diff options
Diffstat (limited to 'meta/recipes-support/vim/files/0003-patch-8.2.3487-illegal-memory-access-if-buffer-name-.patch')
-rw-r--r-- | meta/recipes-support/vim/files/0003-patch-8.2.3487-illegal-memory-access-if-buffer-name-.patch | 86 |
1 files changed, 86 insertions, 0 deletions
diff --git a/meta/recipes-support/vim/files/0003-patch-8.2.3487-illegal-memory-access-if-buffer-name-.patch b/meta/recipes-support/vim/files/0003-patch-8.2.3487-illegal-memory-access-if-buffer-name-.patch new file mode 100644 index 0000000000..576664f436 --- /dev/null +++ b/meta/recipes-support/vim/files/0003-patch-8.2.3487-illegal-memory-access-if-buffer-name-.patch @@ -0,0 +1,86 @@ +CVE: CVE-2021-3872 +Upstream-Status: Backport +Signed-off-by: Ross Burton <ross.burton@arm.com> + +From 61629ea24a2fff1f89c37479d3fb52f17c3480fc Mon Sep 17 00:00:00 2001 +From: Bram Moolenaar <Bram@vim.org> +Date: Fri, 8 Oct 2021 18:39:28 +0100 +Subject: [PATCH] patch 8.2.3487: illegal memory access if buffer name is very + long + +Problem: Illegal memory access if buffer name is very long. +Solution: Make sure not to go over the end of the buffer. +--- + src/drawscreen.c | 10 +++++----- + src/testdir/test_statusline.vim | 11 +++++++++++ + src/version.c | 2 ++ + 3 files changed, 18 insertions(+), 5 deletions(-) + +diff --git a/src/drawscreen.c b/src/drawscreen.c +index 3a88ee979..9acb70552 100644 +--- a/src/drawscreen.c ++++ b/src/drawscreen.c +@@ -446,13 +446,13 @@ win_redr_status(win_T *wp, int ignore_pum UNUSED) + *(p + len++) = ' '; + if (bt_help(wp->w_buffer)) + { +- STRCPY(p + len, _("[Help]")); ++ vim_snprintf((char *)p + len, MAXPATHL - len, "%s", _("[Help]")); + len += (int)STRLEN(p + len); + } + #ifdef FEAT_QUICKFIX + if (wp->w_p_pvw) + { +- STRCPY(p + len, _("[Preview]")); ++ vim_snprintf((char *)p + len, MAXPATHL - len, "%s", _("[Preview]")); + len += (int)STRLEN(p + len); + } + #endif +@@ -462,12 +462,12 @@ win_redr_status(win_T *wp, int ignore_pum UNUSED) + #endif + ) + { +- STRCPY(p + len, "[+]"); +- len += 3; ++ vim_snprintf((char *)p + len, MAXPATHL - len, "%s", "[+]"); ++ len += (int)STRLEN(p + len); + } + if (wp->w_buffer->b_p_ro) + { +- STRCPY(p + len, _("[RO]")); ++ vim_snprintf((char *)p + len, MAXPATHL - len, "%s", _("[RO]")); + len += (int)STRLEN(p + len); + } + +diff --git a/src/testdir/test_statusline.vim b/src/testdir/test_statusline.vim +index 1f705b847..91bce1407 100644 +--- a/src/testdir/test_statusline.vim ++++ b/src/testdir/test_statusline.vim +@@ -393,3 +393,14 @@ func Test_statusline_visual() + bwipe! x1 + bwipe! x2 + endfunc ++" Used to write beyond allocated memory. This assumes MAXPATHL is 4096 bytes. ++func Test_statusline_verylong_filename() ++ let fname = repeat('x', 4090) ++ exe "new " .. fname ++ set buftype=help ++ set previewwindow ++ redraw ++ bwipe! ++endfunc ++ ++" vim: shiftwidth=2 sts=2 expandtab +diff --git a/src/version.c b/src/version.c +index 1046993d6..2b5de5ccf 100644 +--- a/src/version.c ++++ b/src/version.c +@@ -742,6 +742,8 @@ static char *(features[]) = + + static int included_patches[] = + { /* Add new patch number below this line */ ++/**/ ++ 3487, + /**/ + 3428, + /**/ |