master

分支 (14)

标签 (11)

管理

管理

master

openEuler-22.03-LTS-Next

virctest1

openEuler1.0

openEuler-20.03-LTS-SP1

openEuler-20.03-LTS-SP3

openEuler-22.03-LTS

openEuler-21.09

openEuler-20.03-LTS-SP2

openEuler-20.03-LTS

openEuler-20.03-LTS-Next

openEuler-21.03

openEuler-20.09

openEuler1.0-base

openEuler-22.03-LTS-20220331

openEuler-22.03-LTS-round5

openEuler-22.03-LTS-round3

openEuler-22.03-LTS-round2

openEuler-22.03-LTS-round1

openEuler-20.03-LTS-SP3-release

openEuler-20.03-LTS-SP2-20210624

openEuler-21.03-20210330

openEuler-20.09-20200929

openEuler-20.03-LTS-20200606

openEuler-20.03-LTS-tag

vim
/
backport-CVE-2022-0261.patch

From 9f8c304c8a390ade133bac29963dc8e56ab14cbc Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Mon, 17 Jan 2022 17:30:21 +0000
Subject: [PATCH] patch 8.2.4120: block insert goes over the end of the line

Problem:    Block insert goes over the end of the line.
Solution:   Handle invalid byte better.  Fix inserting the wrong text.
---
 src/ops.c                   | 40 ++++++++++++++++++++++++-------------
 src/testdir/test_visual.vim | 10 ++++++++++
 2 files changed, 36 insertions(+), 14 deletions(-)

diff --git a/src/ops.c b/src/ops.c
index d3e1e47..13e6bdb 100644
--- a/src/ops.c
+++ b/src/ops.c
@@ -535,22 +535,27 @@ block_insert(
 	    if (b_insert)
 	    {
 		off = (*mb_head_off)(oldp, oldp + offset + spaces);
+		spaces -= off;
+		count -= off;
 	    }
 	    else
 	    {
-		off = (*mb_off_next)(oldp, oldp + offset);
-		offset += off;
+		// spaces fill the gap, the character that's at the edge moves
+		// right
+		off = (*mb_head_off)(oldp, oldp + offset);
+		offset -= off;
 	    }
-	    spaces -= off;
-	    count -= off;
 	}

-	newp = alloc(STRLEN(oldp) + s_len + count + 1);
+	// Make sure the allocated size matches what is actually copied below.
+	newp = alloc(STRLEN(oldp) + spaces + s_len
+		    + (spaces > 0 && !bdp->is_short ? ts_val - spaces : 0)
+								  + count + 1);
 	if (newp == NULL)
 	    continue;

 	// copy up to shifted part
-	mch_memmove(newp, oldp, (size_t)(offset));
+	mch_memmove(newp, oldp, (size_t)offset);
 	oldp += offset;

 	// insert pre-padding
@@ -560,14 +565,21 @@ block_insert(
 	mch_memmove(newp + offset + spaces, s, (size_t)s_len);
 	offset += s_len;

-	if (spaces && !bdp->is_short)
+	if (spaces > 0 && !bdp->is_short)
 	{
-	    // insert post-padding
-	    vim_memset(newp + offset + spaces, ' ', (size_t)(ts_val - spaces));
-	    // We're splitting a TAB, don't copy it.
-	    oldp++;
-	    // We allowed for that TAB, remember this now
-	    count++;
+	    if (*oldp == TAB)
+	    {
+		// insert post-padding
+		vim_memset(newp + offset + spaces, ' ',
+						    (size_t)(ts_val - spaces));
+		// we're splitting a TAB, don't copy it
+		oldp++;
+		// We allowed for that TAB, remember this now
+		count++;
+	    }
+	    else
+		// Not a TAB, no extra spaces
+		count = spaces;
 	}

 	if (spaces > 0)
@@ -1609,7 +1621,7 @@ op_insert(oparg_T *oap, long count1)
 		oap->start_vcol = t;
 	    }
 	    else if (oap->op_type == OP_APPEND
-		      && oap->end.col + oap->end.coladd
+			&& oap->start.col + oap->start.coladd
 			>= curbuf->b_op_start_orig.col
 					      + curbuf->b_op_start_orig.coladd)
 	    {
diff --git a/src/testdir/test_visual.vim b/src/testdir/test_visual.vim
index 0705fdb..84a8981 100644
--- a/src/testdir/test_visual.vim
+++ b/src/testdir/test_visual.vim
@@ -903,3 +903,13 @@ func Test_visual_block_ctrl_w_f()
 endfunc

 " vim: shiftwidth=2 sts=2 expandtab
+
+func Test_visual_block_append_invalid_char()
+  " this was going over the end of the line
+  new
+  call setline(1, ['	   let xxx', 'xxxxx', 'xxxxxxxxxxx'])
+  exe "normal 0\<C-V>jjA-\<Esc>"
+  call assert_equal(['	-   let xxx', 'xxxxx   -', 'xxxxxxxx-xxx'], getline(1, 3))
+  bwipe!
+endfunc
+
--
2.27.0