diff options
Diffstat (limited to 'meta/recipes-support/vim/files/0003-patch-8.2.3487-illegal-memory-access-if-buffer-name-.patch')
| -rw-r--r-- | meta/recipes-support/vim/files/0003-patch-8.2.3487-illegal-memory-access-if-buffer-name-.patch | 86 |
1 files changed, 0 insertions, 86 deletions
diff --git a/meta/recipes-support/vim/files/0003-patch-8.2.3487-illegal-memory-access-if-buffer-name-.patch b/meta/recipes-support/vim/files/0003-patch-8.2.3487-illegal-memory-access-if-buffer-name-.patch deleted file mode 100644 index 576664f436..0000000000 --- a/meta/recipes-support/vim/files/0003-patch-8.2.3487-illegal-memory-access-if-buffer-name-.patch +++ /dev/null @@ -1,86 +0,0 @@ -CVE: CVE-2021-3872 -Upstream-Status: Backport -Signed-off-by: Ross Burton <ross.burton@arm.com> - -From 61629ea24a2fff1f89c37479d3fb52f17c3480fc Mon Sep 17 00:00:00 2001 -From: Bram Moolenaar <Bram@vim.org> -Date: Fri, 8 Oct 2021 18:39:28 +0100 -Subject: [PATCH] patch 8.2.3487: illegal memory access if buffer name is very - long - -Problem: Illegal memory access if buffer name is very long. -Solution: Make sure not to go over the end of the buffer. ---- - src/drawscreen.c | 10 +++++----- - src/testdir/test_statusline.vim | 11 +++++++++++ - src/version.c | 2 ++ - 3 files changed, 18 insertions(+), 5 deletions(-) - -diff --git a/src/drawscreen.c b/src/drawscreen.c -index 3a88ee979..9acb70552 100644 ---- a/src/drawscreen.c -+++ b/src/drawscreen.c -@@ -446,13 +446,13 @@ win_redr_status(win_T *wp, int ignore_pum UNUSED) - *(p + len++) = ' '; - if (bt_help(wp->w_buffer)) - { -- STRCPY(p + len, _("[Help]")); -+ vim_snprintf((char *)p + len, MAXPATHL - len, "%s", _("[Help]")); - len += (int)STRLEN(p + len); - } - #ifdef FEAT_QUICKFIX - if (wp->w_p_pvw) - { -- STRCPY(p + len, _("[Preview]")); -+ vim_snprintf((char *)p + len, MAXPATHL - len, "%s", _("[Preview]")); - len += (int)STRLEN(p + len); - } - #endif -@@ -462,12 +462,12 @@ win_redr_status(win_T *wp, int ignore_pum UNUSED) - #endif - ) - { -- STRCPY(p + len, "[+]"); -- len += 3; -+ vim_snprintf((char *)p + len, MAXPATHL - len, "%s", "[+]"); -+ len += (int)STRLEN(p + len); - } - if (wp->w_buffer->b_p_ro) - { -- STRCPY(p + len, _("[RO]")); -+ vim_snprintf((char *)p + len, MAXPATHL - len, "%s", _("[RO]")); - len += (int)STRLEN(p + len); - } - -diff --git a/src/testdir/test_statusline.vim b/src/testdir/test_statusline.vim -index 1f705b847..91bce1407 100644 ---- a/src/testdir/test_statusline.vim -+++ b/src/testdir/test_statusline.vim -@@ -393,3 +393,14 @@ func Test_statusline_visual() - bwipe! x1 - bwipe! x2 - endfunc -+" Used to write beyond allocated memory. This assumes MAXPATHL is 4096 bytes. -+func Test_statusline_verylong_filename() -+ let fname = repeat('x', 4090) -+ exe "new " .. fname -+ set buftype=help -+ set previewwindow -+ redraw -+ bwipe! -+endfunc -+ -+" vim: shiftwidth=2 sts=2 expandtab -diff --git a/src/version.c b/src/version.c -index 1046993d6..2b5de5ccf 100644 ---- a/src/version.c -+++ b/src/version.c -@@ -742,6 +742,8 @@ static char *(features[]) = - - static int included_patches[] = - { /* Add new patch number below this line */ -+/**/ -+ 3487, - /**/ - 3428, - /**/ |