vim/backport-CVE-2022-2580.patch
2022-11-03 15:22:25 +08:00


From 1e56bda9048a9625bce6e660938c834c5c15b07d Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Fri, 29 Jul 2022 15:28:27 +0100
Subject: [PATCH 001/123] patch 9.0.0104: going beyond allocated memory when
evaluating string constant
Problem: Going beyond allocated memory when evaluating string constant.
Solution: Properly skip over <Key> form.
---
src/testdir/test_eval_stuff.vim | 5 +++++
src/typval.c | 12 ++++++++++++
2 files changed, 17 insertions(+)
diff --git a/src/testdir/test_eval_stuff.vim b/src/testdir/test_eval_stuff.vim
index 3c168f2..c63082e 100644
--- a/src/testdir/test_eval_stuff.vim
+++ b/src/testdir/test_eval_stuff.vim
@@ -617,4 +617,9 @@ func Test_modified_char_no_escape_special()
nunmap <M-…>
endfunc
+func Test_eval_string_in_special_key()
+ " this was using the '{' inside <> as the start of an interpolated string
+ silent! echo 0{1-$"\<S--{>n|nö%
+endfunc
+
" vim: shiftwidth=2 sts=2 expandtab
diff --git a/src/typval.c b/src/typval.c
index a266330..8b69adf 100644
--- a/src/typval.c
+++ b/src/typval.c
@@ -2090,7 +2090,19 @@ eval_string(char_u **arg, typval_T *rettv, int evaluate, int interpolate)
// to 9 characters (6 for the char and 3 for a modifier):
// reserve space for 5 extra.
if (*p == '<')
+ {
+ int modifiers = 0;
+ int flags = FSK_KEYCODE | FSK_IN_STRING;
+
extra += 5;
+
+ // Skip to the '>' to avoid using '{' inside for string
+ // interpolation.
+ if (p[1] != '*')
+ flags |= FSK_SIMPLIFY;
+ if (find_special_key(&p, &modifiers, flags, NULL) != 0)
+ --p; // leave "p" on the ">"
+ }
}
else if (interpolate && (*p == '{' || *p == '}'))
{
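Review bot: The added block under `if (*p == '<')` makes the size-counting pass advance `p` with `find_special_key()`, but no comment says this must consume the same bytes as the later pass that fills the buffer. Since the commit fixes an access beyond allocated memory, that invariant is worth stating above the flags setup: `// Keep these flags identical to the ones used when the string is copied, otherwise the size reserved here can be too small.` `modifiers` is written by the call and never read in the added lines, so `// "modifiers" is unused, the call only advances "p"` would save a reader the search. eval_string() starts and ends outside this hunk, so the copy pass is not visible here; its flags should be checked against these before adding the comment.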
--
1.8.3.1