vim/backport-CVE-2022-3324.patch
2022-11-03 15:22:25 +08:00



From 8279af514ca7e5fd3c31cf13b0864163d1a0bfeb Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Mon, 26 Sep 2022 23:08:22 +0100
Subject: [PATCH] patch 9.0.0598: using negative array index with negative
width window
Problem: Using negative array index with negative width window.
Solution: Make sure the window width does not become negative.
---
src/testdir/test_cmdline.vim | 22 ++++++++++++++++++++++
src/window.c | 5 ++++-
2 files changed, 26 insertions(+), 1 deletion(-)
diff --git a/src/testdir/test_cmdline.vim b/src/testdir/test_cmdline.vim
index 440df96..ab3bfdf 100644
--- a/src/testdir/test_cmdline.vim
+++ b/src/testdir/test_cmdline.vim
@@ -3457,4 +3457,26 @@ func Test_cmdwin_freed_buffer_ptr()
bwipe!
endfunc
+" This was resulting in a window with negative width.
+" The test doesn't reproduce the illegal memory access though...
+func Test_cmdwin_split_often()
+ let lines = &lines
+ let columns = &columns
+ set t_WS=
+
+ try
+ set encoding=iso8859
+ set ruler
+ winsize 0 0
+ noremap 0 H
+ sil norm 0000000q:
+ catch /E36:/
+ endtry
+
+ bwipe!
+ set encoding=utf8
+ let &lines = lines
+ let &columns = columns
+endfunc
+
" vim: shiftwidth=2 sts=2 expandtab
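Review bot: The cleanup at the end of Test_cmdwin_split_often restores only 'lines', 'columns' and 'encoding', so the `noremap 0 H` mapping, `set ruler` and the emptied `t_WS` stay in effect for whatever test runs next, and 'encoding' is forced to utf8 instead of being put back to a saved value. Saving the originals at the top (`let t_WS = &t_WS`) and moving the restore into a `finally` branch with `unmap 0` and `let &t_WS = t_WS` would keep the test self-contained even when an error other than E36 is thrown. As the test's own comment says, it does not reproduce the illegal memory access, so a regression of the clamp would probably only show up when the suite runs under a memory checker such as ASan or valgrind.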
diff --git a/src/window.c b/src/window.c
index c91ebbc..73060db 100644
--- a/src/window.c
+++ b/src/window.c
@@ -2087,6 +2087,8 @@ win_equal_rec(
if (hnc) // add next_curwin size
{
next_curwin_size -= p_wiw - (m - n);
+ if (next_curwin_size < 0)
+ next_curwin_size = 0;
new_size += next_curwin_size;
room -= new_size - next_curwin_size;
}
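Review bot: The clamp added after `next_curwin_size -= p_wiw - (m - n);` has no comment saying why the value can go negative, and this is the security-relevant line of the fix, since the subject line ties a negative width to a negative array index. A short comment such as `// 'winwidth' can exceed the room left in a tiny window; never pass on a negative size` above the `if` would help the next reader. win_equal_rec starts and ends outside this hunk, so it is not visible whether the height path has a matching subtraction; if it does, it is worth checking that it has the same guard.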
@@ -6495,7 +6497,8 @@ scroll_to_fraction(win_T *wp, int prev_height)
void
win_new_width(win_T *wp, int width)
{
- wp->w_width = width;
+ // Should we give an error if width < 0?
+ wp->w_width = width < 0 ? 0 : width;
wp->w_lines_valid = 0;
changed_line_abv_curs_win(wp);
invalidate_botline_win(wp);
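Review bot: The comment added in win_new_width, `// Should we give an error if width < 0?`, leaves an open question in the code instead of stating the contract, and the silent clamp hides which caller computed the negative width. Suggest replacing it with a statement of intent, for example `// A negative width would later be used as an array index; clamp it to zero.`, and deciding whether the caller bug should also be reported through the project's internal-error path so it is not masked. The clamp itself is a reasonable last line of defence, because every writer of `w_width` through this function is then bounded. The function body continues past the end of this hunk.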
--
2.27.0