vim/backport-CVE-2022-2598.patch
shixuantong ccd72e5d8b fix CVE-2022-2598 CVE-2022-2571
(cherry picked from commit 987cbee818b1d65aa3e20a4b6abd517027c0771a)
2022-08-02 16:01:30 +08:00



From 4e677b9c40ccbc5f090971b31dc2fe07bf05541d Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Thu, 28 Jul 2022 18:44:27 +0100
Subject: [PATCH] patch 9.0.0101: invalid memory access in diff mode with
"dp"
and undo
Problem: Invalid memory access in diff mode with "dp" and undo.
Solution: Make sure the line number does not go below one.
---
src/diff.c | 9 ++++++---
src/testdir/test_diffmode.vim | 14 ++++++++++++++
2 files changed, 20 insertions(+), 3 deletions(-)
diff --git a/src/diff.c b/src/diff.c
index 2801c67..5328000 100644
--- a/src/diff.c
+++ b/src/diff.c
@@ -452,7 +452,10 @@ diff_mark_adjust_tp(
for (i = 0; i < DB_COUNT; ++i)
if (tp->tp_diffbuf[i] != NULL && i != idx)
{
- dp->df_lnum[i] -= off;
+ if (dp->df_lnum[i] > off)
+ dp->df_lnum[i] -= off;
+ else
+ dp->df_lnum[i] = 1;
dp->df_count[i] += n;
}
}
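Review bot: The new `else` branch clamps `dp->df_lnum[i]` to 1, but `dp->df_count[i] += n;` on the following line still applies the full adjustment, so after a clamp the block's start and count may no longer describe the same line range. Whether a later bounds check covers that case cannot be seen from this hunk, because diff_mark_adjust_tp starts and ends outside it. The clamp also hides the inconsistent state instead of reporting it, so it deserves a comment saying why it is there, for example `// "off" can exceed the start line after undo; never let df_lnum drop below 1`.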
@@ -2781,8 +2784,8 @@ ex_diffgetput(exarg_T *eap)
{
// remember deleting the last line of the buffer
buf_empty = curbuf->b_ml.ml_line_count == 1;
- ml_delete(lnum, FALSE);
- --added;
+ if (ml_delete(lnum, FALSE) == OK)
+ --added;
}
for (i = 0; i < dp->df_count[idx_from] - start_skip - end_skip; ++i)
{
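Review bot: `buf_empty` is computed before the delete and is not cleared when `ml_delete()` fails, so any code after this loop that reads `buf_empty` would still behave as if the last line had been removed. That later code is outside this hunk, so this is a point to confirm rather than a proven defect. If the flag is consulted afterwards, adding `else buf_empty = FALSE;` after the `--added;` line would keep it in step with what actually happened. Otherwise a comment such as `// a failed delete is ignored on purpose; "added" must only count lines really removed` would document the intent.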
diff --git a/src/testdir/test_diffmode.vim b/src/testdir/test_diffmode.vim
index a75d0e5..d3b8f6c 100644
--- a/src/testdir/test_diffmode.vim
+++ b/src/testdir/test_diffmode.vim
@@ -852,3 +852,17 @@ func Test_diff_manipulations()
set nodiff
%bwipe!
endfunc
+
+" This was causing the line number in the diff block to go below one.
+" FIXME: somehow this causes a valgrind error when run directly but not when
+" run as a test.
+func Test_diff_put_and_undo()
+ set diff
+ next 0
+ split 00
+ sil! norm o0gguudpo0ggJuudp
+
+ bwipe!
+ bwipe!
+ set nodiff
+endfunc
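Review bot: Test_diff_put_and_undo contains no assertion, so it can only fail if Vim crashes or a memory checker reports the invalid access. The FIXME above it says the error does not show up when run as a test, which suggests a normal test run may pass even if the fix regresses. Consider asserting an observable result after the key sequence, for example the buffer contents with `call assert_equal(...)` once the expected lines are known. Failing that, state the requirement in the comment: `" Only meaningful under valgrind/ASAN: passes without them even when the bug is present.`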
--
2.27.0