blob: d62d875f8e40839a2835ef089a1977454f6a525b (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
|
From 40aa9802ef56d3cdbe256b4c9e58049953051a2d Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Mon, 15 Nov 2021 14:34:50 +0800
Subject: [PATCH] patch 8.2.3489: ml_get error after search with range
Problem: ml_get error after search with range.
Solution: Limit the line number to the buffer line count.
CVE: CVE-2021-3875
Upstream-Status: Backport [https://github.com/vim/vim/commit/35a319b77f897744eec1155b736e9372c9c5575f]
Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
---
src/ex_docmd.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/src/ex_docmd.c b/src/ex_docmd.c
index fb07450f8..89d33ba90 100644
--- a/src/ex_docmd.c
+++ b/src/ex_docmd.c
@@ -3586,8 +3586,10 @@ get_address(
// When '/' or '?' follows another address, start from
// there.
- if (lnum != MAXLNUM)
- curwin->w_cursor.lnum = lnum;
+ if (lnum > 0 && lnum != MAXLNUM)
+ curwin->w_cursor.lnum =
+ lnum > curbuf->b_ml.ml_line_count
+ ? curbuf->b_ml.ml_line_count : lnum;
// Start a forward search at the end of the line (unless
// before the first line).
--
2.17.1
|
