!689 fix CVE-2025-22134 CVE-2025-24014

From: @fwo Reviewed-by: @boluo56, @znzjugod Signed-off-by: @znzjugod
2025-02-12 03:29:39 +00:00 · 2025-02-12 03:29:39 +00:00 · 2ce48f9807
commit 2ce48f9807
parent 6407ebe15e fc890a3c60
4 changed files with 269 additions and 1 deletions
--- a/backport-CVE-2025-22134.patch
+++ b/backport-CVE-2025-22134.patch
@ -0,0 +1,126 @@
 From c9a1e257f1630a0866447e53a564f7ff96a80ead Mon Sep 17 00:00:00 2001
 From: Christian Brabandt <cb@256bit.org>
 Date: Sat, 11 Jan 2025 15:25:00 +0100
 Subject: [PATCH] patch 9.1.1003: [security]: heap-buffer-overflow with visual
 mode
 Problem:  [security]: heap-buffer-overflow with visual mode when
          using :all, causing Vim trying to access beyond end-of-line
          (gandalf)
 Solution: Reset visual mode on :all, validate position in gchar_pos()
          and charwise_block_prep()
 This fixes CVE-2025-22134
 Github Advisory:
 https://github.com/vim/vim/security/advisories/GHSA-5rgf-26wj-48v8
 Co-authored-by: zeertzjq <zeertzjq@outlook.com>
 Signed-off-by: Christian Brabandt <cb@256bit.org>
 ---
 src/arglist.c               |  4 ++++
 src/misc1.c                 |  4 ++++
 src/testdir/test_visual.vim | 26 ++++++++++++++++++++++----
 3 files changed, 30 insertions(+), 4 deletions(-)
 diff --git a/src/arglist.c b/src/arglist.c
 index 8825c8e252ccc5..4eec079df438a3 100644
 --- a/src/arglist.c
 +++ b/src/arglist.c
@@ -1248,6 +1248,10 @@ do_arg_all(
     tabpage_T *new_lu_tp = curtab;
 +    // Stop Visual mode, the cursor and "VIsual" may very well be invalid after
 +    // switching to another buffer.
 +    reset_VIsual_and_resel();
 +
     // Try closing all windows that are not in the argument list.
     // Also close windows that are not full width;
     // When 'hidden' or "forceit" set the buffer becomes hidden.
 diff --git a/src/misc1.c b/src/misc1.c
 index 90cf914742b115..142a6161ea6c8a 100644
 --- a/src/misc1.c
 +++ b/src/misc1.c
@@ -535,11 +535,15 @@ plines_m_win(win_T *wp, linenr_T first, linenr_T last, int limit_winheight)
 gchar_pos(pos_T *pos)
 {
     char_u	*ptr;
 +    int		ptrlen;
     // When searching columns is sometimes put at the end of a line.
     if (pos->col == MAXCOL)
 	return NUL;
 +    ptrlen = STRLEN(ml_get(pos->lnum));
     ptr = ml_get_pos(pos);
 +    if (pos->col > ptrlen)
 +	return NUL;
     if (has_mbyte)
 	return (*mb_ptr2char)(ptr);
     return (int)*ptr;
 diff --git a/src/testdir/test_visual.vim b/src/testdir/test_visual.vim
 index 0be73ecc1342b9..03335a464d62f3 100644
 --- a/src/testdir/test_visual.vim
 +++ b/src/testdir/test_visual.vim
@@ -469,7 +469,7 @@ func Test_Visual_Block()
 	      \ "\t{",
 	      \ "\t}"], getline(1, '$'))
 -  close!
 +  bw!
 endfunc
 " Test for 'p'ut in visual block mode
@@ -1079,7 +1079,7 @@ func Test_star_register()
   delmarks < >
   call assert_fails('*yank', 'E20:')
 -  close!
 +  bw!
 endfunc
 " Test for changing text in visual mode with 'exclusive' selection
@@ -1095,7 +1095,7 @@ func Test_exclusive_selection()
   call assert_equal('l      one', getline(1))
   set virtualedit&
   set selection&
 -  close!
 +  bw!
 endfunc
 " Test for starting linewise visual with a count.
@@ -1152,7 +1152,7 @@ func Test_visual_inner_block()
   8,9d
   call cursor(5, 1)
   call assert_beeps('normal ViBiB')
 -  close!
 +  bw!
 endfunc
 func Test_visual_put_in_block()
@@ -1587,4 +1587,22 @@ func Test_Visual_r_CTRL_C()
   bw!
 endfu
 +" the following caused a Heap-Overflow, because Vim was accessing outside of a
 +" line end
 +func Test_visual_pos_buffer_heap_overflow()
 +  set virtualedit=all
 +  args Xa Xb
 +  all
 +  call setline(1, ['', '', ''])
 +  call cursor(3, 1)
 +  wincmd w
 +  call setline(1, 'foobar')
 +  normal! $lv0
 +  all
 +  call setreg('"', 'baz')
 +  normal! [P
 +  set virtualedit=
 +  bw! Xa Xb
 +endfunc
 +
 " vim: shiftwidth=2 sts=2 expandtab
 -- 
 2.43.0
--- a/backport-CVE-2025-24014.patch
+++ b/backport-CVE-2025-24014.patch
@ -0,0 +1,42 @@
 From 9d1bed5eccdbb46a26b8a484f5e9163c40e63919 Mon Sep 17 00:00:00 2001
 From: Christian Brabandt <cb@256bit.org>
 Date: Mon, 20 Jan 2025 22:55:57 +0100
 Subject: [PATCH] patch 9.1.1043: [security]: segfault in win_line()
 Problem:  [security]: segfault in win_line()
          (fizz-is-on-the-way)
 Solution: Check that ScreenLines is not NULL
 Github Advisory:
 https://github.com/vim/vim/security/advisories/GHSA-j3g9-wg22-v955
 Signed-off-by: Christian Brabandt <cb@256bit.org>
 ---
 src/gui.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
 diff --git a/src/gui.c b/src/gui.c
 index 8e7b079a5a4ea4..86c40de632aa1e 100644
 --- a/src/gui.c
 +++ b/src/gui.c
@@ -4471,13 +4471,15 @@ gui_do_scroll(void)
     /*
      * Don't call updateWindow() when nothing has changed (it will overwrite
      * the status line!).
 +     *
 +     * Check for ScreenLines, because in ex-mode, we don't have a valid display.
      */
 -    if (old_topline != wp->w_topline
 +    if (ScreenLines != NULL && (old_topline != wp->w_topline
 	    || wp->w_redr_type != 0
 #ifdef FEAT_DIFF
 	    || old_topfill != wp->w_topfill
 #endif
 -	    )
 +	    ))
     {
 	int type = UPD_VALID;
 -- 
 2.43.0
--- a/backport-patch-9.1.0038-Unnecessary-loop-in-getvcol.patch
+++ b/backport-patch-9.1.0038-Unnecessary-loop-in-getvcol.patch
@ -0,0 +1,91 @@
 From 4ea37f88e8345ca830271636a2e197a1a46114d2 Mon Sep 17 00:00:00 2001
 From: zeertzjq <zeertzjq@outlook.com>
 Date: Wed, 17 Jan 2024 20:52:13 +0100
 Subject: [PATCH] patch 9.1.0038: Unnecessary loop in getvcol()
 Problem:  Unnecessary loop in getvcol().
 Solution: Compare next char position with pos->col directly.
          (zeertzjq)
 The loop below already handles end of line before checking for posptr,
 and the next char is after pos->col whether pos->col is at the start or
 in the middle of the char in question, so neither the NUL check nor the
 mb_head_off() are needed when comparing the position of the next char
 with pos->col directly.
 closes: #13878
 Signed-off-by: zeertzjq <zeertzjq@outlook.com>
 Signed-off-by: Christian Brabandt <cb@256bit.org>
 ---
 src/charset.c | 30 ++++++------------------------
 1 files changed, 6 insertions(+), 24 deletions(-)
 diff --git a/src/charset.c b/src/charset.c
 index 3ea2ecb8e216c2..eef2e8983c280e 100644
 --- a/src/charset.c
 +++ b/src/charset.c
@@ -1482,7 +1482,6 @@ getvcol(
 {
     colnr_T	vcol;
     char_u	*ptr;		// points to current char
 -    char_u	*posptr;	// points to char at pos->col
     char_u	*line;		// start of the line
     int		incr;
     int		head;
@@ -1498,24 +1497,6 @@ getvcol(
     vcol = 0;
     line = ptr = ml_get_buf(wp->w_buffer, pos->lnum, FALSE);
 -    if (pos->col == MAXCOL)
 -	posptr = NULL;  // continue until the NUL
 -    else
 -    {
 -	colnr_T i;
 -
 -	// In a few cases the position can be beyond the end of the line.
 -	for (i = 0; i < pos->col; ++i)
 -	    if (ptr[i] == NUL)
 -	    {
 -		pos->col = i;
 -		break;
 -	    }
 -	posptr = ptr + pos->col;
 -	if (has_mbyte)
 -	    // always start on the first byte
 -	    posptr -= (*mb_head_off)(line, posptr);
 -    }
     init_chartabsize_arg(&cts, wp, pos->lnum, 0, line, line);
     cts.cts_max_head_vcol = -1;
@@ -1577,11 +1558,12 @@ getvcol(
 		    incr = g_chartab[c] & CT_CELL_MASK;
 	    }
 -	    if (posptr != NULL && ptr >= posptr) // character at pos->col
 +	    char_u *next_ptr = ptr + (*mb_ptr2len)(ptr);
 +	    if (next_ptr - line > pos->col) // character at pos->col
 		break;
 	    vcol += incr;
 -	    MB_PTR_ADV(ptr);
 +	    ptr = next_ptr;
 	}
     }
     else
@@ -1609,12 +1591,12 @@ getvcol(
 		wp->w_virtcol_first_char = cts.cts_first_char;
 #endif
 -	    if (posptr != NULL && cts.cts_ptr >= posptr)
 -		// character at pos->col
 +	    char_u *next_ptr = cts.cts_ptr + (*mb_ptr2len)(cts.cts_ptr);
 +	    if (next_ptr - line > pos->col) // character at pos->col
 		break;
 	    cts.cts_vcol += incr;
 -	    MB_PTR_ADV(cts.cts_ptr);
 +	    cts.cts_ptr = next_ptr;
 	}
 	vcol = cts.cts_vcol;
 	ptr = cts.cts_ptr;
--- a/vim.spec
+++ b/vim.spec
@ -14,7 +14,7 @@
 Name:           vim
 Epoch:          2
 Version:        %{baseversion}.%{patchlevel}
-Release:        15
+Release:        16
 Summary:        Vim is a highly configurable text editor for efficiently creating and changing any kind of text.
 License:        Vim and MIT
 URL:            http://www.vim.org
@ -53,6 +53,9 @@ Patch6018:      backport-CVE-2024-43802.patch
 Patch6019:      backport-patch-9.1.0722-crash-with-large-id-in-text_prop-interface.patch
 Patch6020:      backport-patch-9.1.0730-crash-with-cursor-screenline-and-narrow-window.patch
 Patch6021:      backport-patch-9.1.0918-tiny-vim-crashes-with-fuzzy-buffer-completion.patch
 Patch6022:      backport-patch-9.1.0038-Unnecessary-loop-in-getvcol.patch
 Patch6023:      backport-CVE-2025-22134.patch
 Patch6024:      backport-CVE-2025-24014.patch
 Patch9000:      bugfix-rm-modify-info-version.patch
 Patch9001:      fix-CVE-2024-47814.patch
@ -461,6 +464,12 @@ LC_ALL=en_US.UTF-8 make -j1 test || echo "Warning: Please check tests."
 %{_mandir}/man1/evim.*
 %changelog
 * Mon Jan 20 2025 wangjiang <app@cameyan.com> - 2:9.0.2092-16
 - Type:CVE
 - ID:CVE-2025-22134 CVE-2025-24014
 - SUG:NA
 - DESC:CVE-2025-22134 CVE-2025-24014
 * Fri Dec 13 2024 wangjiang <app@cameyan.com> - 2:9.0.2092-15
 - Type:bugfix
 - ID:NA