vim/backport-CVE-2022-3235.patch
2022-11-03 15:22:25 +08:00


From 1c3dd8ddcba63c1af5112e567215b3cec2de11d0 Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Sat, 17 Sep 2022 19:43:23 +0100
Subject: [PATCH] patch 9.0.0490: using freed memory with cmdwin and BufEnter
autocmd
Problem: Using freed memory with cmdwin and BufEnter autocmd.
Solution: Make sure pointer to b_p_iminsert is still valid.
---
src/ex_getln.c | 8 ++++++--
src/testdir/test_cmdline.vim | 10 ++++++++++
2 files changed, 16 insertions(+), 2 deletions(-)
diff --git a/src/ex_getln.c b/src/ex_getln.c
index 8dc03dc..535bfb5 100644
--- a/src/ex_getln.c
+++ b/src/ex_getln.c
@@ -1607,6 +1607,7 @@ getcmdline_int(
#endif
expand_T xpc;
long *b_im_ptr = NULL;
+ buf_T *b_im_ptr_buf = NULL; // buffer where b_im_ptr is valid
cmdline_info_T save_ccline;
int did_save_ccline = FALSE;
int cmdline_type;
@@ -1703,6 +1704,7 @@ getcmdline_int(
b_im_ptr = &curbuf->b_p_iminsert;
else
b_im_ptr = &curbuf->b_p_imsearch;
+ b_im_ptr_buf = curbuf;
if (*b_im_ptr == B_IMODE_LMAP)
State |= MODE_LANGMAP;
#ifdef HAVE_INPUT_METHOD
@@ -2060,7 +2062,8 @@ getcmdline_int(
goto cmdline_not_changed;
case Ctrl_HAT:
- cmdline_toggle_langmap(b_im_ptr);
+ cmdline_toggle_langmap(
+ buf_valid(b_im_ptr_buf) ? b_im_ptr : NULL);
goto cmdline_not_changed;
// case '@': only in very old vi
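Review bot: The Ctrl_HAT branch now hands NULL to `cmdline_toggle_langmap()` whenever `buf_valid(b_im_ptr_buf)` fails, so the fix is only complete if that function tolerates a NULL argument. Its body is not part of this patch, so for a backport this should be confirmed in the tree being patched rather than assumed from upstream. Only this call and the one at `returncmd:` are guarded, so it is also worth checking the target version of `getcmdline_int()` for any other dereference of `b_im_ptr` that runs after autocommands can fire. The function starts and ends outside the hunk.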
@@ -2573,7 +2576,8 @@ returncmd:
#endif
#ifdef HAVE_INPUT_METHOD
- if (b_im_ptr != NULL && *b_im_ptr != B_IMODE_LMAP)
+ if (b_im_ptr != NULL && buf_valid(b_im_ptr_buf)
+ && *b_im_ptr != B_IMODE_LMAP)
im_save_status(b_im_ptr);
im_set_active(FALSE);
#endif
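Review bot: The new condition at `returncmd:` has no comment saying why a pointer that was valid at function entry has to be re-validated. A line such as `// an autocommand may have wiped the buffer b_im_ptr points into` above the `if` would keep a later cleanup from dropping the check. Note also that `buf_valid()`, as far as I know, only tests whether the address is still in the buffer list. That keeps the dereference memory-safe, but if the address were reused for a new buffer, `im_save_status(b_im_ptr)` would act on that buffer's option; clearing `b_im_ptr` once the buffer is found invalid would avoid that, if it matters here.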
diff --git a/src/testdir/test_cmdline.vim b/src/testdir/test_cmdline.vim
index 08e2de7..440df96 100644
--- a/src/testdir/test_cmdline.vim
+++ b/src/testdir/test_cmdline.vim
@@ -3447,4 +3447,14 @@ func Test_cmdwin_virtual_edit()
set ve= cpo-=$
endfunc
+" This was using a pointer to a freed buffer
+func Test_cmdwin_freed_buffer_ptr()
+ au BufEnter * next 0| file
+ edit 0
+ silent! norm q/
+
+ au! BufEnter
+ bwipe!
+endfunc
+
" vim: shiftwidth=2 sts=2 expandtab
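Review bot: `Test_cmdwin_freed_buffer_ptr()` contains no assertion, so on an unfixed build it fails only if the stale pointer crashes Vim or the suite runs under ASan or valgrind. The backport's test run should use a memory checker for this test to be a real regression guard, and a comment such as `" no assert: relies on ASan/valgrind to detect the stale pointer` would make that explicit. The `BufEnter` autocommand is defined in the default group and removed with `au! BufEnter`, which also clears any other default-group `BufEnter` autocommands. Putting it in a named augroup would keep the cleanup scoped to this test.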
--
2.27.0