CVE: CVE-2021-3875 Upstream-Status: Backport Signed-off-by: Ross Burton From b8968e26d7508e7d64bfc86808142818b0a9288c Mon Sep 17 00:00:00 2001 From: Bram Moolenaar Date: Sat, 9 Oct 2021 13:58:55 +0100 Subject: [PATCH] patch 8.2.3489: ml_get error after search with range Problem: ml_get error after search with range. Solution: Limit the line number to the buffer line count. --- src/ex_docmd.c | 6 ++++-- src/testdir/test_search.vim | 17 +++++++++++++++++ src/version.c | 2 ++ 3 files changed, 23 insertions(+), 2 deletions(-) diff --git a/src/ex_docmd.c b/src/ex_docmd.c index fb07450f8..fde726477 100644 --- a/src/ex_docmd.c +++ b/src/ex_docmd.c @@ -3586,8 +3586,10 @@ get_address( // When '/' or '?' follows another address, start from // there. - if (lnum != MAXLNUM) - curwin->w_cursor.lnum = lnum; + if (lnum > 0 && lnum != MAXLNUM) + curwin->w_cursor.lnum = + lnum > curbuf->b_ml.ml_line_count + ? curbuf->b_ml.ml_line_count : lnum; // Start a forward search at the end of the line (unless // before the first line). diff --git a/src/testdir/test_search.vim b/src/testdir/test_search.vim index 187671305..e142c3547 100644 --- a/src/testdir/test_search.vim +++ b/src/testdir/test_search.vim @@ -1366,3 +1366,20 @@ func Test_searchdecl() bwipe! endfunc + +func Test_search_with_invalid_range() + new + let lines =<< trim END + /\%.v + 5/ + c + END + call writefile(lines, 'Xrangesearch') + source Xrangesearch + + bwipe! + call delete('Xrangesearch') +endfunc + + +" vim: shiftwidth=2 sts=2 expandtab diff --git a/src/version.c b/src/version.c index 2b5de5ccf..092864bbb 100644 --- a/src/version.c +++ b/src/version.c @@ -742,6 +742,8 @@ static char *(features[]) = static int included_patches[] = { /* Add new patch number below this line */ +/**/ + 3489, /**/ 3487, /**/