vim-patch:8.2.4969: changing text in Visual mode may cause invalid memory access

Problem: Changing text in Visual mode may cause invalid memory access. Solution: Check the Visual position after making a change. 7ce5b2b590
2024-12-31 17:13:26 -07:00 · 2022-05-17 08:10:34 +08:00 · 2022-05-17 08:10:34 +08:00 · 527e861cbb
commit 527e861cbb
parent 26c906f54d
4 changed files with 34 additions and 7 deletions
--- a/src/nvim/change.c
+++ b/src/nvim/change.c
@ -209,6 +209,10 @@ static void changed_common(linenr_T lnum, colnr_T col, linenr_T lnume, long xtra
    curwin->w_changelistidx = curbuf->b_changelistlen;
  }

+  if (VIsual_active) {
+    check_visual_pos();
+  }
+
  FOR_ALL_TAB_WINDOWS(tp, wp) {
    if (wp->w_buffer == curbuf) {
      // Mark this window to be redrawn later.
--- a/src/nvim/cursor.c
+++ b/src/nvim/cursor.c
@ -399,6 +399,24 @@ void check_cursor(void)
  check_cursor_col();
 }

+/// Check if VIsual position is valid, correct it if not.
+/// Can be called when in Visual mode and a change has been made.
+void check_visual_pos(void)
+{
+  if (VIsual.lnum > curbuf->b_ml.ml_line_count) {
+    VIsual.lnum = curbuf->b_ml.ml_line_count;
+    VIsual.col = 0;
+    VIsual.coladd = 0;
+  } else {
+    int len = (int)STRLEN(ml_get(VIsual.lnum));
+
+    if (VIsual.col > len) {
+      VIsual.col = len;
+      VIsual.coladd = 0;
+    }
+  }
+}
+
 /// Make sure curwin->w_cursor is not on the NUL at the end of the line.
 /// Allow it when in Visual mode and 'selection' is not "old".
 void adjust_cursor_col(void)
--- a/src/nvim/edit.c
+++ b/src/nvim/edit.c
@ -6770,13 +6770,8 @@ static void stop_insert(pos_T *end_insert_pos, int esc, int nomove)

      // <C-S-Right> may have started Visual mode, adjust the position for
      // deleted characters.
-      if (VIsual_active && VIsual.lnum == curwin->w_cursor.lnum) {
-        int len = (int)STRLEN(get_cursor_line_ptr());
-
-        if (VIsual.col > len) {
-          VIsual.col = len;
-          VIsual.coladd = 0;
-        }
+      if (VIsual_active) {
+        check_visual_pos();
      }
    }
  }
--- a/src/nvim/testdir/test_visual.vim
+++ b/src/nvim/testdir/test_visual.vim
@ -1258,6 +1258,16 @@ func Test_visual_block_append_invalid_char()
  set isprint&
 endfunc

+func Test_visual_block_with_substitute()
+  " this was reading beyond the end of the line
+  new
+  norm a0)
+  sil! norm  O
+  s/)
+  sil! norm 
+  bwipe!
+endfunc
+
 func Test_visual_reselect_with_count()
  " this was causing an illegal memory access
  let lines =<< trim END