vim/backport-CVE-2022-3099.patch

From 35d21c6830fc2d68aca838424a0e786821c5891c Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Fri, 2 Sep 2022 16:47:16 +0100
Subject: [PATCH] patch 9.0.0360: crash when invalid line number on :for is
 ignored

Problem:    Crash when invalid line number on :for is ignored.
Solution:   Do not check breakpoint for non-existing line.
---
 src/ex_docmd.c                  |  2 +-
 src/testdir/test_eval_stuff.vim | 13 +++++++++++++
 2 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/src/ex_docmd.c b/src/ex_docmd.c
index ae1f195..0b6b217 100644
--- a/src/ex_docmd.c
+++ b/src/ex_docmd.c
@@ -1068,7 +1068,7 @@ do_cmdline(
 
 		    // Check for the next breakpoint at or after the ":while"
 		    // or ":for".
-		    if (breakpoint != NULL)
+		    if (breakpoint != NULL && lines_ga.ga_len > current_line)
 		    {
 			*breakpoint = dbg_find_breakpoint(
 			       getline_equal(fgetline, cookie, getsourceline),
diff --git a/src/testdir/test_eval_stuff.vim b/src/testdir/test_eval_stuff.vim
index 313d791..934286b 100644
--- a/src/testdir/test_eval_stuff.vim
+++ b/src/testdir/test_eval_stuff.vim
@@ -1,6 +1,7 @@
 " Tests for various eval things.
 
 source view_util.vim
+source shared.vim
 
 function s:foo() abort
   try
@@ -634,4 +635,16 @@ func Test_eval_string_in_special_key()
   silent! echo 0{1-$"\<S--{>n|nö%
 endfunc
 
+func Test_for_invalid_line_count()
+  let lines =<< trim END
+      111111111111111111111111 for line in ['one']
+      endfor
+  END
+  call writefile(lines, 'XinvalidFor')
+  " only test that this doesn't crash
+  call RunVim([], [], '-u NONE -e -s -S XinvalidFor -c qa')
+
+  call delete('XinvalidFor')
+endfunc
+
 " vim: shiftwidth=2 sts=2 expandtab
-- 
1.8.3.1