Blame SOURCES/0001-patch-8.2.4245-retab-0-may-cause-illegal-memory-acce.patch

13ea7f
diff -up vim82/src/indent.c.cve0417 vim82/src/indent.c
13ea7f
--- vim82/src/indent.c.cve0417	2022-02-09 10:01:34.250009316 +0100
13ea7f
+++ vim82/src/indent.c	2022-02-09 10:02:54.802588536 +0100
13ea7f
@@ -71,7 +71,7 @@ tabstop_set(char_u *var, int **array)
13ea7f
 	int n = atoi((char *)cp);
13ea7f
 
13ea7f
 	// Catch negative values, overflow and ridiculous big values.
13ea7f
-	if (n < 0 || n > 9999)
13ea7f
+	if (n < 0 || n > TABSTOP_MAX)
13ea7f
 	{
13ea7f
 	    semsg(_(e_invarg2), cp);
13ea7f
 	    vim_free(*array);
13ea7f
@@ -1595,7 +1595,7 @@ ex_retab(exarg_T *eap)
13ea7f
 	emsg(_(e_positive));
13ea7f
 	return;
13ea7f
     }
13ea7f
-    if (new_ts < 0 || new_ts > 9999)
13ea7f
+    if (new_ts < 0 || new_ts > TABSTOP_MAX)
13ea7f
     {
13ea7f
 	semsg(_(e_invarg2), eap->arg);
13ea7f
 	return;
13ea7f
diff -up vim82/src/option.c.cve0417 vim82/src/option.c
13ea7f
--- vim82/src/option.c.cve0417	2022-02-09 10:01:34.196009598 +0100
13ea7f
+++ vim82/src/option.c	2022-02-09 10:28:10.398548161 +0100
13ea7f
@@ -3640,6 +3640,11 @@ set_num_option(
13ea7f
 	errmsg = e_positive;
13ea7f
 	curbuf->b_p_ts = 8;
13ea7f
     }
13ea7f
+    else if (curbuf->b_p_ts > TABSTOP_MAX)
13ea7f
+    {
13ea7f
+	errmsg = e_invarg;
13ea7f
+	curbuf->b_p_ts = 8;
13ea7f
+    }
13ea7f
     if (p_tm < 0)
13ea7f
     {
13ea7f
 	errmsg = e_positive;
13ea7f
@@ -5830,7 +5835,7 @@ buf_copy_options(buf_T *buf, int flags)
13ea7f
 	    if (p_vsts && p_vsts != empty_option)
13ea7f
 		(void)tabstop_set(p_vsts, &buf->b_p_vsts_array);
13ea7f
 	    else
13ea7f
-		buf->b_p_vsts_array = 0;
13ea7f
+		buf->b_p_vsts_array = NULL;
13ea7f
 	    buf->b_p_vsts_nopaste = p_vsts_nopaste
13ea7f
 				 ? vim_strsave(p_vsts_nopaste) : NULL;
13ea7f
 #endif
13ea7f
@@ -6649,9 +6654,7 @@ paste_option_changed(void)
13ea7f
 	    if (buf->b_p_vsts)
13ea7f
 		free_string_option(buf->b_p_vsts);
13ea7f
 	    buf->b_p_vsts = empty_option;
13ea7f
-	    if (buf->b_p_vsts_array)
13ea7f
-		vim_free(buf->b_p_vsts_array);
13ea7f
-	    buf->b_p_vsts_array = 0;
13ea7f
+	    VIM_CLEAR(buf->b_p_vsts_array);
13ea7f
 #endif
13ea7f
 	}
13ea7f
 
13ea7f
@@ -6697,12 +6700,11 @@ paste_option_changed(void)
13ea7f
 		free_string_option(buf->b_p_vsts);
13ea7f
 	    buf->b_p_vsts = buf->b_p_vsts_nopaste
13ea7f
 			 ? vim_strsave(buf->b_p_vsts_nopaste) : empty_option;
13ea7f
-	    if (buf->b_p_vsts_array)
13ea7f
-		vim_free(buf->b_p_vsts_array);
13ea7f
+	    vim_free(buf->b_p_vsts_array);
13ea7f
 	    if (buf->b_p_vsts && buf->b_p_vsts != empty_option)
13ea7f
 		(void)tabstop_set(buf->b_p_vsts, &buf->b_p_vsts_array);
13ea7f
 	    else
13ea7f
-		buf->b_p_vsts_array = 0;
13ea7f
+		buf->b_p_vsts_array = NULL;
13ea7f
 #endif
13ea7f
 	}
13ea7f
 
13ea7f
diff -up vim82/src/testdir/test_options.vim.cve0417 vim82/src/testdir/test_options.vim
13ea7f
--- vim82/src/testdir/test_options.vim.cve0417	2021-03-22 10:02:42.000000000 +0100
13ea7f
+++ vim82/src/testdir/test_options.vim	2022-02-09 10:01:34.251009311 +0100
13ea7f
@@ -362,6 +362,8 @@ func Test_set_errors()
13ea7f
   call assert_fails('set shiftwidth=-1', 'E487:')
13ea7f
   call assert_fails('set sidescroll=-1', 'E487:')
13ea7f
   call assert_fails('set tabstop=-1', 'E487:')
13ea7f
+  call assert_fails('set tabstop=10000', 'E474:')
13ea7f
+  call assert_fails('set tabstop=5500000000', 'E474:')
13ea7f
   call assert_fails('set textwidth=-1', 'E487:')
13ea7f
   call assert_fails('set timeoutlen=-1', 'E487:')
13ea7f
   call assert_fails('set updatecount=-1', 'E487:')
13ea7f
diff -up vim82/src/vim.h.cve0417 vim82/src/vim.h
13ea7f
--- vim82/src/vim.h.cve0417	2021-03-22 10:02:42.000000000 +0100
13ea7f
+++ vim82/src/vim.h	2022-02-09 10:01:34.252009306 +0100
13ea7f
@@ -2032,6 +2032,8 @@ typedef int sock_T;
13ea7f
 
13ea7f
 #define DICT_MAXNEST 100	// maximum nesting of lists and dicts
13ea7f
 
13ea7f
+#define TABSTOP_MAX 9999
13ea7f
+
13ea7f
 #ifdef FEAT_CLIPBOARD
13ea7f
 
13ea7f
 // VIM_ATOM_NAME is the older Vim-specific selection type for X11.  Still