vim/backport-CVE-2022-1735.patch
2022-05-31 09:55:59 +08:00


From 7ce5b2b590256ce53d6af28c1d203fb3bc1d2d97 Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Mon, 16 May 2022 19:40:59 +0100
Subject: [PATCH] patch 8.2.4969: changing text in Visual mode may cause
invalid memory access
Problem: Changing text in Visual mode may cause invalid memory access.
Solution: Check the Visual position after making a change.
---
src/change.c | 3 +++
src/edit.c | 12 ++----------
src/misc2.c | 25 +++++++++++++++++++++++++
src/proto/misc2.pro | 1 +
src/testdir/test_visual.vim | 10 ++++++++++
5 files changed, 41 insertions(+), 10 deletions(-)
diff --git a/src/change.c b/src/change.c
index f2dfc93..a5ebbdf 100644
--- a/src/change.c
+++ b/src/change.c
@@ -523,6 +523,9 @@ changed_common(
#endif
}
+ if (VIsual_active)
+ check_visual_pos();
+
FOR_ALL_TAB_WINDOWS(tp, wp)
{
if (wp->w_buffer == curbuf)
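Review bot: The added `if (VIsual_active) check_visual_pos();` in changed_common() clamps `VIsual` against `curbuf`, but nothing visible in this hunk establishes that `curbuf` is the buffer the Visual selection was started in. If changed_common() can run while `curbuf` is temporarily switched to another buffer (this needs checking against the callers; the function starts and ends outside the hunk), the position would be corrected against the wrong buffer's line count and line length. I would at least record the assumption next to the call, `// VIsual is assumed to refer to curbuf here`, so a later caller that breaks it is easier to spot.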
diff --git a/src/edit.c b/src/edit.c
index f77cc05..0dd6b93 100644
--- a/src/edit.c
+++ b/src/edit.c
@@ -3101,16 +3101,8 @@ stop_insert(
// <C-S-Right> may have started Visual mode, adjust the position for
// deleted characters.
- if (VIsual_active && VIsual.lnum == curwin->w_cursor.lnum)
- {
- int len = (int)STRLEN(ml_get_curline());
-
- if (VIsual.col > len)
- {
- VIsual.col = len;
- VIsual.coladd = 0;
- }
- }
+ if (VIsual_active)
+ check_visual_pos();
}
}
did_ai = FALSE;
diff --git a/src/misc2.c b/src/misc2.c
index 80731f0..51244da 100644
--- a/src/misc2.c
+++ b/src/misc2.c
@@ -618,6 +618,31 @@ check_cursor(void)
check_cursor_col();
}
+/*
+ * Check if VIsual position is valid, correct it if not.
+ * Can be called when in Visual mode and a change has been made.
+ */
+ void
+check_visual_pos(void)
+{
+ if (VIsual.lnum > curbuf->b_ml.ml_line_count)
+ {
+ VIsual.lnum = curbuf->b_ml.ml_line_count;
+ VIsual.col = 0;
+ VIsual.coladd = 0;
+ }
+ else
+ {
+ int len = (int)STRLEN(ml_get(VIsual.lnum));
+
+ if (VIsual.col > len)
+ {
+ VIsual.col = len;
+ VIsual.coladd = 0;
+ }
+ }
+}
+
#if defined(FEAT_TEXTOBJ) || defined(PROTO)
/*
* Make sure curwin->w_cursor is not on the NUL at the end of the line.
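Review bot: check_visual_pos() bounds `VIsual.lnum` only from above, so a value below 1 would still reach `ml_get()` in the else branch; whether that can occur is not visible in this hunk. The header comment should spell out what the function guarantees on return: `lnum` is at most `curbuf->b_ml.ml_line_count`, `col` is at most the byte length of that line (so `col == len`, on the terminating NUL, is accepted), and `coladd` is reset whenever `col` is changed. It is also worth noting the limit of the fix in a comment such as `// NOTE: col is only clamped to the line length, not re-aligned to a character boundary`. The trailing context lines of the hunk belong to the next function, which continues outside it.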
diff --git a/src/proto/misc2.pro b/src/proto/misc2.pro
index a52b462..6e6e22d 100644
--- a/src/proto/misc2.pro
+++ b/src/proto/misc2.pro
@@ -17,6 +17,7 @@ void check_cursor_lnum(void);
void check_cursor_col(void);
void check_cursor_col_win(win_T *win);
void check_cursor(void);
+void check_visual_pos(void);
void adjust_cursor_col(void);
int leftcol_changed(void);
void vim_mem_profile_dump(void);
diff --git a/src/testdir/test_visual.vim b/src/testdir/test_visual.vim
index 4f8f056..d21f8f1 100644
--- a/src/testdir/test_visual.vim
+++ b/src/testdir/test_visual.vim
@@ -956,3 +956,13 @@ func Test_visual_block_insert_round_off()
bwipe!
endfunc
+func Test_visual_block_with_substitute()
+ " this was reading beyond the end of the line
+ new
+ norm a0)
+ sil! norm  O
+ s/)
+ sil! norm 
+ bwipe!
+endfunc
+
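Review bot: Test_visual_block_with_substitute() contains no assertion, so it can only fail when the test run is instrumented to catch the out-of-bounds read (a sanitizer or valgrind build); on a plain build it presumably passes with or without the fix. Both Visual-mode steps also run under `sil!`, which hides any error they raise. Adding a check on the resulting buffer after the last `norm`, for example `call assert_equal(EXPECTED_TEXT, getline(1))` with the expected text filled in, would let the test catch a regression in more configurations. The two `sil! norm` lines appear to carry raw control characters that do not survive this rendering; writing them as `exe "norm ..."` with `\<C-V>`-style key notation would keep the test intact through tooling that strips or flags them.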
--
1.8.3.1