summaryrefslogtreecommitdiffstats
path: root/patches/source/vim/CVE-2022-2817.patch
diff options
context:
space:
mode:
Diffstat (limited to 'patches/source/vim/CVE-2022-2817.patch')
-rw-r--r--patches/source/vim/CVE-2022-2817.patch69
1 files changed, 69 insertions, 0 deletions
diff --git a/patches/source/vim/CVE-2022-2817.patch b/patches/source/vim/CVE-2022-2817.patch
new file mode 100644
index 000000000..d9bfc1a66
--- /dev/null
+++ b/patches/source/vim/CVE-2022-2817.patch
@@ -0,0 +1,69 @@
+From 249e1b903a9c0460d618f6dcc59aeb8c03b24b20 Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Sun, 14 Aug 2022 22:23:02 +0100
+Subject: [PATCH] patch 9.0.0213: using freed memory with error in assert
+ argument
+
+Problem: Using freed memory with error in assert argument.
+Solution: Make a copy of the error.
+---
+
+diff --git a/src/testdir/test_assert.vim b/src/testdir/test_assert.vim
+index 27b2d73fbfc8..7c9d090b39df 100644
+--- a/src/testdir/test_assert.vim
++++ b/src/testdir/test_assert.vim
+@@ -291,6 +291,10 @@ func Test_assert_fail_fails()
+ let exp = v:exception
+ endtry
+ call assert_match("E1174: String required for argument 5", exp)
++
++ call assert_equal(1, assert_fails('c0', ['', '\1']))
++ call assert_match("Expected '\\\\\\\\1' but got 'E939: Positive count required: c0': c0", v:errors[0])
++ call remove(v:errors, 0)
+ endfunc
+
+ func Test_assert_fails_in_try_block()
+diff --git a/src/testing.c b/src/testing.c
+index f2355f5dac13..21eb9c18e6e2 100644
+--- a/src/testing.c
++++ b/src/testing.c
+@@ -597,6 +597,7 @@ f_assert_fails(typval_T *argvars, typval_T *rettv)
+ int save_trylevel = trylevel;
+ int called_emsg_before = called_emsg;
+ char *wrong_arg_msg = NULL;
++ char_u *tofree = NULL;
+
+ if (check_for_string_or_number_arg(argvars, 0) == FAIL
+ || check_for_opt_string_or_list_arg(argvars, 1) == FAIL
+@@ -660,13 +661,17 @@ f_assert_fails(typval_T *argvars, typval_T *rettv)
+ }
+ else if (list->lv_len == 2)
+ {
+- tv = &list->lv_u.mat.lv_last->li_tv;
+- actual = get_vim_var_str(VV_ERRMSG);
+- expected = tv_get_string_buf_chk(tv, buf);
+- if (!pattern_match(expected, actual, FALSE))
++ // make a copy, an error in pattern_match() may free it
++ tofree = actual = vim_strsave(get_vim_var_str(VV_ERRMSG));
++ if (actual != NULL)
+ {
+- error_found = TRUE;
+- expected_str = expected;
++ tv = &list->lv_u.mat.lv_last->li_tv;
++ expected = tv_get_string_buf_chk(tv, buf);
++ if (!pattern_match(expected, actual, FALSE))
++ {
++ error_found = TRUE;
++ expected_str = expected;
++ }
+ }
+ }
+ }
+@@ -749,6 +754,7 @@ f_assert_fails(typval_T *argvars, typval_T *rettv)
+ msg_scrolled = 0;
+ lines_left = Rows;
+ VIM_CLEAR(emsg_assert_fails_msg);
++ vim_free(tofree);
+ set_vim_var_string(VV_ERRMSG, NULL, 0);
+ if (wrong_arg_msg != NULL)
+ emsg(_(wrong_arg_msg));
generated by cgit v1.2.3 (git 2.26.2) at 2024-05-02 19:14:58 +0000