Miroirs/slackware-current
1
0
Fork 0
mirror of git://slackware.nl/current.git synced 2025-01-16 15:41:42 +01:00
Code Issues Projects Releases Packages Wiki Activity
slackware-current/patches/source/vim/CVE-2022-2817.patch
Patrick J Volkerding 821b8a94bf Wed Aug 17 20:41:53 UTC 2022 
patches/packages/vim-8.2.4649-x86_64-2_slack15.0.txz:  Rebuilt.
  Fix use after free, out-of-bounds read, and heap based buffer overflow.
  Thanks to marav for the heads-up.
  For more information, see:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2816
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2817
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2819
  (* Security fix *)
patches/packages/vim-gvim-8.2.4649-x86_64-2_slack15.0.txz:  Rebuilt.
2022-08-18 13:30:02 +02:00

69 lines
2.3 KiB
Diff
Raw Blame History

From 249e1b903a9c0460d618f6dcc59aeb8c03b24b20 Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Sun, 14 Aug 2022 22:23:02 +0100
Subject: [PATCH] patch 9.0.0213: using freed memory with error in assert
argument
Problem: Using freed memory with error in assert argument.
Solution: Make a copy of the error.
---
diff --git a/src/testdir/test_assert.vim b/src/testdir/test_assert.vim
index 27b2d73fbfc8..7c9d090b39df 100644
--- a/src/testdir/test_assert.vim
+++ b/src/testdir/test_assert.vim
@@ -291,6 +291,10 @@ func Test_assert_fail_fails()
let exp = v:exception
endtry
call assert_match("E1174: String required for argument 5", exp)
+
+ call assert_equal(1, assert_fails('c0', ['', '\1']))
+ call assert_match("Expected '\\\\\\\\1' but got 'E939: Positive count required: c0': c0", v:errors[0])
+ call remove(v:errors, 0)
endfunc
func Test_assert_fails_in_try_block()
diff --git a/src/testing.c b/src/testing.c
index f2355f5dac13..21eb9c18e6e2 100644
--- a/src/testing.c
+++ b/src/testing.c
@@ -597,6 +597,7 @@ f_assert_fails(typval_T *argvars, typval_T *rettv)
int save_trylevel = trylevel;
int called_emsg_before = called_emsg;
char *wrong_arg_msg = NULL;
+ char_u *tofree = NULL;
if (check_for_string_or_number_arg(argvars, 0) == FAIL
|| check_for_opt_string_or_list_arg(argvars, 1) == FAIL
@@ -660,13 +661,17 @@ f_assert_fails(typval_T *argvars, typval_T *rettv)
}
else if (list->lv_len == 2)
{
- tv = &list->lv_u.mat.lv_last->li_tv;
- actual = get_vim_var_str(VV_ERRMSG);
- expected = tv_get_string_buf_chk(tv, buf);
- if (!pattern_match(expected, actual, FALSE))
+ // make a copy, an error in pattern_match() may free it
+ tofree = actual = vim_strsave(get_vim_var_str(VV_ERRMSG));
+ if (actual != NULL)
{
- error_found = TRUE;
- expected_str = expected;
+ tv = &list->lv_u.mat.lv_last->li_tv;
+ expected = tv_get_string_buf_chk(tv, buf);
+ if (!pattern_match(expected, actual, FALSE))
+ {
+ error_found = TRUE;
+ expected_str = expected;
+ }
}
}
}
@@ -749,6 +754,7 @@ f_assert_fails(typval_T *argvars, typval_T *rettv)
msg_scrolled = 0;
lines_left = Rows;
VIM_CLEAR(emsg_assert_fails_msg);
+ vim_free(tofree);
set_vim_var_string(VV_ERRMSG, NULL, 0);
if (wrong_arg_msg != NULL)
emsg(_(wrong_arg_msg));
Reference in a new issue View git blame Copy permalink