vim/backport-CVE-2022-1796.patch

From 28d032cc688ccfda18c5bbcab8b50aba6e18cde5 Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Wed, 18 May 2022 16:29:08 +0100
Subject: [PATCH] patch 8.2.4979: accessing freed memory when line is flushed

Problem:    Accessing freed memory when line is flushed.
Solution:   Make a copy of the pattern to search for.
---
 src/testdir/test_tagjump.vim | 9 +++++++++
 src/window.c                 | 7 +++++++
 2 files changed, 16 insertions(+)

diff --git a/src/testdir/test_tagjump.vim b/src/testdir/test_tagjump.vim
index 14ba1f7..24df68f 100644
--- a/src/testdir/test_tagjump.vim
+++ b/src/testdir/test_tagjump.vim
@@ -556,4 +556,13 @@ func Test_tagline()
   set tags&
 endfunc
 
+func Test_define_search()
+  " this was accessing freed memory
+  new
+  call setline(1, ['first line', '', '#define something 0'])
+  sil norm o0
+  sil! norm 
+  bwipe!
+endfunc
+
 " vim: shiftwidth=2 sts=2 expandtab
diff --git a/src/window.c b/src/window.c
index bb17167..ee2a374 100644
--- a/src/window.c
+++ b/src/window.c
@@ -554,9 +554,16 @@ wingotofile:
 		CHECK_CMDWIN;
 		if ((len = find_ident_under_cursor(&ptr, FIND_IDENT)) == 0)
 		    break;
+
+		// Make a copy, if the line was changed it will be freed.
+		ptr = vim_strnsave(ptr, len);
+		if (ptr == NULL)
+		    break;
+
 		find_pattern_in_path(ptr, 0, len, TRUE,
 			Prenum == 0 ? TRUE : FALSE, type,
 			Prenum1, ACTION_SPLIT, (linenr_T)1, (linenr_T)MAXLNUM);
+		vim_free(ptr);
 		curwin->w_set_curswant = TRUE;
 		break;
 #endif
-- 
1.8.3.1