File CVE-2016-1248.patch of Package vim

From d0b5138ba4bccff8a744c99836041ef6322ed39a Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Fri, 4 Nov 2016 15:23:45 +0100
Subject: [PATCH] patch 8.0.0056 Problem:    When setting 'filetype' there is
 no check for a valid name. Solution:   Only allow valid characters in
 'filetype', 'syntax' and 'keymap'.

---
 src/option.c                 | 38 ++++++++++++++++++++++++++++++++--
 src/testdir/test_options.vim | 49 ++++++++++++++++++++++++++++++++++++++++++++
 src/version.c                |  2 ++
 3 files changed, 87 insertions(+), 2 deletions(-)

Index: vim74/src/option.c
===================================================================
--- vim74.orig/src/option.c
+++ vim74/src/option.c
@@ -5653,6 +5653,21 @@ set_string_option(opt_idx, value, opt_fl
 }
 
 /*
+ * Return TRUE if "val" is a valid 'filetype' name.
+ * Also used for 'syntax' and 'keymap'.
+ */
+    static int
+valid_filetype(char_u *val)
+{
+    char_u *s;
+
+    for (s = val; *s != NUL; ++s)
+	if (!ASCII_ISALNUM(*s) && vim_strchr((char_u *)".-_", *s) == NULL)
+	    return FALSE;
+    return TRUE;
+}
+
+/*
  * Handle string options that need some action to perform when changed.
  * Returns NULL for success, or an error message for an error.
  */
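Review bot: The header comment on `valid_filetype` does not say which characters count as valid or that an empty value passes, and both matter to anyone reusing the helper for another option. The loop accepts only ASCII alphanumerics plus `.`, `-` and `_`, and it returns TRUE for an empty string because the body never runs. I would add a line such as `* Only ASCII letters, digits and ".-_" are accepted; an empty value is valid.` to the comment. The definition also uses a typed parameter list, while the hunk header shows `set_string_option(opt_idx, value, opt_fl` in what appears to be the older untyped style, so it may be worth matching the surrounding file in this vim74 backport.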
@@ -6043,8 +6058,11 @@ did_set_string_option(opt_idx, varp, new
 #ifdef FEAT_KEYMAP
     else if (varp == &curbuf->b_p_keymap)
     {
-	/* load or unload key mapping tables */
-	errmsg = keymap_init();
+	if (!valid_filetype(*varp))
+	    errmsg = e_invarg;
+	else
+	    /* load or unload key mapping tables */
+	    errmsg = keymap_init();
 
 	if (errmsg == NULL)
 	{
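Review bot: The new `if`/`else` around `keymap_init()` is unbraced and has a comment sitting between `else` and its statement, so a line added later next to the call would fall outside the `else` and run even for a rejected name. I would brace both arms, e.g. `else { /* load or unload key mapping tables */ errmsg = keymap_init(); }`. The check reads `*varp`, so the new value is already stored when it is rejected. Restoring the previous value on `e_invarg` therefore has to happen in the part of `did_set_string_option` outside this hunk, which is worth confirming for the backport.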
@@ -6990,6 +7008,22 @@ did_set_string_option(opt_idx, varp, new
     }
 #endif
 
+#ifdef FEAT_AUTOCMD
+    else if (gvarp == &p_ft)
+    {
+	if (!valid_filetype(*varp))
+	    errmsg = e_invarg;
+    }
+#endif
+
+#ifdef FEAT_SYN_HL
+    else if (gvarp == &p_syn)
+    {
+	if (!valid_filetype(*varp))
+	    errmsg = e_invarg;
+    }
+#endif
+
     /* Options that are a list of flags. */
     else
     {
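Review bot: The `p_ft` and `p_syn` branches carry the name check for 'filetype' and 'syntax', yet no test for them is visible on this page. The diffstat lists `src/testdir/test_options.vim` (49 lines) and `src/version.c`, but only `src/option.c` hunks appear. If the backport dropped the test, I would carry over at least a check that setting 'filetype', 'syntax' and 'keymap' to a name with a character outside the allowed set fails with the invalid-argument error. The two branches are identical apart from the option they match, so a short comment like `/* only names accepted by valid_filetype() are allowed */` on each would make the intent clear. The enclosing `did_set_string_option` starts and ends outside the hunk.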