master

分支 (13)

标签 (11)

管理

管理

master

openEuler-20.03-LTS-SP1

openEuler-22.03-LTS-Next

openEuler-20.03-LTS-SP3

openEuler-22.03-LTS

openEuler-21.09

openEuler-20.03-LTS-SP2

openEuler-20.03-LTS

openEuler-20.03-LTS-Next

openEuler-21.03

openEuler-20.09

openEuler1.0-base

openEuler1.0

openEuler-22.03-LTS-20220331

openEuler-22.03-LTS-round5

openEuler-22.03-LTS-round3

openEuler-22.03-LTS-round2

openEuler-22.03-LTS-round1

openEuler-20.03-LTS-SP3-release

openEuler-20.03-LTS-SP2-20210624

openEuler-21.03-20210330

openEuler-20.09-20200929

openEuler-20.03-LTS-20200606

openEuler-20.03-LTS-tag

vim
/
backport-CVE-2022-1735.patch

From 7ce5b2b590256ce53d6af28c1d203fb3bc1d2d97 Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Mon, 16 May 2022 19:40:59 +0100
Subject: [PATCH] patch 8.2.4969: changing text in Visual mode may cause
 invalid memory access

Problem:    Changing text in Visual mode may cause invalid memory access.
Solution:   Check the Visual position after making a change.
---
 src/change.c                |  3 +++
 src/edit.c                  | 12 ++----------
 src/misc2.c                 | 25 +++++++++++++++++++++++++
 src/proto/misc2.pro         |  1 +
 src/testdir/test_visual.vim | 10 ++++++++++
 5 files changed, 41 insertions(+), 10 deletions(-)

diff --git a/src/change.c b/src/change.c
index f2dfc93..a5ebbdf 100644
--- a/src/change.c
+++ b/src/change.c
@@ -523,6 +523,9 @@ changed_common(
 #endif
     }

+    if (VIsual_active)
+	check_visual_pos();
+
     FOR_ALL_TAB_WINDOWS(tp, wp)
     {
 	if (wp->w_buffer == curbuf)
diff --git a/src/edit.c b/src/edit.c
index f77cc05..0dd6b93 100644
--- a/src/edit.c
+++ b/src/edit.c
@@ -3101,16 +3101,8 @@ stop_insert(

 	    // <C-S-Right> may have started Visual mode, adjust the position for
 	    // deleted characters.
-	    if (VIsual_active && VIsual.lnum == curwin->w_cursor.lnum)
-	    {
-		int len = (int)STRLEN(ml_get_curline());
-
-		if (VIsual.col > len)
-		{
-		    VIsual.col = len;
-		    VIsual.coladd = 0;
-		}
-	    }
+	    if (VIsual_active)
+		check_visual_pos();
 	}
     }
     did_ai = FALSE;
diff --git a/src/misc2.c b/src/misc2.c
index 80731f0..51244da 100644
--- a/src/misc2.c
+++ b/src/misc2.c
@@ -618,6 +618,31 @@ check_cursor(void)
     check_cursor_col();
 }

+/*
+ * Check if VIsual position is valid, correct it if not.
+ * Can be called when in Visual mode and a change has been made.
+ */
+    void
+check_visual_pos(void)
+{
+    if (VIsual.lnum > curbuf->b_ml.ml_line_count)
+    {
+	VIsual.lnum = curbuf->b_ml.ml_line_count;
+	VIsual.col = 0;
+	VIsual.coladd = 0;
+    }
+    else
+    {
+	int len = (int)STRLEN(ml_get(VIsual.lnum));
+
+	if (VIsual.col > len)
+	{
+	    VIsual.col = len;
+	    VIsual.coladd = 0;
+	}
+    }
+}
+
 #if defined(FEAT_TEXTOBJ) || defined(PROTO)
 /*
  * Make sure curwin->w_cursor is not on the NUL at the end of the line.
diff --git a/src/proto/misc2.pro b/src/proto/misc2.pro
index a52b462..6e6e22d 100644
--- a/src/proto/misc2.pro
+++ b/src/proto/misc2.pro
@@ -17,6 +17,7 @@ void check_cursor_lnum(void);
 void check_cursor_col(void);
 void check_cursor_col_win(win_T *win);
 void check_cursor(void);
+void check_visual_pos(void);
 void adjust_cursor_col(void);
 int leftcol_changed(void);
 void vim_mem_profile_dump(void);
diff --git a/src/testdir/test_visual.vim b/src/testdir/test_visual.vim
index 4f8f056..d21f8f1 100644
--- a/src/testdir/test_visual.vim
+++ b/src/testdir/test_visual.vim
@@ -956,3 +956,13 @@ func Test_visual_block_insert_round_off()
   bwipe!
 endfunc

+func Test_visual_block_with_substitute()
+  " this was reading beyond the end of the line
+  new
+  norm a0)
+  sil! norm  O
+  s/)
+  sil! norm
+  bwipe!
+endfunc
+
--
1.8.3.1