fix CVE-2022-2580 CVE-2022-2581

(cherry picked from commit 7b4348e2011970c47ca4e2c7065e1884feeb1605)
2022-08-17 11:01:21 +08:00 · 2022-08-17 11:01:21 +08:00 · 0d625d3cd8
commit 0d625d3cd8
parent 6cb9c69818
3 changed files with 74 additions and 1 deletions
--- a/backport-CVE-2022-2580.patch
+++ b/backport-CVE-2022-2580.patch
--- a/backport-CVE-2022-2581.patch
+++ b/backport-CVE-2022-2581.patch
@ -0,0 +1,65 @@
+From f50940531dd57135fe60aa393ac9d3281f352d88 Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Fri, 29 Jul 2022 16:22:25 +0100
+Subject: [PATCH 002/123] patch 9.0.0105: illegal memory access when pattern
+ starts with illegal byte
+
+Problem:    Illegal memory access when pattern starts with illegal byte.
+Solution:   Do not match a character with an illegal byte.
+---
+ src/regexp.c                     |  6 +++++-
+ src/testdir/test_regexp_utf8.vim | 15 +++++++++++++++
+ 2 files changed, 20 insertions(+), 1 deletion(-)
+
+diff --git a/src/regexp.c b/src/regexp.c
+index 1a5cfd0..bec0464 100644
+--- a/src/regexp.c
+++ b/src/regexp.c
+@@ -1641,7 +1641,11 @@ cstrchr(char_u *s, int c)
+ 	{
+ 	    if (enc_utf8 && c > 0x80)
+ 	    {
+-		if (utf_fold(utf_ptr2char(p)) == cc)
+		int uc = utf_ptr2char(p);
+
+		// Do not match an illegal byte.  E.g. 0xff matches 0xc3 0xbf,
+		// not 0xff.
+		if ((uc < 0x80 || uc != *p) && utf_fold(uc) == cc)
+ 		    return p;
+ 	    }
+ 	    else if (*p == c || *p == cc)
+diff --git a/src/testdir/test_regexp_utf8.vim b/src/testdir/test_regexp_utf8.vim
+index d88e263..e7672dd 100644
+--- a/src/testdir/test_regexp_utf8.vim
+++ b/src/testdir/test_regexp_utf8.vim
+@@ -1,5 +1,7 @@
+ " Tests for regexp in utf8 encoding
+ 
+source shared.vim
+
+ func s:equivalence_test()
+   let str = "AÀÁÂÃÄÅĀĂĄǍǞǠǺȂȦȺḀẠẢẤẦẨẪẬẮẰẲẴẶ BƁɃḂḄḆ CÇĆĈĊČƇȻḈꞒ DĎĐƊḊḌḎḐḒ EÈÉÊËĒĔĖĘĚȄȆȨɆḔḖḘḚḜẸẺẼẾỀỂỄỆ FƑḞꞘ GĜĞĠĢƓǤǦǴḠꞠ HĤĦȞḢḤḦḨḪⱧ IÌÍÎÏĨĪĬĮİƗǏȈȊḬḮỈỊ JĴɈ KĶƘǨḰḲḴⱩꝀ LĹĻĽĿŁȽḶḸḺḼⱠ MḾṀṂ NÑŃŅŇǸṄṆṈṊꞤ OÒÓÔÕÖØŌŎŐƟƠǑǪǬǾȌȎȪȬȮȰṌṎṐṒỌỎỐỒỔỖỘỚỜỞỠỢ PƤṔṖⱣ QɊ RŔŖŘȐȒɌṘṚṜṞⱤꞦ SŚŜŞŠȘṠṢṤṦṨⱾꞨ TŢŤŦƬƮȚȾṪṬṮṰ UÙÚÛÜŨŪŬŮŰƯǕǙǛǓǗȔȖɄṲṴṶṸṺỤỦỨỪỬỮỰ  VƲṼṾ WŴẀẂẄẆẈ XẊẌ YÝŶŸƳȲɎẎỲỴỶỸ ZŹŻŽƵẐẒẔⱫ aàáâãäåāăąǎǟǡǻȃȧᶏḁẚạảấầẩẫậắằẳẵặⱥ bƀɓᵬᶀḃḅḇ cçćĉċčƈȼḉꞓꞔ dďđɗᵭᶁᶑḋḍḏḑḓ eèéêëēĕėęěȅȇȩɇᶒḕḗḙḛḝẹẻẽếềểễệ fƒᵮᶂḟꞙ gĝğġģǥǧǵɠᶃḡꞡ hĥħȟḣḥḧḩḫẖⱨꞕ iìíîïĩīĭįǐȉȋɨᶖḭḯỉị jĵǰɉ kķƙǩᶄḱḳḵⱪꝁ lĺļľŀłƚḷḹḻḽⱡ mᵯḿṁṃ nñńņňŉǹᵰᶇṅṇṉṋꞥ oòóôõöøōŏőơǒǫǭǿȍȏȫȭȯȱɵṍṏṑṓọỏốồổỗộớờởỡợ pƥᵱᵽᶈṕṗ qɋʠ rŕŗřȑȓɍɽᵲᵳᶉṛṝṟꞧ sśŝşšșȿᵴᶊṡṣṥṧṩꞩ tţťŧƫƭțʈᵵṫṭṯṱẗⱦ uùúûüũūŭůűųǚǖưǔǘǜȕȗʉᵾᶙṳṵṷṹṻụủứừửữự vʋᶌṽṿ wŵẁẃẅẇẉẘ xẋẍ yýÿŷƴȳɏẏẙỳỵỷỹ zźżžƶᵶᶎẑẓẕⱬ"
+   let groups = split(str)
+@@ -560,6 +562,19 @@ func Test_match_invalid_byte()
+   call delete('Xinvalid')
+ endfunc
+ 
+func Test_match_illegal_byte()
+  let lines =<< trim END
+      silent! buffer ÿ\c
+      next ÿ
+      0scriptnames
+      source
+  END
+  call writefile(lines, 'Xregexp')
+  call system(GetVimCommand() .. ' -X -Z -e -s -S Xregexp -c qa!')
+
+  call delete('Xregexp')
+endfunc
+
+ func Test_match_too_complicated()
+   set regexpengine=1
+   exe "noswapfile vsplit \xeb\xdb\x99"
+-- 
+1.8.3.1
+
--- a/vim.spec
+++ b/vim.spec
@ -12,7 +12,7 @@
 Name:           vim
 Epoch:          2
 Version:        9.0
-Release:        4
+Release:        5
 Summary:        Vim is a highly configurable text editor for efficiently creating and changing any kind of text.
 License:        Vim and MIT
 URL:            http://www.vim.org
@ -44,6 +44,8 @@ Patch6013:      backport-patch-9.0.0054-compiler-warning-for-size_t-to-int-co.pa
 Patch6014:      backport-CVE-2022-2522.patch
 Patch6015:      backport-CVE-2022-2598.patch
 Patch6016:      backport-CVE-2022-2571.patch
+Patch6017:      backport-CVE-2022-2580.patch
+Patch6018:      backport-CVE-2022-2581.patch

 Patch9000:      bugfix-rm-modify-info-version.patch

@ -437,6 +439,12 @@ popd
 %{_mandir}/man1/evim.*

 %changelog
+* Wed Aug 17 2022 wangjiang <wangjiang37@h-partners.com> - 2:9.0-5
+- Type:bugfix
+- ID:CVE-2022-2580 CVE-2022-2581
+- SUG:NA
+- DESC:fix CVE-2022-2580 CVE-2022-2581
+
 * Wed Aug 10 2022 shixuantong <shixuantong@h-partners.com> - 2:9.0-4
 - Type:bugfix
 - ID:NA