import vim-8.2.2637-16.el9_0.3
This commit is contained in:
parent
26c4c8da8b
commit
f94b1b6eaf
@ -0,0 +1,110 @@
|
||||
From e3537aec2f8d6470010547af28dcbd83d41461b8 Mon Sep 17 00:00:00 2001
|
||||
From: Bram Moolenaar <Bram@vim.org>
|
||||
Date: Tue, 8 Feb 2022 15:05:20 +0000
|
||||
Subject: [PATCH] patch 8.2.4327: may end up with no current buffer
|
||||
|
||||
Problem: May end up with no current buffer.
|
||||
Solution: When deleting the current buffer to not pick a quickfix buffer as
|
||||
the new current buffer.
|
||||
---
|
||||
src/buffer.c | 26 ++++++++++++++++++++++----
|
||||
src/testdir/test_quickfix.vim | 25 +++++++++++++++++++++++++
|
||||
src/version.c | 2 ++
|
||||
3 files changed, 49 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/src/buffer.c b/src/buffer.c
|
||||
index 81bdb31ca..b3e2bc3f9 100644
|
||||
--- a/src/buffer.c
|
||||
+++ b/src/buffer.c
|
||||
@@ -1430,8 +1430,14 @@ do_buffer_ext(
|
||||
buf = buflist_findnr(curwin->w_jumplist[jumpidx].fmark.fnum);
|
||||
if (buf != NULL)
|
||||
{
|
||||
- if (buf == curbuf || !buf->b_p_bl)
|
||||
- buf = NULL; // skip current and unlisted bufs
|
||||
+ // Skip current and unlisted bufs. Also skip a quickfix
|
||||
+ // buffer, it might be deleted soon.
|
||||
+ if (buf == curbuf || !buf->b_p_bl
|
||||
+#if defined(FEAT_QUICKFIX)
|
||||
+ || bt_quickfix(buf)
|
||||
+#endif
|
||||
+ )
|
||||
+ buf = NULL;
|
||||
else if (buf->b_ml.ml_mfp == NULL)
|
||||
{
|
||||
// skip unloaded buf, but may keep it for later
|
||||
@@ -1467,7 +1473,11 @@ do_buffer_ext(
|
||||
continue;
|
||||
}
|
||||
// in non-help buffer, try to skip help buffers, and vv
|
||||
- if (buf->b_help == curbuf->b_help && buf->b_p_bl)
|
||||
+ if (buf->b_help == curbuf->b_help && buf->b_p_bl
|
||||
+#if defined(FEAT_QUICKFIX)
|
||||
+ && !bt_quickfix(buf)
|
||||
+#endif
|
||||
+ )
|
||||
{
|
||||
if (buf->b_ml.ml_mfp != NULL) // found loaded buffer
|
||||
break;
|
||||
@@ -1485,7 +1495,11 @@ do_buffer_ext(
|
||||
if (buf == NULL) // No loaded buffer, find listed one
|
||||
{
|
||||
FOR_ALL_BUFFERS(buf)
|
||||
- if (buf->b_p_bl && buf != curbuf)
|
||||
+ if (buf->b_p_bl && buf != curbuf
|
||||
+#if defined(FEAT_QUICKFIX)
|
||||
+ && !bt_quickfix(buf)
|
||||
+#endif
|
||||
+ )
|
||||
break;
|
||||
}
|
||||
if (buf == NULL) // Still no buffer, just take one
|
||||
@@ -1494,6 +1508,10 @@ do_buffer_ext(
|
||||
buf = curbuf->b_next;
|
||||
else
|
||||
buf = curbuf->b_prev;
|
||||
+#if defined(FEAT_QUICKFIX)
|
||||
+ if (bt_quickfix(buf))
|
||||
+ buf = NULL;
|
||||
+#endif
|
||||
}
|
||||
}
|
||||
|
||||
diff --git a/src/testdir/test_quickfix.vim b/src/testdir/test_quickfix.vim
|
||||
index 07fdb9644..adb0ea4fd 100644
|
||||
--- a/src/testdir/test_quickfix.vim
|
||||
+++ b/src/testdir/test_quickfix.vim
|
||||
@@ -5851,5 +5851,30 @@ func Test_lopen_bwipe()
|
||||
delfunc R
|
||||
endfunc
|
||||
|
||||
+" Another sequence of commands that caused all buffers to be wiped out
|
||||
+func Test_lopen_bwipe_all()
|
||||
+ let lines =<< trim END
|
||||
+ func R()
|
||||
+ silent! tab lopen
|
||||
+ e foo
|
||||
+ silent! lfile
|
||||
+ endfunc
|
||||
+ cal R()
|
||||
+ exe "norm \<C-W>\<C-V>0"
|
||||
+ cal R()
|
||||
+ bwipe
|
||||
+
|
||||
+ call writefile(['done'], 'Xresult')
|
||||
+ qall!
|
||||
+ END
|
||||
+ call writefile(lines, 'Xscript')
|
||||
+ if RunVim([], [], '-u NONE -n -X -Z -e -m -s -S Xscript')
|
||||
+ call assert_equal(['done'], readfile('Xresult'))
|
||||
+ endif
|
||||
+
|
||||
+ call delete('Xscript')
|
||||
+ call delete('Xresult')
|
||||
+endfunc
|
||||
+
|
||||
|
||||
" vim: shiftwidth=2 sts=2 expandtab
|
||||
--
|
||||
2.35.1
|
||||
|
@ -0,0 +1,39 @@
|
||||
diff -up vim82/src/spellsuggest.c.cve0943 vim82/src/spellsuggest.c
|
||||
--- vim82/src/spellsuggest.c.cve0943 2022-03-28 20:48:07.079197805 +0200
|
||||
+++ vim82/src/spellsuggest.c 2022-03-28 20:48:07.101197522 +0200
|
||||
@@ -501,6 +501,10 @@ spell_suggest(int count)
|
||||
curwin->w_cursor.col = VIsual.col;
|
||||
++badlen;
|
||||
end_visual_mode();
|
||||
+ // make sure we don't include the NUL at the end of the line
|
||||
+ line = ml_get_curline();
|
||||
+ if (badlen > STRLEN(line) - curwin->w_cursor.col)
|
||||
+ badlen = STRLEN(line) - curwin->w_cursor.col;
|
||||
}
|
||||
// Find the start of the badly spelled word.
|
||||
else if (spell_move_to(curwin, FORWARD, TRUE, TRUE, NULL) == 0
|
||||
diff -up vim82/src/testdir/test_spell.vim.cve0943 vim82/src/testdir/test_spell.vim
|
||||
--- vim82/src/testdir/test_spell.vim.cve0943 2022-03-28 20:48:07.102197509 +0200
|
||||
+++ vim82/src/testdir/test_spell.vim 2022-03-28 20:49:05.038452974 +0200
|
||||
@@ -441,6 +441,21 @@ func Test_spellsuggest_expr_errors()
|
||||
delfunc MySuggest3
|
||||
endfunc
|
||||
|
||||
+func Test_spellsuggest_visual_end_of_line()
|
||||
+ let enc_save = &encoding
|
||||
+ set encoding=iso8859
|
||||
+
|
||||
+ " This was reading beyond the end of the line.
|
||||
+ norm R00000000000
|
||||
+ sil norm 0
|
||||
+ sil! norm i00000)
|
||||
+ sil! norm i00000)
|
||||
+ call feedkeys("\<CR>")
|
||||
+ norm z=
|
||||
+
|
||||
+ let &encoding = enc_save
|
||||
+endfunc
|
||||
+
|
||||
func Test_spellinfo()
|
||||
new
|
||||
let runtime = substitute($VIMRUNTIME, '\\', '/', 'g')
|
@ -0,0 +1,44 @@
|
||||
diff -up vim82/src/regexp_bt.c.cve1154 vim82/src/regexp_bt.c
|
||||
--- vim82/src/regexp_bt.c.cve1154 2022-04-25 15:22:28.367621755 +0200
|
||||
+++ vim82/src/regexp_bt.c 2022-04-25 15:25:13.726340728 +0200
|
||||
@@ -3188,8 +3188,17 @@ regmatch(
|
||||
int mark = OPERAND(scan)[0];
|
||||
int cmp = OPERAND(scan)[1];
|
||||
pos_T *pos;
|
||||
+ size_t col = REG_MULTI ? rex.input - rex.line : 0;
|
||||
|
||||
pos = getmark_buf(rex.reg_buf, mark, FALSE);
|
||||
+
|
||||
+ // Line may have been freed, get it again.
|
||||
+ if (REG_MULTI)
|
||||
+ {
|
||||
+ rex.line = reg_getline(rex.lnum);
|
||||
+ rex.input = rex.line + col;
|
||||
+ }
|
||||
+
|
||||
if (pos == NULL // mark doesn't exist
|
||||
|| pos->lnum <= 0 // mark isn't set in reg_buf
|
||||
|| (pos->lnum == rex.lnum + rex.reg_firstlnum
|
||||
diff -up vim82/src/testdir/test_regexp_latin.vim.cve1154 vim82/src/testdir/test_regexp_latin.vim
|
||||
--- vim82/src/testdir/test_regexp_latin.vim.cve1154 2022-04-25 15:22:28.368621752 +0200
|
||||
+++ vim82/src/testdir/test_regexp_latin.vim 2022-04-25 15:26:57.515227712 +0200
|
||||
@@ -954,4 +954,19 @@ func Test_using_visual_position()
|
||||
bwipe!
|
||||
endfunc
|
||||
|
||||
+func Test_using_mark_position()
|
||||
+ " this was using freed memory
|
||||
+ " new engine
|
||||
+ new
|
||||
+ norm O0
|
||||
+ call assert_fails("s/\\%')", 'E486:')
|
||||
+ bwipe!
|
||||
+
|
||||
+ " old engine
|
||||
+ new
|
||||
+ norm O0
|
||||
+ call assert_fails("s/\\%#=1\\%')", 'E486:')
|
||||
+ bwipe!
|
||||
+endfunc
|
||||
+
|
||||
" vim: shiftwidth=2 sts=2 expandtab
|
@ -0,0 +1,51 @@
|
||||
diff -up vim82/src/errors.h.cve1420 vim82/src/errors.h
|
||||
--- vim82/src/errors.h.cve1420 2022-04-25 16:01:03.559985019 +0200
|
||||
+++ vim82/src/errors.h 2022-04-25 16:01:58.113332024 +0200
|
||||
@@ -383,3 +383,7 @@ EXTERN char e_cannot_use_default_values_
|
||||
INIT(= N_("E1172: Cannot use default values in a lambda"));
|
||||
EXTERN char e_resulting_text_too_long[]
|
||||
INIT(= N_("E1240: Resulting text too long"));
|
||||
+#ifdef FEAT_EVAL
|
||||
+EXTERN char e_string_or_function_required_for_arrow_parens_expr[]
|
||||
+ INIT(= N_("E1275: String or function required for ->(expr)"));
|
||||
+#endif
|
||||
diff -up vim82/src/eval.c.cve1420 vim82/src/eval.c
|
||||
--- vim82/src/eval.c.cve1420 2022-04-25 16:01:03.560985007 +0200
|
||||
+++ vim82/src/eval.c 2022-04-25 16:14:11.746600369 +0200
|
||||
@@ -3718,13 +3718,20 @@ eval_lambda(
|
||||
if (**arg != ')')
|
||||
{
|
||||
emsg(_(e_missing_close));
|
||||
- ret = FAIL;
|
||||
+ return FAIL;
|
||||
+ }
|
||||
+ if (rettv->v_type != VAR_STRING && rettv->v_type != VAR_FUNC
|
||||
+ && rettv->v_type != VAR_PARTIAL)
|
||||
+ {
|
||||
+ emsg(_(e_string_or_function_required_for_arrow_parens_expr));
|
||||
+ return FAIL;
|
||||
}
|
||||
++*arg;
|
||||
}
|
||||
if (ret != OK)
|
||||
return FAIL;
|
||||
- else if (**arg != '(')
|
||||
+
|
||||
+ if (**arg != '(')
|
||||
{
|
||||
if (verbose)
|
||||
{
|
||||
diff -up vim82/src/testdir/test_lambda.vim.cve1420 vim82/src/testdir/test_lambda.vim
|
||||
--- vim82/src/testdir/test_lambda.vim.cve1420 2022-04-25 16:01:03.560985007 +0200
|
||||
+++ vim82/src/testdir/test_lambda.vim 2022-04-25 16:17:01.694886566 +0200
|
||||
@@ -64,6 +64,10 @@ function Test_lambda_fails()
|
||||
call assert_fails('echo {a, a -> a + a}(1, 2)', 'E853:')
|
||||
call assert_fails('echo {a, b -> a + b)}(1, 2)', 'E451:')
|
||||
echo assert_fails('echo 10->{a -> a + 2}', 'E107:')
|
||||
+ call assert_fails('eval 0->(3)()', "E1275:")
|
||||
+ call assert_fails('eval 0->([3])()', "E1275:")
|
||||
+ call assert_fails('eval 0->({"a": 3})()', "E1275:")
|
||||
+ call assert_fails('eval 0->(xxx)()', "E121:")
|
||||
endfunc
|
||||
|
||||
func Test_not_lamda()
|
@ -0,0 +1,50 @@
|
||||
diff -up vim82/src/errors.h.cve1621 vim82/src/errors.h
|
||||
--- vim82/src/errors.h.cve1621 2022-05-24 13:36:23.883370040 +0200
|
||||
+++ vim82/src/errors.h 2022-05-24 13:36:47.665487703 +0200
|
||||
@@ -387,3 +387,7 @@ EXTERN char e_resulting_text_too_long[]
|
||||
EXTERN char e_string_or_function_required_for_arrow_parens_expr[]
|
||||
INIT(= N_("E1275: String or function required for ->(expr)"));
|
||||
#endif
|
||||
+#ifdef FEAT_SPELL
|
||||
+EXTERN char e_illegal_character_in_word[]
|
||||
+ INIT(= N_("E1280: Illegal character in word"));
|
||||
+#endif
|
||||
diff -up vim82/src/mbyte.c.cve1621 vim82/src/mbyte.c
|
||||
--- vim82/src/mbyte.c.cve1621 2021-03-22 10:02:42.000000000 +0100
|
||||
+++ vim82/src/mbyte.c 2022-05-24 13:36:23.884370045 +0200
|
||||
@@ -4181,7 +4181,7 @@ theend:
|
||||
convert_setup(&vimconv, NULL, NULL);
|
||||
}
|
||||
|
||||
-#if defined(FEAT_GUI_GTK) || defined(PROTO)
|
||||
+#if defined(FEAT_GUI_GTK) || defined(FEAT_SPELL) || defined(PROTO)
|
||||
/*
|
||||
* Return TRUE if string "s" is a valid utf-8 string.
|
||||
* When "end" is NULL stop at the first NUL.
|
||||
diff -up vim82/src/spellfile.c.cve1621 vim82/src/spellfile.c
|
||||
--- vim82/src/spellfile.c.cve1621 2021-03-22 10:02:42.000000000 +0100
|
||||
+++ vim82/src/spellfile.c 2022-05-24 13:36:23.885370049 +0200
|
||||
@@ -4391,6 +4391,10 @@ store_word(
|
||||
int res = OK;
|
||||
char_u *p;
|
||||
|
||||
+ // Avoid adding illegal bytes to the word tree.
|
||||
+ if (enc_utf8 && !utf_valid_string(word, NULL))
|
||||
+ return FAIL;
|
||||
+
|
||||
(void)spell_casefold(word, len, foldword, MAXWLEN);
|
||||
for (p = pfxlist; res == OK; ++p)
|
||||
{
|
||||
@@ -6191,6 +6195,12 @@ spell_add_word(
|
||||
int i;
|
||||
char_u *spf;
|
||||
|
||||
+ if (enc_utf8 && !utf_valid_string(word, NULL))
|
||||
+ {
|
||||
+ emsg(_(e_illegal_character_in_word));
|
||||
+ return;
|
||||
+ }
|
||||
+
|
||||
if (idx == 0) // use internal wordlist
|
||||
{
|
||||
if (int_wordlist == NULL)
|
@ -0,0 +1,33 @@
|
||||
From 53a70289c2712808e6d4e88927e03cac01b470dd Mon Sep 17 00:00:00 2001
|
||||
From: Bram Moolenaar <Bram@vim.org>
|
||||
Date: Mon, 9 May 2022 13:15:07 +0100
|
||||
Subject: [PATCH] patch 8.2.4925: trailing backslash may cause reading past end
|
||||
of line
|
||||
|
||||
Problem: Trailing backslash may cause reading past end of line.
|
||||
Solution: Check for NUL after backslash.
|
||||
---
|
||||
src/testdir/test_textobjects.vim | 10 +++++++++-
|
||||
src/textobject.c | 4 ++++
|
||||
src/version.c | 2 ++
|
||||
3 files changed, 15 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/textobject.c b/src/textobject.c
|
||||
index e4a7db38e..edaa64c51 100644
|
||||
--- a/src/textobject.c
|
||||
+++ b/src/textobject.c
|
||||
@@ -1664,7 +1664,11 @@ find_next_quote(
|
||||
if (c == NUL)
|
||||
return -1;
|
||||
else if (escape != NULL && vim_strchr(escape, c))
|
||||
+ {
|
||||
++col;
|
||||
+ if (line[col] == NUL)
|
||||
+ return -1;
|
||||
+ }
|
||||
else if (c == quotechar)
|
||||
break;
|
||||
if (has_mbyte)
|
||||
--
|
||||
2.36.1
|
||||
|
@ -0,0 +1,59 @@
|
||||
diff -up vim82/src/ex_cmds.c.cve1785 vim82/src/ex_cmds.c
|
||||
--- vim82/src/ex_cmds.c.cve1785 2022-06-10 10:26:16.883312704 +0200
|
||||
+++ vim82/src/ex_cmds.c 2022-06-10 10:26:16.910312568 +0200
|
||||
@@ -4356,12 +4356,17 @@ ex_substitute(exarg_T *eap)
|
||||
// Save flags for recursion. They can change for e.g.
|
||||
// :s/^/\=execute("s#^##gn")
|
||||
subflags_save = subflags;
|
||||
+
|
||||
+ // Disallow changing text or switching window in an expression.
|
||||
+ ++textwinlock;
|
||||
#endif
|
||||
// get length of substitution part
|
||||
sublen = vim_regsub_multi(®match,
|
||||
sub_firstlnum - regmatch.startpos[0].lnum,
|
||||
sub, sub_firstline, FALSE, magic_isset(), TRUE);
|
||||
#ifdef FEAT_EVAL
|
||||
+ --textwinlock;
|
||||
+
|
||||
// If getting the substitute string caused an error, don't do
|
||||
// the replacement.
|
||||
// Don't keep flags set by a recursive call.
|
||||
@@ -4462,9 +4467,15 @@ ex_substitute(exarg_T *eap)
|
||||
mch_memmove(new_end, sub_firstline + copycol, (size_t)copy_len);
|
||||
new_end += copy_len;
|
||||
|
||||
+#ifdef FEAT_EVAL
|
||||
+ ++textwinlock;
|
||||
+#endif
|
||||
(void)vim_regsub_multi(®match,
|
||||
sub_firstlnum - regmatch.startpos[0].lnum,
|
||||
sub, new_end, TRUE, magic_isset(), TRUE);
|
||||
+#ifdef FEAT_EVAL
|
||||
+ --textwinlock;
|
||||
+#endif
|
||||
sub_nsubs++;
|
||||
did_sub = TRUE;
|
||||
|
||||
diff -up vim82/src/testdir/test_substitute.vim.cve1785 vim82/src/testdir/test_substitute.vim
|
||||
--- vim82/src/testdir/test_substitute.vim.cve1785 2022-06-10 10:26:16.910312568 +0200
|
||||
+++ vim82/src/testdir/test_substitute.vim 2022-06-10 10:27:02.166084629 +0200
|
||||
@@ -942,5 +942,18 @@ func Test_using_old_sub()
|
||||
set nocompatible
|
||||
endfunc
|
||||
|
||||
+" This was switching windows in between computing the length and using it.
|
||||
+func Test_sub_change_window()
|
||||
+ silent! lfile
|
||||
+ sil! norm o0000000000000000000000000000000000000000000000000000
|
||||
+ func Repl()
|
||||
+ lopen
|
||||
+ endfunc
|
||||
+ silent! s/\%')/\=Repl()
|
||||
+ bwipe!
|
||||
+ bwipe!
|
||||
+ delfunc Repl
|
||||
+endfunc
|
||||
+
|
||||
|
||||
" vim: shiftwidth=2 sts=2 expandtab
|
@ -0,0 +1,121 @@
|
||||
diff -up vim82/src/normal.c.cve1897 vim82/src/normal.c
|
||||
--- vim82/src/normal.c.cve1897 2022-06-13 09:31:42.880768567 +0200
|
||||
+++ vim82/src/normal.c 2022-06-13 09:35:38.560084927 +0200
|
||||
@@ -479,6 +479,22 @@ find_command(int cmdchar)
|
||||
}
|
||||
|
||||
/*
|
||||
+ * If currently editing a cmdline or text is locked: beep and give an error
|
||||
+ * message, return TRUE.
|
||||
+ */
|
||||
+ static int
|
||||
+check_text_locked(oparg_T *oap)
|
||||
+{
|
||||
+ if (text_locked())
|
||||
+ {
|
||||
+ clearopbeep(oap);
|
||||
+ text_locked_msg();
|
||||
+ return TRUE;
|
||||
+ }
|
||||
+ return FALSE;
|
||||
+}
|
||||
+
|
||||
+/*
|
||||
* Execute a command in Normal mode.
|
||||
*/
|
||||
void
|
||||
@@ -742,14 +758,9 @@ getcount:
|
||||
goto normal_end;
|
||||
}
|
||||
|
||||
- if (text_locked() && (nv_cmds[idx].cmd_flags & NV_NCW))
|
||||
- {
|
||||
- // This command is not allowed while editing a cmdline: beep.
|
||||
- clearopbeep(oap);
|
||||
- text_locked_msg();
|
||||
- goto normal_end;
|
||||
- }
|
||||
- if ((nv_cmds[idx].cmd_flags & NV_NCW) && curbuf_locked())
|
||||
+ if ((nv_cmds[idx].cmd_flags & NV_NCW)
|
||||
+ && (check_text_locked(oap) || curbuf_locked()))
|
||||
+ // this command is not allowed now
|
||||
goto normal_end;
|
||||
|
||||
/*
|
||||
@@ -4212,12 +4223,8 @@ nv_gotofile(cmdarg_T *cap)
|
||||
char_u *ptr;
|
||||
linenr_T lnum = -1;
|
||||
|
||||
- if (text_locked())
|
||||
- {
|
||||
- clearopbeep(cap->oap);
|
||||
- text_locked_msg();
|
||||
+ if (check_text_locked(cap->oap))
|
||||
return;
|
||||
- }
|
||||
if (curbuf_locked())
|
||||
{
|
||||
clearop(cap->oap);
|
||||
@@ -6343,14 +6350,7 @@ nv_g_cmd(cmdarg_T *cap)
|
||||
|
||||
// "gQ": improved Ex mode
|
||||
case 'Q':
|
||||
- if (text_locked())
|
||||
- {
|
||||
- clearopbeep(cap->oap);
|
||||
- text_locked_msg();
|
||||
- break;
|
||||
- }
|
||||
-
|
||||
- if (!checkclearopq(oap))
|
||||
+ if (!check_text_locked(cap->oap) && !checkclearopq(oap))
|
||||
do_exmode(TRUE);
|
||||
break;
|
||||
|
||||
diff -up vim82/src/testdir/test_substitute.vim.cve1897 vim82/src/testdir/test_substitute.vim
|
||||
--- vim82/src/testdir/test_substitute.vim.cve1897 2022-06-13 09:31:42.938768884 +0200
|
||||
+++ vim82/src/testdir/test_substitute.vim 2022-06-13 09:36:39.013406036 +0200
|
||||
@@ -955,5 +955,27 @@ func Test_sub_change_window()
|
||||
delfunc Repl
|
||||
endfunc
|
||||
|
||||
+" This was undoign a change in between computing the length and using it.
|
||||
+func Do_Test_sub_undo_change()
|
||||
+ new
|
||||
+ norm o0000000000000000000000000000000000000000000000000000
|
||||
+ silent! s/\%')/\=Repl()
|
||||
+ bwipe!
|
||||
+endfunc
|
||||
+
|
||||
+func Test_sub_undo_change()
|
||||
+ func Repl()
|
||||
+ silent! norm g-
|
||||
+ endfunc
|
||||
+ call Do_Test_sub_undo_change()
|
||||
+
|
||||
+ func! Repl()
|
||||
+ silent earlier
|
||||
+ endfunc
|
||||
+ call Do_Test_sub_undo_change()
|
||||
+
|
||||
+ delfunc Repl
|
||||
+endfunc
|
||||
+
|
||||
|
||||
" vim: shiftwidth=2 sts=2 expandtab
|
||||
diff -up vim82/src/undo.c.cve1897 vim82/src/undo.c
|
||||
--- vim82/src/undo.c.cve1897 2022-06-13 09:31:42.904768698 +0200
|
||||
+++ vim82/src/undo.c 2022-06-13 09:31:42.938768884 +0200
|
||||
@@ -2323,6 +2323,12 @@ undo_time(
|
||||
int above = FALSE;
|
||||
int did_undo = TRUE;
|
||||
|
||||
+ if (text_locked())
|
||||
+ {
|
||||
+ text_locked_msg();
|
||||
+ return;
|
||||
+ }
|
||||
+
|
||||
// First make sure the current undoable change is synced.
|
||||
if (curbuf->b_u_synced == FALSE)
|
||||
u_sync(TRUE);
|
@ -0,0 +1,106 @@
|
||||
diff -up vim82/src/ex_docmd.c.cve1927 vim82/src/ex_docmd.c
|
||||
--- vim82/src/ex_docmd.c.cve1927 2021-03-22 10:02:42.000000000 +0100
|
||||
+++ vim82/src/ex_docmd.c 2022-06-13 15:29:45.099472751 +0200
|
||||
@@ -3081,6 +3081,8 @@ parse_cmd_address(exarg_T *eap, char **e
|
||||
{
|
||||
int address_count = 1;
|
||||
linenr_T lnum;
|
||||
+ int need_check_cursor = FALSE;
|
||||
+ int ret = FAIL;
|
||||
|
||||
// Repeat for all ',' or ';' separated addresses.
|
||||
for (;;)
|
||||
@@ -3091,7 +3093,7 @@ parse_cmd_address(exarg_T *eap, char **e
|
||||
lnum = get_address(eap, &eap->cmd, eap->addr_type, eap->skip, silent,
|
||||
eap->addr_count == 0, address_count++);
|
||||
if (eap->cmd == NULL) // error detected
|
||||
- return FAIL;
|
||||
+ goto theend;
|
||||
if (lnum == MAXLNUM)
|
||||
{
|
||||
if (*eap->cmd == '%') // '%' - all lines
|
||||
@@ -3136,14 +3138,14 @@ parse_cmd_address(exarg_T *eap, char **e
|
||||
// there is no Vim command which uses '%' and
|
||||
// ADDR_WINDOWS or ADDR_TABS
|
||||
*errormsg = _(e_invrange);
|
||||
- return FAIL;
|
||||
+ goto theend;
|
||||
}
|
||||
break;
|
||||
case ADDR_TABS_RELATIVE:
|
||||
case ADDR_UNSIGNED:
|
||||
case ADDR_QUICKFIX:
|
||||
*errormsg = _(e_invrange);
|
||||
- return FAIL;
|
||||
+ goto theend;
|
||||
case ADDR_ARGUMENTS:
|
||||
if (ARGCOUNT == 0)
|
||||
eap->line1 = eap->line2 = 0;
|
||||
@@ -3175,7 +3177,7 @@ parse_cmd_address(exarg_T *eap, char **e
|
||||
if (eap->addr_type != ADDR_LINES)
|
||||
{
|
||||
*errormsg = _(e_invrange);
|
||||
- return FAIL;
|
||||
+ goto theend;
|
||||
}
|
||||
|
||||
++eap->cmd;
|
||||
@@ -3183,11 +3185,11 @@ parse_cmd_address(exarg_T *eap, char **e
|
||||
{
|
||||
fp = getmark('<', FALSE);
|
||||
if (check_mark(fp) == FAIL)
|
||||
- return FAIL;
|
||||
+ goto theend;
|
||||
eap->line1 = fp->lnum;
|
||||
fp = getmark('>', FALSE);
|
||||
if (check_mark(fp) == FAIL)
|
||||
- return FAIL;
|
||||
+ goto theend;
|
||||
eap->line2 = fp->lnum;
|
||||
++eap->addr_count;
|
||||
}
|
||||
@@ -3202,10 +3204,13 @@ parse_cmd_address(exarg_T *eap, char **e
|
||||
if (!eap->skip)
|
||||
{
|
||||
curwin->w_cursor.lnum = eap->line2;
|
||||
+
|
||||
// Don't leave the cursor on an illegal line or column, but do
|
||||
// accept zero as address, so 0;/PATTERN/ works correctly.
|
||||
+ // Check the cursor position before returning.
|
||||
if (eap->line2 > 0)
|
||||
check_cursor();
|
||||
+ need_check_cursor = TRUE;
|
||||
}
|
||||
}
|
||||
else if (*eap->cmd != ',')
|
||||
@@ -3221,7 +3226,12 @@ parse_cmd_address(exarg_T *eap, char **e
|
||||
if (lnum == MAXLNUM)
|
||||
eap->addr_count = 0;
|
||||
}
|
||||
- return OK;
|
||||
+ ret = OK;
|
||||
+
|
||||
+theend:
|
||||
+ if (need_check_cursor)
|
||||
+ check_cursor();
|
||||
+ return ret;
|
||||
}
|
||||
|
||||
/*
|
||||
diff -up vim82/src/testdir/test_excmd.vim.cve1927 vim82/src/testdir/test_excmd.vim
|
||||
--- vim82/src/testdir/test_excmd.vim.cve1927 2022-06-13 15:26:53.941517542 +0200
|
||||
+++ vim82/src/testdir/test_excmd.vim 2022-06-13 15:30:53.972860361 +0200
|
||||
@@ -536,4 +536,13 @@ func Test_sandbox()
|
||||
sandbox call Sandbox_tests()
|
||||
endfunc
|
||||
|
||||
+" This was leaving the cursor in line zero
|
||||
+func Test_using_zero_in_range()
|
||||
+ new
|
||||
+ norm o00
|
||||
+ silent! 0;s/\%')
|
||||
+ bwipe!
|
||||
+endfunc
|
||||
+
|
||||
+
|
||||
" vim: shiftwidth=2 sts=2 expandtab
|
@ -27,7 +27,7 @@ Summary: The VIM editor
|
||||
URL: http://www.vim.org/
|
||||
Name: vim
|
||||
Version: %{baseversion}.%{patchlevel}
|
||||
Release: 15%{?dist}
|
||||
Release: 16%{?dist}.3
|
||||
License: Vim and MIT
|
||||
Source0: ftp://ftp.vim.org/pub/vim/unix/vim-%{baseversion}-%{patchlevel}.tar.bz2
|
||||
Source1: virc
|
||||
@ -116,6 +116,24 @@ Patch3041: 0001-patch-8.2.4359-crash-when-repeatedly-using-retab.patch
|
||||
Patch3042: 0001-patch-8.2.4397-crash-when-using-many-composing-chara.patch
|
||||
# CVE-2022-0714 vim: buffer overflow [rhel-9]
|
||||
Patch3043: 0001-patch-8.2.4436-crash-with-weird-vartabstop-value.patch
|
||||
# CVE-2022-0554 vim: Use of Out-of-range Pointer Offset in vim prior
|
||||
Patch3044: 0001-patch-8.2.4327-may-end-up-with-no-current-buffer.patch
|
||||
# CVE-2022-0943 vim: Heap-based Buffer Overflow occurs in vim
|
||||
Patch3045: 0001-patch-8.2.4563-z-in-Visual-mode-may-go-beyond-the-en.patch
|
||||
# CVE-2022-1154 vim: use after free in utf_ptr2char
|
||||
Patch3046: 0001-patch-8.2.4646-using-buffer-line-after-it-has-been-f.patch
|
||||
# CVE-2022-1420 vim: Out-of-range Pointer Offset
|
||||
Patch3047: 0001-patch-8.2.4774-crash-when-using-a-number-for-lambda-.patch
|
||||
# CVE-2022-1621 vim: heap buffer overflow
|
||||
Patch3048: 0001-patch-8.2.4919-can-add-invalid-bytes-with-spellgood.patch
|
||||
# CVE-2022-1629 vim: buffer over-read
|
||||
Patch3049: 0001-patch-8.2.4925-trailing-backslash-may-cause-reading-.patch
|
||||
# CVE-2022-1785 vim: Out-of-bounds Write
|
||||
Patch3050: 0001-patch-8.2.4977-memory-access-error-when-substitute-e.patch
|
||||
# CVE-2022-1897 vim: out-of-bounds write in vim_regsub_both() in regexp.c
|
||||
Patch3051: 0001-patch-8.2.5023-substitute-overwrites-allocated-buffe.patch
|
||||
# CVE-2022-1927 vim: buffer over-read in utf_ptr2char() in mbyte.c
|
||||
Patch3052: 0001-patch-8.2.5037-cursor-position-may-be-invalid-after-.patch
|
||||
|
||||
# gcc is no longer in buildroot by default
|
||||
BuildRequires: gcc
|
||||
@ -346,6 +364,15 @@ perl -pi -e "s,bin/nawk,bin/awk,g" runtime/tools/mve.awk
|
||||
%patch3041 -p1 -b .cve0572
|
||||
%patch3042 -p1 -b .cve0629
|
||||
%patch3043 -p1 -b .cve0714
|
||||
%patch3044 -p1 -b .cve0554
|
||||
%patch3045 -p1 -b .cve0943
|
||||
%patch3046 -p1 -b .cve1154
|
||||
%patch3047 -p1 -b .cve1420
|
||||
%patch3048 -p1 -b .cve1621
|
||||
%patch3049 -p1 -b .cve1629
|
||||
%patch3050 -p1 -b .cve1785
|
||||
%patch3051 -p1 -b .cve1897
|
||||
%patch3052 -p1 -b .cve1927
|
||||
|
||||
%build
|
||||
cd src
|
||||
@ -903,6 +930,21 @@ touch %{buildroot}/%{_datadir}/%{name}/vimfiles/doc/tags
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Mon Jun 13 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.2.2637-16.3
|
||||
- CVE-2022-1785 vim: Out-of-bounds Write
|
||||
- CVE-2022-1897 vim: out-of-bounds write in vim_regsub_both() in regexp.c
|
||||
- CVE-2022-1927 vim: buffer over-read in utf_ptr2char() in mbyte.c
|
||||
|
||||
* Wed May 25 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.2.2637-16.2
|
||||
- CVE-2022-1621 vim: heap buffer overflow
|
||||
- CVE-2022-1629 vim: buffer over-read
|
||||
|
||||
* Mon Apr 25 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.2.2637-16.1
|
||||
- CVE-2022-0554 vim: Use of Out-of-range Pointer Offset in vim prior
|
||||
- CVE-2022-0943 vim: Heap-based Buffer Overflow occurs in vim
|
||||
- CVE-2022-1154 vim: use after free in utf_ptr2char
|
||||
- CVE-2022-1420 vim: Out-of-range Pointer Offset
|
||||
|
||||
* Thu Feb 24 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.2.2637-15
|
||||
- CVE-2022-0714 vim: buffer overflow [rhel-9]
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user