@ ins_compl_infercase_gettext(
@@ -610,20 +613,52 @@ ins_compl_infercase_gettext(
}
// Generate encoding specific output from wide character array.
@ -132,7 +132,7 @@ index 3b4d530..e8ba82e 100644
return IObuff;
}
@@ -528,10 +563,12 @@ ins_compl_add_infercase(
@@ -644,10 +679,12 @@ ins_compl_add_infercase(
{
char_u *str = str_arg;
char_u *p;
@ -147,7 +147,7 @@ index 3b4d530..e8ba82e 100644
if (p_ic && curbuf->b_p_inf && len > 0)
{
@@ -541,44 +578,45 @@ ins_compl_add_infercase(
@@ -657,44 +694,45 @@ ins_compl_add_infercase(
if (has_mbyte)
{
p = str;
@ -198,21 +198,21 @@ index 3b4d530..e8ba82e 100644
if (icase)
flags |= CP_ICASE;
- return ins_compl_add(str, len, fname, NULL, dir, flags, FALSE);
+ res = ins_compl_add(str, len, fname, NULL, dir, flags, FALSE);
- return ins_compl_add(str, len, fname, NULL, NULL, dir, flags, FALSE);
+ res = ins_compl_add(str, len, fname, NULL, NULL, dir, flags, FALSE);
+ vim_free(tofree);
+ return res;
}
/*
diff --git a/src/testdir/test_ins_complete.vim b/src/testdir/test_ins_complete.vim
index b7cfd29..aa054f2 100644
index 20c2b4f..f2daa02 100644
--- a/src/testdir/test_ins_complete.vim
+++ b/src/testdir/test_ins_complete.vim
@@ -397,3 +397,17 @@ func Test_complete_overrun()
bwipe!
@@ -2192,4 +2192,20 @@ func Test_complete_overrun()
endfunc
+func Test_infercase_very_long_line()
+ " this was truncating the line when inferring case
+ new
@ -227,6 +227,9 @@ index b7cfd29..aa054f2 100644
+ bwipe!
+ set noic noinfercase
+endfunc
+
+
" vim: shiftwidth=2 sts=2 expandtab
--
1.8.3.1
2.36.1
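Review bot: The first header line of this refreshed patch is printed twice and one copy is fully upper-cased (`FROM CAEA66442D86E7BBBA3BF3DC202C3C0D549B9853 MON SEP 17 00:00:00 2001`). If that is the new side, the mbox separator no longer begins with the literal `From ` that `git am` and `git mailinfo` expect, and the upstream commit id is no longer in its canonical lowercase form. `patch` normally skips leading text it does not recognise, so the build is probably unaffected, but the provenance of this memory-safety fix becomes harder to check by tooling. I would restore `From caea66442d86e7bbba3bf3dc202c3c0d549b9853 Mon Sep 17 00:00:00 2001`.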


@ -1,8 +1,8 @@
From baefde14550231f6468ac2ed2ed495bc381c0c92 Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Thu, 7 Jul 2022 19:59:49 +0100
Subject: [PATCH] patch 9.0.0046: reading past end of completion with duplicate
match
Subject: [PATCH] patch 9.0.0046: reading past end of completion with
duplicate match
Problem: Reading past end of completion with duplicate match.
Solution: Check string length
@ -12,25 +12,25 @@ Solution: Check string length
2 files changed, 12 insertions(+), 1 deletion(-)
diff --git a/src/insexpand.c b/src/insexpand.c
index bf98cee..50e0579 100644
index 0ecb656..9c598a8 100644
--- a/src/insexpand.c
+++ b/src/insexpand.c
@@ -597,7 +597,8 @@ ins_compl_add(
@@ -786,7 +786,8 @@ ins_compl_add(
{
if ( !(match->cp_flags & CP_ORIGINAL_TEXT)
if (!match_at_original_text(match)
&& STRNCMP(match->cp_str, str, len) == 0
- && match->cp_str[len] == NUL)
+ && ((int)STRLEN(match->cp_str) <= len
+ || match->cp_str[len] == NUL))
return NOTDONE;
match = match->cp_next;
} while (match != NULL && match != compl_first_match);
} while (match != NULL && !is_first_match(match));
diff --git a/src/testdir/test_ins_complete.vim b/src/testdir/test_ins_complete.vim
index e48a72c..8f584d3 100644
index 5e5b1bb..2be6d06 100644
--- a/src/testdir/test_ins_complete.vim
+++ b/src/testdir/test_ins_complete.vim
@@ -380,3 +380,13 @@ func Test_ins_completeslash()
set completeslash=
@@ -2112,5 +2112,15 @@ func Test_infercase_very_long_line()
set noic noinfercase
endfunc
+func Test_ins_complete_add()
@ -43,6 +43,8 @@ index e48a72c..8f584d3 100644
+ bwipe!
+endfunc
+
" vim: shiftwidth=2 sts=2 expandtab
--
1.8.3.1


@ -1,27 +1,28 @@
From 32acf1f1a72ebb9d8942b9c9d80023bf1bb668ea Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Thu, 7 Jul 2022 22:20:31 +0100
Subject: [PATCH] patch 9.0.0047: using freed memory with recursive substitute
Subject: [PATCH] patch 9.0.0047: using freed memory with recursive
substitute
Problem: Using freed memory with recursive substitute.
Solution: Always make a copy for reg_prev_sub.
---
src/ex_cmds.c | 11 ++++++++++-
src/regexp.c | 8 ++++----
src/testdir/test_regexp_latin.vim | 12 ++++++++++++
3 files changed, 26 insertions(+), 5 deletions(-)
src/testdir/test_regexp_latin.vim | 11 +++++++++++
3 files changed, 25 insertions(+), 5 deletions(-)
diff --git a/src/ex_cmds.c b/src/ex_cmds.c
index 0a22f59..5a90c2f 100644
index eb3016f..5253863 100644
--- a/src/ex_cmds.c
+++ b/src/ex_cmds.c
@@ -3881,7 +3881,16 @@ do_sub(exarg_T *eap)
sub_copy = sub;
@@ -3994,7 +3994,16 @@ ex_substitute(exarg_T *eap)
sub_copy = sub;
}
else
- sub = regtilde(sub, p_magic);
- sub = regtilde(sub, magic_isset());
+ {
+ char_u *newsub = regtilde(sub, p_magic);
+ char_u *newsub = regtilde(sub, magic_isset());
+
+ if (newsub != sub)
+ {
@ -34,10 +35,10 @@ index 0a22f59..5a90c2f 100644
/*
* Check for a match on each line.
diff --git a/src/regexp.c b/src/regexp.c
index 6849cba..c2f29c8 100644
index 2cbe64e..f35a5e8 100644
--- a/src/regexp.c
+++ b/src/regexp.c
@@ -1761,11 +1761,11 @@ regtilde(char_u *source, int magic)
@@ -1766,11 +1766,11 @@ regtilde(char_u *source, int magic)
}
}
@ -54,14 +55,13 @@ index 6849cba..c2f29c8 100644
}
diff --git a/src/testdir/test_regexp_latin.vim b/src/testdir/test_regexp_latin.vim
index a242d91..b668f87 100644
index 1fe4699..dce6709 100644
--- a/src/testdir/test_regexp_latin.vim
+++ b/src/testdir/test_regexp_latin.vim
@@ -172,3 +172,15 @@ func Test_using_invalid_visual_position()
/\%V
@@ -1114,4 +1114,15 @@ func Test_using_two_engines_pattern()
bwipe!
endfunc
+
+func Test_recursive_substitute_expr()
+ new
+ func Repl()
@ -73,6 +73,7 @@ index a242d91..b668f87 100644
+ delfunc Repl
+endfunc
+
" vim: shiftwidth=2 sts=2 expandtab
--
1.8.3.1


@ -12,10 +12,10 @@ Solution: Terminate string with NUL.
2 files changed, 8 insertions(+)
diff --git a/src/insexpand.c b/src/insexpand.c
index b1114b5..88dbac6 100644
index b49a631..c505158 100644
--- a/src/insexpand.c
+++ b/src/insexpand.c
@@ -526,6 +526,7 @@ ins_compl_infercase_gettext(
@@ -642,6 +642,7 @@ ins_compl_infercase_gettext(
// growarray. Add the character in the next round.
if (ga_grow(&gap, IOSIZE) == FAIL)
return (char_u *)"[failed]";
@ -24,10 +24,10 @@ index b1114b5..88dbac6 100644
gap.ga_len = (int)STRLEN(IObuff);
}
diff --git a/src/testdir/test_ins_complete.vim b/src/testdir/test_ins_complete.vim
index aa054f2..5e7353c 100644
index 2be6d06..7bebc5d 100644
--- a/src/testdir/test_ins_complete.vim
+++ b/src/testdir/test_ins_complete.vim
@@ -408,6 +408,13 @@ func Test_infercase_very_long_line()
@@ -2108,6 +2108,13 @@ func Test_infercase_very_long_line()
exe "normal 2Go\<C-X>\<C-L>\<Esc>"
call assert_equal(longLine, getline(3))
@ -42,5 +42,5 @@ index aa054f2..5e7353c 100644
set noic noinfercase
endfunc
--
2.27.0
1.8.3.1


@ -1,39 +1,37 @@
From a6f9e300161f4cb54713da22f65b261595e8e614 Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Thu, 28 Jul 2022 21:51:37 +0100
Subject: [PATCH] patch 9.0.0102: reading past end of line with insert
mode
Subject: [PATCH] patch 9.0.0102: reading past end of line with insert mode
completion
Problem: Reading past end of line with insert mode completion.
Solution: Check text length.
---
src/insexpand.c | 2 +-
src/testdir/test_ins_complete.vim | 9 +++++++++
2 files changed, 10 insertions(+), 1 deletion(-)
src/testdir/test_ins_complete.vim | 8 ++++++++
2 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/src/insexpand.c b/src/insexpand.c
index 88dbac6..a23d2d6 100644
index 7339ce9..fc3eff0 100644
--- a/src/insexpand.c
+++ b/src/insexpand.c
@@ -2998,7 +2998,7 @@ ins_compl_get_exp(pos_T *ini)
{
char_u *tmp_ptr = ptr;
@@ -3501,7 +3501,7 @@ ins_comp_get_next_word_or_line(
{
char_u *tmp_ptr = ptr;
- if (compl_cont_status & CONT_ADDING)
+ if (compl_cont_status & CONT_ADDING && compl_length <= (int)STRLEN(tmp_ptr))
{
tmp_ptr += compl_length;
// Skip if already inside a word.
- if (compl_status_adding())
+ if (compl_status_adding() && compl_length <= (int)STRLEN(tmp_ptr))
{
tmp_ptr += compl_length;
// Skip if already inside a word.
diff --git a/src/testdir/test_ins_complete.vim b/src/testdir/test_ins_complete.vim
index 5e7353c..39ece18 100644
index 35c5785..2b0a294 100644
--- a/src/testdir/test_ins_complete.vim
+++ b/src/testdir/test_ins_complete.vim
@@ -418,3 +418,12 @@ func Test_infercase_very_long_line()
@@ -2142,5 +2142,13 @@ func Test_ins_complete_add()
bwipe!
set noic noinfercase
endfunc
+
+func Test_ins_complete_end_of_line()
+ " this was reading past the end of the line
+ new
@ -42,6 +40,8 @@ index 5e7353c..39ece18 100644
+
+ bwipe!
+endfunc
" vim: shiftwidth=2 sts=2 expandtab
--
2.27.0
1.8.3.1

Binary file not shown.


@ -0,0 +1,65 @@
From f50940531dd57135fe60aa393ac9d3281f352d88 Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Fri, 29 Jul 2022 16:22:25 +0100
Subject: [PATCH 002/123] patch 9.0.0105: illegal memory access when pattern
starts with illegal byte
Problem: Illegal memory access when pattern starts with illegal byte.
Solution: Do not match a character with an illegal byte.
---
src/regexp.c | 6 +++++-
src/testdir/test_regexp_utf8.vim | 15 +++++++++++++++
2 files changed, 20 insertions(+), 1 deletion(-)
diff --git a/src/regexp.c b/src/regexp.c
index 1a5cfd0..bec0464 100644
--- a/src/regexp.c
+++ b/src/regexp.c
@@ -1641,7 +1641,11 @@ cstrchr(char_u *s, int c)
{
if (enc_utf8 && c > 0x80)
{
- if (utf_fold(utf_ptr2char(p)) == cc)
+ int uc = utf_ptr2char(p);
+
+ // Do not match an illegal byte. E.g. 0xff matches 0xc3 0xbf,
+ // not 0xff.
+ if ((uc < 0x80 || uc != *p) && utf_fold(uc) == cc)
return p;
}
else if (*p == c || *p == cc)
diff --git a/src/testdir/test_regexp_utf8.vim b/src/testdir/test_regexp_utf8.vim
index d88e263..e7672dd 100644
--- a/src/testdir/test_regexp_utf8.vim
+++ b/src/testdir/test_regexp_utf8.vim
@@ -1,5 +1,7 @@
" Tests for regexp in utf8 encoding
+source shared.vim
+
func s:equivalence_test()
let str = "AÀÁÂÃÄÅĀĂĄǍǞǠǺȂȦȺḀẠẢẤẦẨẪẬẮẰẲẴẶ BƁɃḂḄḆ CÇĆĈĊČƇȻḈꞒ DĎĐƊḊḌḎḐḒ EÈÉÊËĒĔĖĘĚȄȆȨɆḔḖḘḚḜẸẺẼẾỀỂỄỆ FƑḞ GĜĞĠĢƓǤǦǴḠꞠ HĤĦȞḢḤḦḨḪⱧ IÌÍÎÏĨĪĬĮİƗǏȈȊḬḮỈỊ JĴɈ KĶƘǨḰḲḴⱩꝀ LĹĻĽĿŁȽḶḸḺḼⱠ MḾṀṂ NÑŃŅŇǸṄṆṈṊꞤ OÒÓÔÕÖØŌŎŐƟƠǑǪǬǾȌȎȪȬȮȰṌṎṐṒỌỎỐỒỔỖỘỚỜỞỠỢ PƤṔṖⱣ QɊ RŔŖŘȐȒɌṘṚṜṞⱤꞦ SŚŜŞŠȘṠṢṤṦṨⱾꞨ TŢŤŦƬƮȚȾṪṬṮṰ UÙÚÛÜŨŪŬŮŰƯǕǙǛǓǗȔȖɄṲṴṶṸṺỤỦỨỪỬỮỰ VƲṼṾ WŴẀẂẄẆẈ XẊẌ YÝŶŸƳȲɎẎỲỴỶỸ ZŹŻŽƵẐẒẔⱫ aàáâãäåāăąǎǟǡǻȃȧᶏḁẚạảấầẩẫậắằẳẵặⱥ bƀɓᵬᶀḃḅḇ cçćĉċčƈȼḉꞓꞔ dďđɗᵭᶁᶑḋḍḏḑḓ eèéêëēĕėęěȅȇȩɇᶒḕḗḙḛḝẹẻẽếềểễệ fƒᵮᶂḟ gĝğġģǥǧǵɠḡꞡ hĥħȟḣḥḧḩḫẖⱨꞕ iìíîïĩīĭįǐȉȋɨᶖḭḯỉị jĵǰɉ kķƙǩᶄḱḳḵⱪꝁ lĺļľŀłƚḷḹḻḽⱡ mᵯḿṁṃ nñńņňʼnǹᵰᶇṅṇṉṋꞥ oòóôõöøōŏőơǒǫǭǿȍȏȫȭȯȱɵṍṏṑṓọỏốồổỗộớờởỡợ pƥᵱᵽᶈṕṗ qɋʠ rŕŗřȑȓɍɽᵲᵳᶉṛṝṟꞧ sśŝşšșȿᵴᶊṡṣṥṧṩꞩ tţťŧƫƭțʈᵵṫṭṯṱẗⱦ uùúûüũūŭůűųǚǖưǔǘǜȕȗʉᵾᶙṳṵṷṹṻụủứừửữự vʋṽṿ wŵẁẃẅẇẉẘ xẋẍ yýÿŷƴȳɏẏẙỳỵỷỹ zźżžƶᵶᶎẑẓẕⱬ"
let groups = split(str)
@@ -560,6 +562,19 @@ func Test_match_invalid_byte()
call delete('Xinvalid')
endfunc
+func Test_match_illegal_byte()
+ let lines =<< trim END
+ silent! buffer ÿ\c
+ next ÿ
+ 0scriptnames
+ source
+ END
+ call writefile(lines, 'Xregexp')
+ call system(GetVimCommand() .. ' -X -Z -e -s -S Xregexp -c qa!')
+
+ call delete('Xregexp')
+endfunc
+
func Test_match_too_complicated()
set regexpengine=1
exe "noswapfile vsplit \xeb\xdb\x99"
--
1.8.3.1


@ -1,8 +1,7 @@
From 4e677b9c40ccbc5f090971b31dc2fe07bf05541d Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Thu, 28 Jul 2022 18:44:27 +0100
Subject: [PATCH] patch 9.0.0101: invalid memory access in diff mode with
"dp"
Subject: [PATCH] patch 9.0.0101: invalid memory access in diff mode with "dp"
and undo
Problem: Invalid memory access in diff mode with "dp" and undo.
@ -13,10 +12,10 @@ Solution: Make sure the line number does not go below one.
2 files changed, 20 insertions(+), 3 deletions(-)
diff --git a/src/diff.c b/src/diff.c
index 2801c67..5328000 100644
index e4bafe2..fb43eee 100644
--- a/src/diff.c
+++ b/src/diff.c
@@ -452,7 +452,10 @@ diff_mark_adjust_tp(
@@ -464,7 +464,10 @@ diff_mark_adjust_tp(
for (i = 0; i < DB_COUNT; ++i)
if (tp->tp_diffbuf[i] != NULL && i != idx)
{
@ -28,26 +27,25 @@ index 2801c67..5328000 100644
dp->df_count[i] += n;
}
}
@@ -2781,8 +2784,8 @@ ex_diffgetput(exarg_T *eap)
@@ -2863,8 +2866,8 @@ ex_diffgetput(exarg_T *eap)
{
// remember deleting the last line of the buffer
buf_empty = curbuf->b_ml.ml_line_count == 1;
- ml_delete(lnum, FALSE);
- ml_delete(lnum);
- --added;
+ if (ml_delete(lnum, FALSE) == OK)
+ if (ml_delete(lnum) == OK)
+ --added;
}
for (i = 0; i < dp->df_count[idx_from] - start_skip - end_skip; ++i)
{
diff --git a/src/testdir/test_diffmode.vim b/src/testdir/test_diffmode.vim
index a75d0e5..d3b8f6c 100644
index dcacd55..41f7fe3 100644
--- a/src/testdir/test_diffmode.vim
+++ b/src/testdir/test_diffmode.vim
@@ -852,3 +852,17 @@ func Test_diff_manipulations()
set nodiff
@@ -1628,5 +1628,19 @@ func Test_diff_manipulations()
%bwipe!
endfunc
+
+" This was causing the line number in the diff block to go below one.
+" FIXME: somehow this causes a valgrind error when run directly but not when
+" run as a test.
@ -61,6 +59,9 @@ index a75d0e5..d3b8f6c 100644
+ bwipe!
+ set nodiff
+endfunc
+
" vim: shiftwidth=2 sts=2 expandtab
--
2.27.0
1.8.3.1


@ -0,0 +1,58 @@
From dbdd16b62560413abcc3c8e893cc3010ccf31666 Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Sun, 14 Aug 2022 21:46:07 +0100
Subject: [PATCH] patch 9.0.0212: invalid memory access when compiling :unlet
Problem: Invalid memory access when compiling :unlet.
Solution: Don't read past the end of the line.
---
src/testdir/test_vim9_cmd.vim | 11 +++++++++--
src/vim9cmds.c | 6 ++++++
2 files changed, 15 insertions(+), 2 deletions(-)
diff --git a/src/testdir/test_vim9_cmd.vim b/src/testdir/test_vim9_cmd.vim
index 16f534e..a40f261 100644
--- a/src/testdir/test_vim9_cmd.vim
+++ b/src/testdir/test_vim9_cmd.vim
@@ -1704,12 +1704,19 @@ def Test_lockvar()
lines =<< trim END
def _()
- s:0([], s:0)
lockv
enddef
defcomp
END
- v9.CheckScriptFailure(lines, 'E179', 2)
+ v9.CheckScriptFailure(lines, 'E179', 1)
+
+ lines =<< trim END
+ def T()
+ unlet
+ enddef
+ defcomp
+ END
+ v9.CheckScriptFailure(lines, 'E179', 1)
enddef
def Test_substitute_expr()
diff --git a/src/vim9cmds.c b/src/vim9cmds.c
index 35a3821..93032d6 100644
--- a/src/vim9cmds.c
+++ b/src/vim9cmds.c
@@ -92,6 +92,12 @@ free_locals(cctx_T *cctx)
int
check_vim9_unlet(char_u *name)
{
+ if (*name == NUL)
+ {
+ semsg(_(e_argument_required_for_str), "unlet");
+ return FAIL;
+ }
+
if (name[1] != ':' || vim_strchr((char_u *)"gwtb", *name) == NULL)
{
// "unlet s:var" is allowed in legacy script.
--
2.36.1
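Review bot: This patch only applies on top of the 9.0.0211 backport, and nothing in its header says so. Its test_vim9_cmd.vim hunk starts from blob 16f534e, which is the blob the 9.0.0211 patch produces, and it edits the `def _()` / `lockv` test that patch adds. The order in which the package applies its patches is not visible here, so confirm 9.0.0211 comes first; a description line such as `Requires: patch 9.0.0211 applied first` would make the dependency explicit. In `check_vim9_unlet()` the new `*name == NUL` test is what keeps the following `name[1]` read inside the string, and a comment like `// name[1] is read below, so reject an empty name first` would keep the two together.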


@ -0,0 +1,75 @@
From 249e1b903a9c0460d618f6dcc59aeb8c03b24b20 Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Sun, 14 Aug 2022 22:23:02 +0100
Subject: [PATCH] patch 9.0.0213: using freed memory with error in assert
argument
Problem: Using freed memory with error in assert argument.
Solution: Make a copy of the error.
---
src/testdir/test_assert.vim | 4 ++++
src/testing.c | 18 ++++++++++++------
2 files changed, 16 insertions(+), 6 deletions(-)
diff --git a/src/testdir/test_assert.vim b/src/testdir/test_assert.vim
index 27b2d73..7c9d090 100644
--- a/src/testdir/test_assert.vim
+++ b/src/testdir/test_assert.vim
@@ -291,6 +291,10 @@ func Test_assert_fail_fails()
let exp = v:exception
endtry
call assert_match("E1174: String required for argument 5", exp)
+
+ call assert_equal(1, assert_fails('c0', ['', '\1']))
+ call assert_match("Expected '\\\\\\\\1' but got 'E939: Positive count required: c0': c0", v:errors[0])
+ call remove(v:errors, 0)
endfunc
func Test_assert_fails_in_try_block()
diff --git a/src/testing.c b/src/testing.c
index c49df4b..43b8d20 100644
--- a/src/testing.c
+++ b/src/testing.c
@@ -597,6 +597,7 @@ f_assert_fails(typval_T *argvars, typval_T *rettv)
int save_trylevel = trylevel;
int called_emsg_before = called_emsg;
char *wrong_arg_msg = NULL;
+ char_u *tofree = NULL;
if (check_for_string_or_number_arg(argvars, 0) == FAIL
|| check_for_opt_string_or_list_arg(argvars, 1) == FAIL
@@ -660,13 +661,17 @@ f_assert_fails(typval_T *argvars, typval_T *rettv)
}
else if (list->lv_len == 2)
{
- tv = &list->lv_u.mat.lv_last->li_tv;
- actual = get_vim_var_str(VV_ERRMSG);
- expected = tv_get_string_buf_chk(tv, buf);
- if (!pattern_match(expected, actual, FALSE))
+ // make a copy, an error in pattern_match() may free it
+ tofree = actual = vim_strsave(get_vim_var_str(VV_ERRMSG));
+ if (actual != NULL)
{
- error_found = TRUE;
- expected_str = expected;
+ tv = &list->lv_u.mat.lv_last->li_tv;
+ expected = tv_get_string_buf_chk(tv, buf);
+ if (!pattern_match(expected, actual, FALSE))
+ {
+ error_found = TRUE;
+ expected_str = expected;
+ }
}
}
}
@@ -749,6 +754,7 @@ theend:
msg_scrolled = 0;
lines_left = Rows;
VIM_CLEAR(emsg_assert_fails_msg);
+ vim_free(tofree);
set_vim_var_string(VV_ERRMSG, NULL, 0);
if (wrong_arg_msg != NULL)
emsg(_(wrong_arg_msg));
--
2.36.1
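Review bot: When `vim_strsave()` returns NULL the new `if (actual != NULL)` block is skipped entirely, so the second list item is never compared with the error message and `error_found` keeps its earlier value. Under allocation failure `assert_fails()` can then report success for a pattern it did not check. An `else` branch setting `error_found = TRUE`, or at least a comment such as `// out of memory: second pattern not checked`, would make that path explicit; how `expected_str` is reported afterwards is outside the hunk, so confirm it tolerates being unset. The copy is released through `tofree` at `theend:`, so any `return` in `f_assert_fails()` that bypasses that label (none is visible in these hunks) would leak it.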


@ -0,0 +1,66 @@
From d1d8f6bacb489036d0fd479c9dd3c0102c988889 Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Sun, 14 Aug 2022 21:28:32 +0100
Subject: [PATCH] patch 9.0.0211: invalid memory access when compiling :lockvar
Problem: Invalid memory access when compiling :lockvar.
Solution: Don't read past the end of the line.
---
src/testdir/test_vim9_cmd.vim | 9 +++++++++
src/vim9cmds.c | 9 +++++++--
2 files changed, 16 insertions(+), 2 deletions(-)
diff --git a/src/testdir/test_vim9_cmd.vim b/src/testdir/test_vim9_cmd.vim
index 7db8e50..16f534e 100644
--- a/src/testdir/test_vim9_cmd.vim
+++ b/src/testdir/test_vim9_cmd.vim
@@ -1701,6 +1701,15 @@ def Test_lockvar()
UnLockIt()
END
v9.CheckScriptFailure(lines, 'E46', 1)
+
+ lines =<< trim END
+ def _()
+ s:0([], s:0)
+ lockv
+ enddef
+ defcomp
+ END
+ v9.CheckScriptFailure(lines, 'E179', 2)
enddef
def Test_substitute_expr()
diff --git a/src/vim9cmds.c b/src/vim9cmds.c
index ad32c32..35a3821 100644
--- a/src/vim9cmds.c
+++ b/src/vim9cmds.c
@@ -188,10 +188,17 @@ compile_lock_unlock(
size_t len;
char_u *buf;
isntype_T isn = ISN_EXEC;
+ char *cmd = eap->cmdidx == CMD_lockvar ? "lockvar" : "unlockvar";
if (cctx->ctx_skip == SKIP_YES)
return OK;
+ if (*p == NUL)
+ {
+ semsg(_(e_argument_required_for_str), cmd);
+ return FAIL;
+ }
+
// Cannot use :lockvar and :unlockvar on local variables.
if (p[1] != ':')
{
@@ -223,8 +230,6 @@ compile_lock_unlock(
ret = FAIL;
else
{
- char *cmd = eap->cmdidx == CMD_lockvar ? "lockvar" : "unlockvar";
-
if (deep < 0)
vim_snprintf((char *)buf, len, "%s! %s", cmd, p);
else
--
2.36.1


@ -12,10 +12,10 @@ Solution: When displaying "$" check the column is not negative.
3 files changed, 11 insertions(+), 2 deletions(-)
diff --git a/src/edit.c b/src/edit.c
index bc0b7dc..a20fd3d 100644
index a8e695c..96f47bd 100644
--- a/src/edit.c
+++ b/src/edit.c
@@ -1769,8 +1769,9 @@ edit_unputchar(void)
@@ -1741,8 +1741,9 @@ edit_unputchar(void)
* Only works when cursor is in the line that changes.
*/
void
@ -27,12 +27,12 @@ index bc0b7dc..a20fd3d 100644
if (!redrawing())
diff --git a/src/proto/edit.pro b/src/proto/edit.pro
index 49b9f4c..d0d3b17 100644
index a233e40..f35ec1e 100644
--- a/src/proto/edit.pro
+++ b/src/proto/edit.pro
@@ -7,7 +7,7 @@ void edit_putchar(int c, int highlight);
char_u *prompt_text(void);
int prompt_curpos_editable(void);
@@ -5,7 +5,7 @@ void ins_redraw(int ready);
void edit_putchar(int c, int highlight);
void set_insstart(linenr_T lnum, int col);
void edit_unputchar(void);
-void display_dollar(colnr_T col);
+void display_dollar(colnr_T col_arg);
@ -40,10 +40,10 @@ index 49b9f4c..d0d3b17 100644
void truncate_spaces(char_u *line);
void backspace_until_column(int col);
diff --git a/src/testdir/test_cmdline.vim b/src/testdir/test_cmdline.vim
index 735b0a5..33808d7 100644
index f0498a1..08e2de7 100644
--- a/src/testdir/test_cmdline.vim
+++ b/src/testdir/test_cmdline.vim
@@ -935,4 +935,12 @@ func Test_long_error_message()
@@ -3439,4 +3439,12 @@ func Test_long_error_message()
silent! norm Q00000000000000     000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000                                                                                                                                                                                                                        
endfunc
@ -57,5 +57,5 @@ index 735b0a5..33808d7 100644
+
" vim: shiftwidth=2 sts=2 expandtab
--
2.33.0
2.36.1


@ -0,0 +1,103 @@
From f6d39c31d2177549a986d170e192d8351bd571e2 Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Tue, 16 Aug 2022 17:50:38 +0100
Subject: [PATCH] patch 9.0.0220: invalid memory access with for loop over NULL
string
Problem: Invalid memory access with for loop over NULL string.
Solution: Make sure mb_ptr2len() consistently returns zero for NUL.
---
src/globals.h | 3 ++-
src/mbyte.c | 21 +++++++++++++--------
src/testdir/test_eval_stuff.vim | 12 ++++++++++++
3 files changed, 27 insertions(+), 9 deletions(-)
diff --git a/src/globals.h b/src/globals.h
index 888f6e9..9b40be4 100644
--- a/src/globals.h
+++ b/src/globals.h
@@ -1033,7 +1033,8 @@ EXTERN vimconv_T output_conv; // type of output conversion
* (DBCS).
* The value is set in mb_init();
*/
-// length of char in bytes, including following composing chars
+// Length of char in bytes, including any following composing chars.
+// NUL has length zero.
EXTERN int (*mb_ptr2len)(char_u *p) INIT(= latin_ptr2len);
// idem, with limit on string length
diff --git a/src/mbyte.c b/src/mbyte.c
index 3656880..782a7ad 100644
--- a/src/mbyte.c
+++ b/src/mbyte.c
@@ -1077,24 +1077,28 @@ dbcs_char2bytes(int c, char_u *buf)
}
/*
- * mb_ptr2len() function pointer.
- * Get byte length of character at "*p" but stop at a NUL.
- * For UTF-8 this includes following composing characters.
- * Returns 0 when *p is NUL.
+ * Get byte length of character at "*p". Returns zero when "*p" is NUL.
+ * Used for mb_ptr2len() when 'encoding' latin.
*/
int
latin_ptr2len(char_u *p)
{
- return MB_BYTE2LEN(*p);
+ return *p == NUL ? 0 : 1;
}
+/*
+ * Get byte length of character at "*p". Returns zero when "*p" is NUL.
+ * Used for mb_ptr2len() when 'encoding' DBCS.
+ */
static int
-dbcs_ptr2len(
- char_u *p)
+dbcs_ptr2len(char_u *p)
{
int len;
- // Check if second byte is not missing.
+ if (*p == NUL)
+ return 0;
+
+ // if the second byte is missing the length is 1
len = MB_BYTE2LEN(*p);
if (len == 2 && p[1] == NUL)
len = 1;
@@ -2105,6 +2109,7 @@ utf_ptr2len_len(char_u *p, int size)
/*
* Return the number of bytes the UTF-8 encoding of the character at "p" takes.
* This includes following composing characters.
+ * Returns zero for NUL.
*/
int
utfc_ptr2len(char_u *p)
diff --git a/src/testdir/test_eval_stuff.vim b/src/testdir/test_eval_stuff.vim
index c63082e..313d791 100644
--- a/src/testdir/test_eval_stuff.vim
+++ b/src/testdir/test_eval_stuff.vim
@@ -75,6 +75,18 @@ func Test_for_invalid()
redraw
endfunc
+func Test_for_over_null_string()
+ let save_enc = &enc
+ set enc=iso8859
+ let cnt = 0
+ for c in test_null_string()
+ let cnt += 1
+ endfor
+ call assert_equal(0, cnt)
+
+ let &enc = save_enc
+endfunc
+
func Test_readfile_binary()
new
call setline(1, ['one', 'two', 'three'])
--
2.36.1
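Review bot: Making `latin_ptr2len()` and `dbcs_ptr2len()` return 0 for NUL fixes the contract of the `mb_ptr2len` function pointer for every caller, not only the `for` loop the test covers. Any loop that advances with `p += mb_ptr2len(p)` without testing `*p` first will now stop making progress at the terminator; those callers are outside these hunks and should be checked in the tree. The globals.h comment could state the consequence as well as the value: `// NUL has length zero, so callers must test for NUL before advancing by this length.` For `utfc_ptr2len()` the patch adds only the sentence `Returns zero for NUL.`, and since the body is not in the hunk that statement is unverified from this page.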


@ -0,0 +1,72 @@
From 1889f499a4f248cd84e0e0bf6d0d820016774494 Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Tue, 16 Aug 2022 19:34:44 +0100
Subject: [PATCH] patch 9.0.0221: accessing freed memory if compiling nested
function fails
Problem: Accessing freed memory if compiling nested function fails.
Solution: Mess up the variable name so that it won't be found.
---
src/testdir/test_vim9_func.vim | 12 ++++++++++++
src/vim9compile.c | 7 +++++--
2 files changed, 17 insertions(+), 2 deletions(-)
diff --git a/src/testdir/test_vim9_func.vim b/src/testdir/test_vim9_func.vim
index 33a6615..426fde4 100644
--- a/src/testdir/test_vim9_func.vim
+++ b/src/testdir/test_vim9_func.vim
@@ -907,6 +907,18 @@ def Test_nested_function()
v9.CheckScriptFailure(lines, 'E1173: Text found after enddef: burp', 3)
enddef
+def Test_nested_function_fails()
+ var lines =<< trim END
+ def T()
+ def Func(g: string):string
+ enddef
+ Func()
+ enddef
+ silent! defcompile
+ END
+ v9.CheckScriptFailure(lines, 'E1069:')
+enddef
+
def Test_not_nested_function()
echo printf('%d',
function('len')('xxx'))
diff --git a/src/vim9compile.c b/src/vim9compile.c
index b7f590e..fb39997 100644
--- a/src/vim9compile.c
+++ b/src/vim9compile.c
@@ -822,6 +822,7 @@ compile_nested_function(exarg_T *eap, cctx_T *cctx, garray_T *lines_to_free)
int r = FAIL;
compiletype_T compile_type;
isn_T *funcref_isn = NULL;
+ lvar_T *lvar = NULL;
if (eap->forceit)
{
@@ -928,9 +929,8 @@ compile_nested_function(exarg_T *eap, cctx_T *cctx, garray_T *lines_to_free)
else
{
// Define a local variable for the function reference.
- lvar_T *lvar = reserve_local(cctx, func_name, name_end - name_start,
+ lvar = reserve_local(cctx, func_name, name_end - name_start,
TRUE, ufunc->uf_func_type);
-
if (lvar == NULL)
goto theend;
if (generate_FUNCREF(cctx, ufunc, &funcref_isn) == FAIL)
@@ -949,6 +949,9 @@ compile_nested_function(exarg_T *eap, cctx_T *cctx, garray_T *lines_to_free)
&& compile_def_function(ufunc, TRUE, compile_type, cctx) == FAIL)
{
func_ptr_unref(ufunc);
+ if (lvar != NULL)
+ // Now the local variable can't be used.
+ *lvar->lv_name = '/'; // impossible value
goto theend;
}
--
2.36.1
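Review bot: The new failure path in `compile_nested_function()` disables the local by overwriting the first byte of `lvar->lv_name` with `'/'`, and the only explanation is `// impossible value`. The write assumes `lv_name` is non-NULL and writable, which is decided in `reserve_local()` outside the hunk, so that is worth confirming. The unbraced `if (lvar != NULL)` also has a comment line between the condition and its single statement, which is easy to break when a second statement is added. I would brace the body and expand the comment, for example `// compile failed and ufunc was unreferenced: make the name unmatchable so a later lookup cannot reach it`.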


@ -0,0 +1,73 @@
From 4875d6ab068f09df88d24d81de40dcd8d56e243d Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Wed, 17 Aug 2022 15:55:51 +0100
Subject: [PATCH] patch 9.0.0224: Using NULL pointer when skipping compiled
code
Problem: Using NULL pointer when skipping compiled code.
Solution: Check for skipping.
---
src/testdir/test_vim9_script.vim | 13 +++++++++++++
src/vim9compile.c | 14 ++++++++++----
2 files changed, 23 insertions(+), 4 deletions(-)
diff --git a/src/testdir/test_vim9_script.vim b/src/testdir/test_vim9_script.vim
index fc0ef15..75b3e9c 100644
--- a/src/testdir/test_vim9_script.vim
+++ b/src/testdir/test_vim9_script.vim
@@ -2097,6 +2097,19 @@ def Test_for_skipped_block()
v9.CheckDefAndScriptSuccess(lines)
enddef
+def Test_skipped_redir()
+ var lines =<< trim END
+ def T()
+ if 0
+ redir =>l[0]
+ redir END
+ endif
+ enddef
+ defcompile
+ END
+ v9.CheckScriptSuccess(lines)
+enddef
+
def Test_for_loop()
var lines =<< trim END
var result = ''
diff --git a/src/vim9compile.c b/src/vim9compile.c
index fb39997..a8fa5dc 100644
--- a/src/vim9compile.c
+++ b/src/vim9compile.c
@@ -1157,11 +1157,14 @@ generate_loadvar(
generate_LOADV(cctx, name + 2);
break;
case dest_local:
- if (lvar->lv_from_outer > 0)
- generate_LOADOUTER(cctx, lvar->lv_idx, lvar->lv_from_outer,
+ if (cctx->ctx_skip != SKIP_YES)
+ {
+ if (lvar->lv_from_outer > 0)
+ generate_LOADOUTER(cctx, lvar->lv_idx, lvar->lv_from_outer,
type);
- else
- generate_LOAD(cctx, ISN_LOAD, lvar->lv_idx, NULL, type);
+ else
+ generate_LOAD(cctx, ISN_LOAD, lvar->lv_idx, NULL, type);
+ }
break;
case dest_expr:
// list or dict value should already be on the stack.
@@ -1944,6 +1947,9 @@ compile_assign_unlet(
}
}
+ if (cctx->ctx_skip == SKIP_YES)
+ return OK;
+
// Load the dict or list. On the stack we then have:
// - value (for assignment, not for :unlet)
// - index
--
2.36.1
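Review bot: In `generate_loadvar()` the `dest_local` case now dereferences `lvar` only when `cctx->ctx_skip != SKIP_YES`, which protects the access by inference: nothing in the hunk ties `lvar` being NULL to skipping. A comment would make the invariant visible, e.g. `// when skipping no local was looked up, so lvar may be NULL`. If other paths can also leave `lvar` unset (the callers are outside the hunk), the condition could test it directly: `if (cctx->ctx_skip != SKIP_YES && lvar != NULL)`. The early `return OK` added to `compile_assign_unlet()` follows code that is not shown, so check that nothing acquired above it needs releasing on that exit.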


@ -0,0 +1,245 @@
From 91c7cbfe31bbef57d5fcf7d76989fc159f73ef15 Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Thu, 18 Aug 2022 13:28:31 +0100
Subject: [PATCH] patch 9.0.0225: using freed memory with multiple line breaks
in expression
Problem: Using freed memory with multiple line breaks in expression.
Solution: Free eval_tofree later.
---
src/eval.c | 102 ++++++++++++++++++-------------
src/proto/eval.pro | 4 +-
src/testdir/test_vim9_script.vim | 13 ++++
src/userfunc.c | 15 -----
4 files changed, 75 insertions(+), 59 deletions(-)
diff --git a/src/eval.c b/src/eval.c
index 42b883e..60daca5 100644
--- a/src/eval.c
+++ b/src/eval.c
@@ -353,6 +353,63 @@ eval_to_string_skip(
return retval;
}
+/*
+ * Initialize "evalarg" for use.
+ */
+ void
+init_evalarg(evalarg_T *evalarg)
+{
+ CLEAR_POINTER(evalarg);
+ ga_init2(&evalarg->eval_tofree_ga, sizeof(char_u *), 20);
+}
+
+/*
+ * If "evalarg->eval_tofree" is not NULL free it later.
+ * Caller is expected to overwrite "evalarg->eval_tofree" next.
+ */
+ static void
+free_eval_tofree_later(evalarg_T *evalarg)
+{
+ if (evalarg->eval_tofree != NULL)
+ {
+ if (ga_grow(&evalarg->eval_tofree_ga, 1) == OK)
+ ((char_u **)evalarg->eval_tofree_ga.ga_data)
+ [evalarg->eval_tofree_ga.ga_len++]
+ = evalarg->eval_tofree;
+ else
+ vim_free(evalarg->eval_tofree);
+ }
+}
+
+/*
+ * After using "evalarg" filled from "eap": free the memory.
+ */
+ void
+clear_evalarg(evalarg_T *evalarg, exarg_T *eap)
+{
+ if (evalarg != NULL)
+ {
+ if (evalarg->eval_tofree != NULL)
+ {
+ if (eap != NULL)
+ {
+ // We may need to keep the original command line, e.g. for
+ // ":let" it has the variable names. But we may also need the
+ // new one, "nextcmd" points into it. Keep both.
+ vim_free(eap->cmdline_tofree);
+ eap->cmdline_tofree = *eap->cmdlinep;
+ *eap->cmdlinep = evalarg->eval_tofree;
+ }
+ else
+ vim_free(evalarg->eval_tofree);
+ evalarg->eval_tofree = NULL;
+ }
+
+ ga_clear_strings(&evalarg->eval_tofree_ga);
+ VIM_CLEAR(evalarg->eval_tofree_lambda);
+ }
+}
+
/*
* Skip over an expression at "*pp".
* Return FAIL for an error, OK otherwise.
@@ -435,8 +492,8 @@ skip_expr_concatenate(
// Do not free the first line, the caller can still use it.
*((char_u **)gap->ga_data) = NULL;
// Do not free the last line, "arg" points into it, free it
- // later.
- vim_free(evalarg->eval_tofree);
+ // later. Also free "eval_tofree" later if needed.
+ free_eval_tofree_later(evalarg);
evalarg->eval_tofree =
((char_u **)gap->ga_data)[gap->ga_len - 1];
((char_u **)gap->ga_data)[gap->ga_len - 1] = NULL;
@@ -2274,7 +2331,7 @@ eval_next_line(char_u *arg, evalarg_T *evalarg)
}
else if (evalarg->eval_cookie != NULL)
{
- vim_free(evalarg->eval_tofree);
+ free_eval_tofree_later(evalarg);
evalarg->eval_tofree = line;
}
@@ -2301,45 +2358,6 @@ skipwhite_and_linebreak(char_u *arg, evalarg_T *evalarg)
return p;
}
-/*
- * Initialize "evalarg" for use.
- */
- void
-init_evalarg(evalarg_T *evalarg)
-{
- CLEAR_POINTER(evalarg);
- ga_init2(&evalarg->eval_tofree_ga, sizeof(char_u *), 20);
-}
-
-/*
- * After using "evalarg" filled from "eap": free the memory.
- */
- void
-clear_evalarg(evalarg_T *evalarg, exarg_T *eap)
-{
- if (evalarg != NULL)
- {
- if (evalarg->eval_tofree != NULL)
- {
- if (eap != NULL)
- {
- // We may need to keep the original command line, e.g. for
- // ":let" it has the variable names. But we may also need the
- // new one, "nextcmd" points into it. Keep both.
- vim_free(eap->cmdline_tofree);
- eap->cmdline_tofree = *eap->cmdlinep;
- *eap->cmdlinep = evalarg->eval_tofree;
- }
- else
- vim_free(evalarg->eval_tofree);
- evalarg->eval_tofree = NULL;
- }
-
- ga_clear_strings(&evalarg->eval_tofree_ga);
- VIM_CLEAR(evalarg->eval_tofree_lambda);
- }
-}
-
/*
* The "evaluate" argument: When FALSE, the argument is only parsed but not
* executed. The function may return OK, but the rettv will be of type
diff --git a/src/proto/eval.pro b/src/proto/eval.pro
index e6cd892..27a13c9 100644
--- a/src/proto/eval.pro
+++ b/src/proto/eval.pro
@@ -9,6 +9,8 @@ int eval_expr_valid_arg(typval_T *tv);
int eval_expr_typval(typval_T *expr, typval_T *argv, int argc, typval_T *rettv);
int eval_expr_to_bool(typval_T *expr, int *error);
char_u *eval_to_string_skip(char_u *arg, exarg_T *eap, int skip);
+void init_evalarg(evalarg_T *evalarg);
+void clear_evalarg(evalarg_T *evalarg, exarg_T *eap);
int skip_expr(char_u **pp, evalarg_T *evalarg);
int skip_expr_concatenate(char_u **arg, char_u **start, char_u **end, evalarg_T *evalarg);
char_u *typval2string(typval_T *tv, int convert);
@@ -34,8 +36,6 @@ int pattern_match(char_u *pat, char_u *text, int ic);
char_u *eval_next_non_blank(char_u *arg, evalarg_T *evalarg, int *getnext);
char_u *eval_next_line(char_u *arg, evalarg_T *evalarg);
char_u *skipwhite_and_linebreak(char_u *arg, evalarg_T *evalarg);
-void init_evalarg(evalarg_T *evalarg);
-void clear_evalarg(evalarg_T *evalarg, exarg_T *eap);
int eval0(char_u *arg, typval_T *rettv, exarg_T *eap, evalarg_T *evalarg);
int eval0_retarg(char_u *arg, typval_T *rettv, exarg_T *eap, evalarg_T *evalarg, char_u **retarg);
int eval1(char_u **arg, typval_T *rettv, evalarg_T *evalarg);
diff --git a/src/testdir/test_vim9_script.vim b/src/testdir/test_vim9_script.vim
index 75b3e9c..c09c0d2 100644
--- a/src/testdir/test_vim9_script.vim
+++ b/src/testdir/test_vim9_script.vim
@@ -1560,6 +1560,19 @@ def Test_func_redefine_fails()
v9.CheckScriptFailure(lines, 'E1073:')
enddef
+def Test_lambda_split()
+ # this was using freed memory, because of the split expression
+ var lines =<< trim END
+ vim9script
+ try
+ 0
+ 0->(0
+ ->a.0(
+ ->u
+ END
+ v9.CheckScriptFailure(lines, 'E1050:')
+enddef
+
def Test_fixed_size_list()
# will be allocated as one piece of memory, check that changes work
var l = [1, 2, 3, 4]
diff --git a/src/userfunc.c b/src/userfunc.c
index 9b960b7..3777e03 100644
--- a/src/userfunc.c
+++ b/src/userfunc.c
@@ -1371,7 +1371,6 @@ get_lambda_tv(
char_u *start, *end;
int *old_eval_lavars = eval_lavars_used;
int eval_lavars = FALSE;
- char_u *tofree1 = NULL;
char_u *tofree2 = NULL;
int equal_arrow = **arg == '(';
int white_error = FALSE;
@@ -1456,12 +1455,6 @@ get_lambda_tv(
ret = skip_expr_concatenate(arg, &start, &end, evalarg);
if (ret == FAIL)
goto errret;
- if (evalarg != NULL)
- {
- // avoid that the expression gets freed when another line break follows
- tofree1 = evalarg->eval_tofree;
- evalarg->eval_tofree = NULL;
- }
if (!equal_arrow)
{
@@ -1584,10 +1577,6 @@ get_lambda_tv(
theend:
eval_lavars_used = old_eval_lavars;
- if (evalarg != NULL && evalarg->eval_tofree == NULL)
- evalarg->eval_tofree = tofree1;
- else
- vim_free(tofree1);
vim_free(tofree2);
if (types_optional)
ga_clear_strings(&argtypes);
@@ -1606,10 +1595,6 @@ errret:
}
vim_free(fp);
vim_free(pt);
- if (evalarg != NULL && evalarg->eval_tofree == NULL)
- evalarg->eval_tofree = tofree1;
- else
- vim_free(tofree1);
vim_free(tofree2);
eval_lavars_used = old_eval_lavars;
return FAIL;
--
2.36.1
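Review bot: `free_eval_tofree_later()` falls back to `vim_free(evalarg->eval_tofree)` when `ga_grow()` fails, which is the same immediate free this patch replaces at both call sites, so the use of freed memory it describes can return under allocation failure. Whether anything still points into that line at that moment depends on callers outside these hunks. If it can, dropping the pointer without freeing would be the safer fallback at the cost of a leak. At minimum the `else` branch deserves a comment such as `// out of memory: freed now, earlier pointers into this line become invalid`. The helper also relies on the caller overwriting `eval_tofree` straight afterwards, as its header comment says, and both visible callers (`skip_expr_concatenate()` and `eval_next_line()`) do.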


@ -9,14 +9,14 @@ Problem: Crash when using ":mkspell" with an empty .dic file.
Solution: Check for an empty word tree.
---
src/spellfile.c | 4 +++-
src/testdir/test_spellfile.vim | 11 +++++++++++
2 files changed, 14 insertions(+), 1 deletion(-)
src/testdir/test_spellfile.vim | 12 ++++++++++++
2 files changed, 15 insertions(+), 1 deletion(-)
diff --git a/src/spellfile.c b/src/spellfile.c
index aeeb6ad..08dcc1b 100644
index 4a0de52..a4407fa 100644
--- a/src/spellfile.c
+++ b/src/spellfile.c
@@ -5561,10 +5561,12 @@ sug_filltree(spellinfo_T *spin, slang_T *slang)
@@ -5585,10 +5585,12 @@ sug_filltree(spellinfo_T *spin, slang_T *slang)
/*
* Go through the whole case-folded tree, soundfold each word and put it
@ -31,11 +31,11 @@ index aeeb6ad..08dcc1b 100644
arridx[0] = 0;
curi[0] = 1;
diff --git a/src/testdir/test_spellfile.vim b/src/testdir/test_spellfile.vim
index 1382c02..4de7389 100644
index 38d1ec0..e81aa65 100644
--- a/src/testdir/test_spellfile.vim
+++ b/src/testdir/test_spellfile.vim
@@ -176,3 +176,14 @@ func Test_check_for_valid_word()
call assert_fails("spellgood! 0^B\xac", 'E1280:')
@@ -1160,4 +1160,16 @@ func Test_mkspellmem_opt()
call assert_fails('set mkspellmem=1000,50,0', 'E474:')
endfunc
+" this was using a NULL pointer
@ -49,6 +49,8 @@ index 1382c02..4de7389 100644
+ call delete('XtestEmpty.spl')
+endfunc
+
+
" vim: shiftwidth=2 sts=2 expandtab
--
2.27.0
2.36.1


@ -12,18 +12,18 @@ Solution: Make a copy of the tag name.
2 files changed, 20 insertions(+), 1 deletion(-)
diff --git a/src/tag.c b/src/tag.c
index c00f5fb..aceb6e4 100644
index 8a351cc..02f0818 100644
--- a/src/tag.c
+++ b/src/tag.c
@@ -161,6 +161,7 @@ do_tag(
@@ -281,6 +281,7 @@ do_tag(
char_u *buf_ffname = curbuf->b_ffname; // name to use for
// priority computation
int use_tfu = 1;
+ char_u *tofree = NULL;
int use_tfu = 1;
+ char_u *tofree = NULL;
// remember the matches for the last used tag
static int num_matches = 0;
@@ -510,7 +511,12 @@ do_tag(
@@ -630,7 +631,12 @@ do_tag(
* When desired match not found yet, try to find it (and others).
*/
if (use_tagstack)
@ -37,7 +37,7 @@ index c00f5fb..aceb6e4 100644
#if defined(FEAT_QUICKFIX)
else if (g_do_tagpreview != 0)
name = ptag_entry.tagname;
@@ -802,6 +808,7 @@ end_do_tag:
@@ -922,6 +928,7 @@ end_do_tag:
g_do_tagpreview = 0; // don't do tag preview next time
# endif
@ -46,11 +46,11 @@ index c00f5fb..aceb6e4 100644
return jumped_to_tag;
#else
diff --git a/src/testdir/test_tagfunc.vim b/src/testdir/test_tagfunc.vim
index 242aa3a..74ad3d1 100644
index 05d8473..9582612 100644
--- a/src/testdir/test_tagfunc.vim
+++ b/src/testdir/test_tagfunc.vim
@@ -81,4 +81,16 @@ func Test_tagfunc()
call delete('Xfile1')
@@ -389,4 +389,16 @@ func Test_tagfunc_callback()
%bw!
endfunc
+func Test_tagfunc_wipes_buffer()
@ -59,7 +59,7 @@ index 242aa3a..74ad3d1 100644
+ endfunc
+ set tagfunc=g:Tag0unc0
+ new
+ cal assert_fails('tag 0', 'E1299:')
+ cal assert_fails('tag 0', 'E987:')
+
+ delfunc g:Tag0unc0
+ set tagfunc=
@ -67,5 +67,5 @@ index 242aa3a..74ad3d1 100644
+
" vim: shiftwidth=2 sts=2 expandtab
--
2.27.0
1.8.3.1


@ -6,15 +6,15 @@ Subject: [PATCH] patch 9.0.0259: crash with mouse click when not initialized
Problem: Crash with mouse click when not initialized.
Solution: Check TabPageIdxs[] is not NULL.
---
src/mouse.c | 107 ++++++++++++++++++-----------------
src/testdir/test_tabline.vim | 14 +++++
src/mouse.c | 107 ++++++++++++++++++++++---------------------
src/testdir/test_tabline.vim | 14 ++++++
2 files changed, 69 insertions(+), 52 deletions(-)
diff --git a/src/mouse.c b/src/mouse.c
index c94f322..4fdbdbd 100644
index c39f614..12895f8 100644
--- a/src/mouse.c
+++ b/src/mouse.c
@@ -448,74 +448,77 @@ do_mouse(
@@ -471,74 +471,77 @@ do_mouse(
start_visual.lnum = 0;
@ -61,7 +61,7 @@ index c94f322..4fdbdbd 100644
- if ((mod_mask & MOD_MASK_MULTI_CLICK) == MOD_MASK_2CLICK)
- {
- // double click opens new page
- end_visual_mode();
- end_visual_mode_keep_button();
- tabpage_new();
- tabpage_move(c1 == 0 ? 9999 : c1 - 1);
- }
@ -79,7 +79,7 @@ index c94f322..4fdbdbd 100644
+ if ((mod_mask & MOD_MASK_MULTI_CLICK) == MOD_MASK_2CLICK)
+ {
+ // double click opens new page
end_visual_mode();
end_visual_mode_keep_button();
- }
- }
- else
@ -99,7 +99,7 @@ index c94f322..4fdbdbd 100644
- tp = curtab;
+ // It's like clicking on the status line of a window.
+ if (curwin != old_curwin)
+ end_visual_mode();
+ end_visual_mode_keep_button();
+ }
+ }
else
@ -145,14 +145,13 @@ index c94f322..4fdbdbd 100644
// When 'mousemodel' is "popup" or "popup_setpos", translate mouse events:
diff --git a/src/testdir/test_tabline.vim b/src/testdir/test_tabline.vim
index 383d239..d615429 100644
index e58a412..556b859 100644
--- a/src/testdir/test_tabline.vim
+++ b/src/testdir/test_tabline.vim
@@ -70,3 +70,17 @@ func Test_redrawtabline()
let &showtabline = showtabline_save
au! Bufadd
@@ -147,4 +147,18 @@ func Test_tabline_20_format_items_no_overrun()
set showtabline& tabline&
endfunc
+
+func Test_mouse_click_in_tab()
+ " This used to crash because TabPageIdxs[] was not initialized
+ let lines =<< trim END
@ -166,6 +165,8 @@ index 383d239..d615429 100644
+ call delete('Xclickscript')
+endfunc
+
+
" vim: shiftwidth=2 sts=2 expandtab
--
2.27.0
1.8.3.1


@ -0,0 +1,73 @@
From d6c67629ed05aae436164eec474832daf8ba7420 Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Wed, 24 Aug 2022 20:07:22 +0100
Subject: [PATCH] patch 9.0.0260: using freed memory when usinger
'quickfixtextfunc' recursivelyxe
Problem: Using freed memory when using 'quickfixtextfunc' recursively.
Solution: Do not allow for recursion.
---
src/quickfix.c | 9 +++++++++
src/testdir/test_quickfix.vim | 13 +++++++++++++
2 files changed, 22 insertions(+)
diff --git a/src/quickfix.c b/src/quickfix.c
index c37caa5..5547233 100644
--- a/src/quickfix.c
+++ b/src/quickfix.c
@@ -4656,6 +4656,11 @@ call_qftf_func(qf_list_T *qfl, int qf_winid, long start_idx, long end_idx)
{
callback_T *cb = &qftf_cb;
list_T *qftf_list = NULL;
+ static int recursive = FALSE;
+
+ if (recursive)
+ return NULL; // this doesn't work properly recursively
+ recursive = TRUE;
// If 'quickfixtextfunc' is set, then use the user-supplied function to get
// the text to display. Use the local value of 'quickfixtextfunc' if it is
@@ -4670,7 +4675,10 @@ call_qftf_func(qf_list_T *qfl, int qf_winid, long start_idx, long end_idx)
// create the dict argument
if ((d = dict_alloc_lock(VAR_FIXED)) == NULL)
+ {
+ recursive = FALSE;
return NULL;
+ }
dict_add_number(d, "quickfix", (long)IS_QF_LIST(qfl));
dict_add_number(d, "winid", (long)qf_winid);
dict_add_number(d, "id", (long)qfl->qf_id);
@@ -4693,6 +4701,7 @@ call_qftf_func(qf_list_T *qfl, int qf_winid, long start_idx, long end_idx)
dict_unref(d);
}
+ recursive = FALSE;
return qftf_list;
}
diff --git a/src/testdir/test_quickfix.vim b/src/testdir/test_quickfix.vim
index 182d570..46b2cb6 100644
--- a/src/testdir/test_quickfix.vim
+++ b/src/testdir/test_quickfix.vim
@@ -6334,4 +6334,17 @@ func Test_qflist_statusmsg()
%bw!
endfunc
+func Test_quickfixtextfunc_recursive()
+ func s:QFTfunc(o)
+ cgete '0'
+ endfunc
+ copen
+ let &quickfixtextfunc = 's:QFTfunc'
+ cex ""
+
+ let &quickfixtextfunc = ''
+ cclose
+endfunc
+
+
" vim: shiftwidth=2 sts=2 expandtab
--
2.36.1
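Review bot: The Subject line of this backport reads `using freed memory when usinger 'quickfixtextfunc' recursivelyxe`, while the Problem line below it has the clean wording. The file therefore appears to have been edited by hand after export, and it is worth diffing the whole patch against upstream commit d6c67629ed05aae436164eec474832daf8ba7420 before relying on it. In `call_qftf_func()` the `static int recursive` flag is cleared on the two exits shown, the `dict_alloc_lock()` failure and the final `return qftf_list`. The body between the hunks is not visible, and any other `return` there would leave the flag set and make every later call return NULL. A comment at the declaration, `// must be reset on every exit below`, would flag that for future edits.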

Some files were not shown because too many files have changed in this diff Show More