diff --git a/backport-CVE-2023-1170.patch b/backport-CVE-2023-1170.patch
new file mode 100644
index 0000000000000000000000000000000000000000..1343080610bb5437b835853bd697050280715097
--- /dev/null
+++ b/backport-CVE-2023-1170.patch
@@ -0,0 +1,63 @@
+From 1c73b65229c25e3c1fd8824ba958f7cc4d604f9c Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar
+Date: Fri, 3 Mar 2023 21:11:52 +0000
+Subject: [PATCH] patch 9.0.1376: accessing invalid memory with put in Visual
+ block mode
+
+Problem: Accessing invalid memory with put in Visual block mode.
+Solution: Adjust the cursor column if needed.
+---
+ src/register.c | 11 ++++++++++-
+ src/testdir/test_put.vim | 11 +++++++++++
+ 2 files changed, 21 insertions(+), 1 deletion(-)
+
+diff --git a/src/register.c b/src/register.c
+index 4dc0a68fd7a4..461363be378d 100644
+--- a/src/register.c
++++ b/src/register.c
+@@ -1913,7 +1913,7 @@ do_put(
+ ptr += yanklen;
+
+ // insert block's trailing spaces only if there's text behind
+- if ((j < count - 1 || !shortline) && spaces)
++ if ((j < count - 1 || !shortline) && spaces > 0)
+ {
+ vim_memset(ptr, ' ', (size_t)spaces);
+ ptr += spaces;
+@@ -2274,6 +2274,15 @@ do_put(
+ msgmore(nr_lines);
+ curwin->w_set_curswant = TRUE;
+
++ // Make sure the cursor is not after the NUL.
++ int len = (int)STRLEN(ml_get_curline());
++ if (curwin->w_cursor.col > len)
++ {
++ if (cur_ve_flags == VE_ALL)
++ curwin->w_cursor.coladd = curwin->w_cursor.col - len;
++ curwin->w_cursor.col = len;
++ }
++
+ end:
+ if (cmdmod.cmod_flags & CMOD_LOCKMARKS)
+ {
+diff --git a/src/testdir/test_put.vim b/src/testdir/test_put.vim
+index 66438bd3f69c..a6cea74efb6c 100644
+--- a/src/testdir/test_put.vim
++++ b/src/testdir/test_put.vim
+@@ -231,5 +231,16 @@ func Test_put_visual_mode()
+ set selection&
+ endfunc
+
++func Test_put_visual_block_mode()
++ enew
++ exe "norm 0R\\V"
++ sil exe "norm \c \"
++ set ve=all
++ sil norm vz=p
++
++ bwipe!
++ set ve=
++endfunc
++
+
+ " vim: shiftwidth=2 sts=2 expandtab
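Review bot: The clamp added before `end:` in do_put() needs a fuller comment than `// Make sure the cursor is not after the NUL.`, because two decisions are implicit in it: `col == len` is left alone (the cursor may sit on the NUL itself), and the overshoot is carried into `coladd` only when `cur_ve_flags == VE_ALL`. A comment such as `// A block put can leave col past the line end: clamp to the NUL and, with 've' set to "all", keep the overshoot as coladd.` would record that. Because the test is an equality, any other value of `cur_ve_flags` discards the overshoot silently; whether VE_ALL can be combined with other bits is not visible in this hunk, so that should be confirmed against its definition. The added Test_put_visual_block_mode contains no assertion, so it only reports the invalid access when the test suite runs under a memory checker, which is worth verifying for the package's build before treating the backport as validated. do_put()'s body starts and ends outside both register.c hunks, including the place where `spaces` is computed.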
diff --git a/backport-CVE-2023-1175.patch b/backport-CVE-2023-1175.patch
new file mode 100644
index 0000000000000000000000000000000000000000..e17dea06d132103ad081816ce57ab8eadca0d18e
--- /dev/null
+++ b/backport-CVE-2023-1175.patch
@@ -0,0 +1,47 @@
+From c99cbf8f289bdda5d4a77d7ec415850a520330ba Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar
+Date: Sat, 4 Mar 2023 14:13:10 +0000
+Subject: [PATCH] patch 9.0.1378: illegal memory access when using virtual
+ editing
+
+Problem: Illegal memory access when using virtual editing.
+Solution: Make sure "startspaces" is not negative.
+---
+ src/register.c | 2 ++
+ src/testdir/test_virtualedit.vim | 10 ++++++++++
+ 2 files changed, 12 insertions(+)
+
+diff --git a/src/register.c b/src/register.c
+index 461363be378d..f3df79cfd642 100644
+--- a/src/register.c
++++ b/src/register.c
+@@ -1247,6 +1247,8 @@ op_yank(oparg_T *oap, int deleting, int mess)
+ // double-count it.
+ bd.startspaces = (ce - cs + 1)
+ - oap->start.coladd;
++ if (bd.startspaces < 0)
++ bd.startspaces = 0;
+ startcol++;
+ }
+ }
+diff --git a/src/testdir/test_virtualedit.vim b/src/testdir/test_virtualedit.vim
+index 71cea427bac1..edaae678609d 100644
+--- a/src/testdir/test_virtualedit.vim
++++ b/src/testdir/test_virtualedit.vim
+@@ -88,6 +88,16 @@ func Test_edit_change()
+ set virtualedit=
+ endfunc
+
++func Test_edit_special_char()
++ new
++ se ve=all
++ norm a0
++ sil! exe "norm o00000\k - 2:9.0-29 +- Type:CVE +- ID:CVE-2023-1170 CVE-2023-1175 +- SUG:NA +- DESC:CVE-2023-1170 CVE-2023-1175 + * Wed Feb 22 2023 wangjiang - 2:9.0-28 - Type:bugfix - ID:NA