杨超豪/vim

forked from src-openEuler/vim 
backport-CVE-2022-3352.patch 2.36 KB
albatross committed on 2022-10-12 11:12 . fix CVE-2022-3352
From ef976323e770315b5fca544efb6b2faa25674d15 Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Wed, 28 Sep 2022 11:48:30 +0100
Subject: [PATCH] patch 9.0.0614: SpellFileMissing autocmd may delete buffer
Problem: SpellFileMissing autocmd may delete buffer.
Solution: Disallow deleting the current buffer to avoid using freed memory.
---
src/buffer.c | 7 ++++++-
src/spell.c | 6 ++++++
src/testdir/test_autocmd.vim | 10 ++++++++++
3 files changed, 22 insertions(+), 1 deletion(-)
diff --git a/src/buffer.c b/src/buffer.c
index e775398..a85b2a8 100644
--- a/src/buffer.c
+++ b/src/buffer.c
@@ -461,7 +461,12 @@ can_unload_buffer(buf_T *buf)
}
}
if (!can_unload)
- semsg(_(e_attempt_to_delete_buffer_that_is_in_use_str), buf->b_fname);
+ {
+ char_u *fname = buf->b_fname != NULL ? buf->b_fname : buf->b_ffname;
+
+ semsg(_(e_attempt_to_delete_buffer_that_is_in_use_str),
+ fname != NULL ? fname : (char_u *)"[No Name]");
+ }
return can_unload;
}
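Review bot: the fallback literal "[No Name]" in the new semsg() call is passed untranslated while the format string goes through _(), so a localized error message would carry an English placeholder; consider wrapping the literal in _() too. A one-line comment above the fname declaration, saying that b_fname can be NULL and b_ffname is tried next, would also explain why the two-step fallback is needed.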
diff --git a/src/spell.c b/src/spell.c
index 24abce4..3664425 100644
--- a/src/spell.c
+++ b/src/spell.c
@@ -1559,6 +1559,10 @@ spell_load_lang(char_u *lang)
sl.sl_slang = NULL;
sl.sl_nobreak = FALSE;
+ // Disallow deleting the current buffer. Autocommands can do weird things
+ // and cause "lang" to be freed.
+ ++curbuf->b_locked;
+
// We may retry when no spell file is found for the language, an
// autocommand may load it then.
for (round = 1; round <= 2; ++round)
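Review bot: the new comment above ++curbuf->b_locked links deleting the current buffer to "lang" being freed, but does not say how "lang" depends on that buffer, so a later reader cannot tell whether locking curbuf is sufficient or merely convenient. Suggest extending the comment with one clause naming where the string passed as "lang" lives and why the buffer lock keeps it valid for both rounds of the loop below.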
@@ -1612,6 +1616,8 @@ spell_load_lang(char_u *lang)
STRCPY(fname_enc + STRLEN(fname_enc) - 3, "add.spl");
do_in_runtimepath(fname_enc, DIP_ALL, spell_load_cb, &sl);
}
+
+ --curbuf->b_locked;
}
/*
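Review bot: the decrement at the end of spell_load_lang() dereferences curbuf again instead of the buffer that was incremented at the top, and nothing in the visible lines guarantees curbuf is still the same buffer after the autocommand has run. If it is not, one buffer stays locked and another has its count lowered. Suggest saving the pointer once before the increment (for example buf_T *buf = curbuf;) and using it for both ++ and --. It is also worth confirming that no return statement sits between the two points, since the unlock exists only on this final path.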
diff --git a/src/testdir/test_autocmd.vim b/src/testdir/test_autocmd.vim
index e9a59c2..bc74c29 100644
--- a/src/testdir/test_autocmd.vim
+++ b/src/testdir/test_autocmd.vim
@@ -2750,6 +2750,16 @@ func Test_FileType_spell()
setglobal spellfile=
endfunc
+" this was wiping out the current buffer and using freed memory
+func Test_SpellFileMissing_bwipe()
+ next 0
+ au SpellFileMissing 0 bwipe
+ call assert_fails('set spell spelllang=0', 'E937:')
+
+ au! SpellFileMissing
+ bwipe
+endfunc
+
" Test closing a window or editing another buffer from a FileChangedRO handler
" in a readonly buffer
func Test_FileChangedRO_winclose()
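Review bot: Test_SpellFileMissing_bwipe() asserts only that the set command fails with E937, so it would still pass if the buffer were damaged but the error happened to be raised. Suggest adding an assertion after the assert_fails() line that the buffer created by "next 0" is still the current one (for example by comparing bufname('') with '0') before the cleanup. A short comment explaining that "0" serves both as the file name and as the spelllang value matched by the autocommand pattern would make the setup easier to follow.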
--
2.27.0