Projects
Mega:23.09
vim
_service:tar_scm:backport-CVE-2022-2289.patch
Sign Up
Log In
Username
Password
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File _service:tar_scm:backport-CVE-2022-2289.patch of Package vim
From c5274dd12224421f2430b30c53b881b9403d649e Mon Sep 17 00:00:00 2001 From: Bram Moolenaar <Bram@vim.org> Date: Sat, 2 Jul 2022 15:10:00 +0100 Subject: [PATCH] patch 9.0.0026: accessing freed memory with diff put Problem: Accessing freed memory with diff put. Solution: Bail out when diff pointer is no longer valid. --- src/diff.c | 24 ++++++++++++++++++++++-- 1 files changed, 22 insertions(+), 2 deletions(-) diff --git a/src/diff.c b/src/diff.c index 91e5ae2..e4bafe2 100644 --- a/src/diff.c +++ b/src/diff.c @@ -2643,6 +2643,20 @@ nv_diffgetput(int put, long count) } /* + * Return TRUE if "diff" appears in the list of diff blocks of the current tab. + */ + static int +valid_diff(diff_T *diff) +{ + diff_T *dp; + + for (dp = curtab->tp_first_diff; dp != NULL; dp = dp->df_next) + if (dp == diff) + return TRUE; + return FALSE; +} + +/* * ":diffget" * ":diffput" */ @@ -2899,9 +2913,9 @@ ex_diffgetput(exarg_T *eap) } } - // Adjust marks. This will change the following entries! if (added != 0) { + // Adjust marks. This will change the following entries! mark_adjust(lnum, lnum + count - 1, (long)MAXLNUM, (long)added); if (curwin->w_cursor.lnum >= lnum) { @@ -2923,7 +2937,13 @@ ex_diffgetput(exarg_T *eap) #endif vim_free(dfree); } - else + + // mark_adjust() may have made "dp" invalid. We don't know where + // to continue then, bail out. + if (added != 0 && !valid_diff(dp)) + break; + + if (dfree == NULL) // mark_adjust() may have changed the count in a wrong way dp->df_count[idx_to] = new_count; -- 1.8.3.1
Locations
Projects
Search
Status Monitor
Help
Open Build Service
OBS Manuals
API Documentation
OBS Portal
Reporting a Bug
Contact
Mailing List
Forums
Chat (IRC)
Twitter
Open Build Service (OBS)
is an
openSUSE project
.
浙ICP备2022010568号-2