bac1f99e54
Resolves: CVE-2022-1897
122 lines
2.9 KiB
Diff
122 lines
2.9 KiB
Diff
diff -up vim82/src/normal.c.cve1897 vim82/src/normal.c
|
|
--- vim82/src/normal.c.cve1897 2022-06-13 09:31:42.880768567 +0200
|
|
+++ vim82/src/normal.c 2022-06-13 09:35:38.560084927 +0200
|
|
@@ -479,6 +479,22 @@ find_command(int cmdchar)
|
|
}
|
|
|
|
/*
|
|
+ * If currently editing a cmdline or text is locked: beep and give an error
|
|
+ * message, return TRUE.
|
|
+ */
|
|
+ static int
|
|
+check_text_locked(oparg_T *oap)
|
|
+{
|
|
+ if (text_locked())
|
|
+ {
|
|
+ clearopbeep(oap);
|
|
+ text_locked_msg();
|
|
+ return TRUE;
|
|
+ }
|
|
+ return FALSE;
|
|
+}
|
|
+
|
|
+/*
|
|
* Execute a command in Normal mode.
|
|
*/
|
|
void
|
|
@@ -742,14 +758,9 @@ getcount:
|
|
goto normal_end;
|
|
}
|
|
|
|
- if (text_locked() && (nv_cmds[idx].cmd_flags & NV_NCW))
|
|
- {
|
|
- // This command is not allowed while editing a cmdline: beep.
|
|
- clearopbeep(oap);
|
|
- text_locked_msg();
|
|
- goto normal_end;
|
|
- }
|
|
- if ((nv_cmds[idx].cmd_flags & NV_NCW) && curbuf_locked())
|
|
+ if ((nv_cmds[idx].cmd_flags & NV_NCW)
|
|
+ && (check_text_locked(oap) || curbuf_locked()))
|
|
+ // this command is not allowed now
|
|
goto normal_end;
|
|
|
|
/*
|
|
@@ -4212,12 +4223,8 @@ nv_gotofile(cmdarg_T *cap)
|
|
char_u *ptr;
|
|
linenr_T lnum = -1;
|
|
|
|
- if (text_locked())
|
|
- {
|
|
- clearopbeep(cap->oap);
|
|
- text_locked_msg();
|
|
+ if (check_text_locked(cap->oap))
|
|
return;
|
|
- }
|
|
if (curbuf_locked())
|
|
{
|
|
clearop(cap->oap);
|
|
@@ -6343,14 +6350,7 @@ nv_g_cmd(cmdarg_T *cap)
|
|
|
|
// "gQ": improved Ex mode
|
|
case 'Q':
|
|
- if (text_locked())
|
|
- {
|
|
- clearopbeep(cap->oap);
|
|
- text_locked_msg();
|
|
- break;
|
|
- }
|
|
-
|
|
- if (!checkclearopq(oap))
|
|
+ if (!check_text_locked(cap->oap) && !checkclearopq(oap))
|
|
do_exmode(TRUE);
|
|
break;
|
|
|
|
diff -up vim82/src/testdir/test_substitute.vim.cve1897 vim82/src/testdir/test_substitute.vim
|
|
--- vim82/src/testdir/test_substitute.vim.cve1897 2022-06-13 09:31:42.938768884 +0200
|
|
+++ vim82/src/testdir/test_substitute.vim 2022-06-13 09:36:39.013406036 +0200
|
|
@@ -955,5 +955,27 @@ func Test_sub_change_window()
|
|
delfunc Repl
|
|
endfunc
|
|
|
|
+" This was undoign a change in between computing the length and using it.
|
|
+func Do_Test_sub_undo_change()
|
|
+ new
|
|
+ norm o0000000000000000000000000000000000000000000000000000
|
|
+ silent! s/\%')/\=Repl()
|
|
+ bwipe!
|
|
+endfunc
|
|
+
|
|
+func Test_sub_undo_change()
|
|
+ func Repl()
|
|
+ silent! norm g-
|
|
+ endfunc
|
|
+ call Do_Test_sub_undo_change()
|
|
+
|
|
+ func! Repl()
|
|
+ silent earlier
|
|
+ endfunc
|
|
+ call Do_Test_sub_undo_change()
|
|
+
|
|
+ delfunc Repl
|
|
+endfunc
|
|
+
|
|
|
|
" vim: shiftwidth=2 sts=2 expandtab
|
|
diff -up vim82/src/undo.c.cve1897 vim82/src/undo.c
|
|
--- vim82/src/undo.c.cve1897 2022-06-13 09:31:42.904768698 +0200
|
|
+++ vim82/src/undo.c 2022-06-13 09:31:42.938768884 +0200
|
|
@@ -2323,6 +2323,12 @@ undo_time(
|
|
int above = FALSE;
|
|
int did_undo = TRUE;
|
|
|
|
+ if (text_locked())
|
|
+ {
|
|
+ text_locked_msg();
|
|
+ return;
|
|
+ }
|
|
+
|
|
// First make sure the current undoable change is synced.
|
|
if (curbuf->b_u_synced == FALSE)
|
|
u_sync(TRUE);
|