jkunstle / rpms / vim

Forked from rpms/vim 3 years ago
Clone

Blame SOURCES/vim-7.4-CVE-2016-1248.patch

3ef2ca
diff -urN vim74_orig/src/option.c vim74/src/option.c
3ef2ca
--- vim74_orig/src/option.c	2016-12-12 12:18:52.614342651 +0100
3ef2ca
+++ vim74/src/option.c	2016-12-12 12:34:08.192983990 +0100
3ef2ca
@@ -5663,6 +5663,21 @@
3ef2ca
     return r;
3ef2ca
 }
3ef2ca
 
3ef2ca
+ /*
3ef2ca
+ * Return TRUE if "val" is a valid 'filetype' name.
3ef2ca
+ * Also used for 'syntax' and 'keymap'.
3ef2ca
+ */
3ef2ca
+    static int
3ef2ca
+valid_filetype(char_u *val)
3ef2ca
+{
3ef2ca
+    char_u *s;
3ef2ca
+
3ef2ca
+    for (s = val; *s != NUL; ++s)
3ef2ca
+   if (!ASCII_ISALNUM(*s) && vim_strchr((char_u *)".-_", *s) == NULL)
3ef2ca
+       return FALSE;
3ef2ca
+    return TRUE;
3ef2ca
+}
3ef2ca
+
3ef2ca
 /*
3ef2ca
  * Handle string options that need some action to perform when changed.
3ef2ca
  * Returns NULL for success, or an error message for an error.
3ef2ca
@@ -6054,8 +6069,11 @@
3ef2ca
 #ifdef FEAT_KEYMAP
3ef2ca
     else if (varp == &curbuf->b_p_keymap)
3ef2ca
     {
3ef2ca
-	/* load or unload key mapping tables */
3ef2ca
-	errmsg = keymap_init();
3ef2ca
+        if (!valid_filetype(*varp))
3ef2ca
+            errmsg = e_invarg;
3ef2ca
+        else
3ef2ca
+            /* load or unload key mapping tables */
3ef2ca
+            errmsg = keymap_init();	
3ef2ca
 
3ef2ca
 	if (errmsg == NULL)
3ef2ca
 	{
3ef2ca
@@ -7010,6 +7028,23 @@
3ef2ca
     }
3ef2ca
 #endif
3ef2ca
 
3ef2ca
+#ifdef FEAT_AUTOCMD
3ef2ca
+    else if (gvarp == &p_ft)
3ef2ca
+    {
3ef2ca
+   if (!valid_filetype(*varp))
3ef2ca
+       errmsg = e_invarg;
3ef2ca
+    }
3ef2ca
+#endif
3ef2ca
+
3ef2ca
+#ifdef FEAT_SYN_HL
3ef2ca
+    else if (gvarp == &p_syn)
3ef2ca
+    {
3ef2ca
+   if (!valid_filetype(*varp))
3ef2ca
+       errmsg = e_invarg;
3ef2ca
+    }
3ef2ca
+#endif
3ef2ca
+
3ef2ca
+
3ef2ca
     /* Options that are a list of flags. */
3ef2ca
     else
3ef2ca
     {