packages/vim
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
vim/backport-CVE-2022-1785.patch
rwx403335 3225c60546 fix CVE-2022-1785 
(cherry picked from commit 9d353b5e3a381197f33382a10a55111ac2b7db95)
2022-06-20 09:01:18 +08:00

77 lines
2.3 KiB
Diff
Raw Blame History

From e2bd8600b873d2cd1f9d667c28cba8b1dba18839 Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Wed, 18 May 2022 13:11:57 +0100
Subject: [PATCH] patch 8.2.4977: memory access error when substitute
expression changes window
Problem: Memory access error when substitute expression changes window.
Solution: Disallow changing window in substitute expression.
---
src/ex_cmds.c | 11 +++++++++++
src/testdir/test_substitute.vim | 14 ++++++++++++++
2 files changed, 25 insertions(+)
diff --git a/src/ex_cmds.c b/src/ex_cmds.c
index aa97b40..0a22f59 100644
--- a/src/ex_cmds.c
+++ b/src/ex_cmds.c
@@ -4289,12 +4289,17 @@ do_sub(exarg_T *eap)
// Save flags for recursion. They can change for e.g.
// :s/^/\=execute("s#^##gn")
subflags_save = subflags;
+
+ // Disallow changing text or switching window in an expression.
+ ++textwinlock;
#endif
// get length of substitution part
sublen = vim_regsub_multi(&regmatch,
sub_firstlnum - regmatch.startpos[0].lnum,
sub, sub_firstline, FALSE, p_magic, TRUE);
#ifdef FEAT_EVAL
+ --textwinlock;
+
// If getting the substitute string caused an error, don't do
// the replacement.
// Don't keep flags set by a recursive call.
@@ -4395,9 +4400,15 @@ do_sub(exarg_T *eap)
mch_memmove(new_end, sub_firstline + copycol, (size_t)copy_len);
new_end += copy_len;
+#ifdef FEAT_EVAL
+ ++textwinlock;
+#endif
(void)vim_regsub_multi(&regmatch,
sub_firstlnum - regmatch.startpos[0].lnum,
sub, new_end, TRUE, p_magic, TRUE);
+#ifdef FEAT_EVAL
+ --textwinlock;
+#endif
sub_nsubs++;
did_sub = TRUE;
diff --git a/src/testdir/test_substitute.vim b/src/testdir/test_substitute.vim
index 3e6bc5c..bda96f6 100644
--- a/src/testdir/test_substitute.vim
+++ b/src/testdir/test_substitute.vim
@@ -761,3 +761,17 @@ func Test_using_old_sub()
bwipe!
set nocompatible
endfunc
+
+" This was switching windows in between computing the length and using it.
+func Test_sub_change_window()
+ silent! lfile
+ sil! norm o0000000000000000000000000000000000000000000000000000
+ func Repl()
+ lopen
+ endfunc
+ silent! s/\%')/\=Repl()
+ bwipe!
+ bwipe!
+ delfunc Repl
+endfunc
+
--
1.8.3.1
Reference in New Issue View Git Blame Copy Permalink