diff options
Diffstat (limited to 'patches/source/vim/CVE-2022-2817.patch')
-rw-r--r-- | patches/source/vim/CVE-2022-2817.patch | 69 |
1 files changed, 69 insertions, 0 deletions
diff --git a/patches/source/vim/CVE-2022-2817.patch b/patches/source/vim/CVE-2022-2817.patch new file mode 100644 index 000000000..d9bfc1a66 --- /dev/null +++ b/patches/source/vim/CVE-2022-2817.patch @@ -0,0 +1,69 @@ +From 249e1b903a9c0460d618f6dcc59aeb8c03b24b20 Mon Sep 17 00:00:00 2001 +From: Bram Moolenaar <Bram@vim.org> +Date: Sun, 14 Aug 2022 22:23:02 +0100 +Subject: [PATCH] patch 9.0.0213: using freed memory with error in assert + argument + +Problem: Using freed memory with error in assert argument. +Solution: Make a copy of the error. +--- + +diff --git a/src/testdir/test_assert.vim b/src/testdir/test_assert.vim +index 27b2d73fbfc8..7c9d090b39df 100644 +--- a/src/testdir/test_assert.vim ++++ b/src/testdir/test_assert.vim +@@ -291,6 +291,10 @@ func Test_assert_fail_fails() + let exp = v:exception + endtry + call assert_match("E1174: String required for argument 5", exp) ++ ++ call assert_equal(1, assert_fails('c0', ['', '\1'])) ++ call assert_match("Expected '\\\\\\\\1' but got 'E939: Positive count required: c0': c0", v:errors[0]) ++ call remove(v:errors, 0) + endfunc + + func Test_assert_fails_in_try_block() +diff --git a/src/testing.c b/src/testing.c +index f2355f5dac13..21eb9c18e6e2 100644 +--- a/src/testing.c ++++ b/src/testing.c +@@ -597,6 +597,7 @@ f_assert_fails(typval_T *argvars, typval_T *rettv) + int save_trylevel = trylevel; + int called_emsg_before = called_emsg; + char *wrong_arg_msg = NULL; ++ char_u *tofree = NULL; + + if (check_for_string_or_number_arg(argvars, 0) == FAIL + || check_for_opt_string_or_list_arg(argvars, 1) == FAIL +@@ -660,13 +661,17 @@ f_assert_fails(typval_T *argvars, typval_T *rettv) + } + else if (list->lv_len == 2) + { +- tv = &list->lv_u.mat.lv_last->li_tv; +- actual = get_vim_var_str(VV_ERRMSG); +- expected = tv_get_string_buf_chk(tv, buf); +- if (!pattern_match(expected, actual, FALSE)) ++ // make a copy, an error in pattern_match() may free it ++ tofree = actual = vim_strsave(get_vim_var_str(VV_ERRMSG)); ++ if (actual != NULL) + { +- error_found = TRUE; +- expected_str = expected; ++ tv = &list->lv_u.mat.lv_last->li_tv; ++ expected = tv_get_string_buf_chk(tv, buf); ++ if (!pattern_match(expected, actual, FALSE)) ++ { ++ error_found = TRUE; ++ expected_str = expected; ++ } + } + } + } +@@ -749,6 +754,7 @@ f_assert_fails(typval_T *argvars, typval_T *rettv) + msg_scrolled = 0; + lines_left = Rows; + VIM_CLEAR(emsg_assert_fails_msg); ++ vim_free(tofree); + set_vim_var_string(VV_ERRMSG, NULL, 0); + if (wrong_arg_msg != NULL) + emsg(_(wrong_arg_msg)); |