!671 fix coredump in prop_add() with id>INT_MAX

From: @fwo Reviewed-by: @dillon_chen, @zhoupengcheng11 Signed-off-by: @dillon_chen
2024-10-18 07:29:39 +00:00 · 2024-10-18 07:29:39 +00:00 · 33a342038e
commit 33a342038e
parent 1f62c030b4 fb704ad1de
2 changed files with 124 additions and 1 deletions
--- a/backport-patch-9.1.0722-crash-with-large-id-in-text_prop-interface.patch
+++ b/backport-patch-9.1.0722-crash-with-large-id-in-text_prop-interface.patch
@ -0,0 +1,116 @@
+From 701c863e68fa24847100beef3c9008024615a081 Mon Sep 17 00:00:00 2001
+From: Christian Brabandt <cb@256bit.org>
+Date: Sun, 8 Sep 2024 20:05:23 +0200
+Subject: [PATCH] patch 9.1.0722: crash with large id in text_prop interface
+
+Problem:  crash with large id in text_prop interface
+          prop_add()/prop_add_list() (cposture)
+Solution: Error out if the id is > INT_MAX or <= INT_MIN
+
+fixes: #15637
+closes: #15638
+
+Signed-off-by: Christian Brabandt <cb@256bit.org>
+---
+ runtime/doc/textprop.txt      | 12 ++++++------
+ src/testdir/test_textprop.vim |  4 ++++
+ src/textprop.c                | 22 ++++++++++++++++++++--
+ 3 files changed, 30 insertions(+), 8 deletions(-)
+
+diff --git a/runtime/doc/textprop.txt b/runtime/doc/textprop.txt
+index 6b46e06df9a20..0a04abbdb6d01 100644
+--- a/runtime/doc/textprop.txt
+++ b/runtime/doc/textprop.txt
+@@ -1,4 +1,4 @@
+-*textprop.txt*  For Vim version 9.0.  Last change: 2023 Apr 23
+*textprop.txt*  For Vim version 9.1.  Last change: 2024 Sep 08
+ 
+ 
+ 		  VIM REFERENCE MANUAL    by Bram Moolenaar
+@@ -138,10 +138,10 @@ prop_add({lnum}, {col}, {props})
+ 		   bufnr	buffer to add the property to; when omitted
+ 				the current buffer is used
+ 		   id		user defined ID for the property; must be a
+-				number, should be positive; when using "text"
+-				then "id" must not be present and will be set
+-				automatically to a negative number; otherwise
+-				zero is used
+				number, should be positive |E1510|;
+				when using "text" then "id" must not be
+				present and will be set automatically to a
+				negative number; otherwise zero is used
+ 							*E1305*
+ 		   text		text to be displayed before {col}, or
+ 				above/below the line if {col} is zero; prepend
+@@ -267,7 +267,7 @@ prop_add_list({props}, [{item}, ...])
+ 			call prop_add_list(#{type: 'MyProp', id: 2},
+ 					\ [[1, 4, 1, 7],
+ 					\  [1, 15, 1, 20],
+-					\  [2, 30, 3, 30]]
+					\  [2, 30, 3, 30]])
+ <
+ 		Can also be used as a |method|: >
+ 			GetProp()->prop_add_list([[1, 1, 1, 2], [1, 4, 1, 8]])
+diff --git a/src/testdir/test_textprop.vim b/src/testdir/test_textprop.vim
+index 57277f79e2506..bbb911f959305 100644
+--- a/src/testdir/test_textprop.vim
+++ b/src/testdir/test_textprop.vim
+@@ -393,6 +393,8 @@ func Test_prop_add_list()
+   call assert_fails('call prop_add_list(test_null_dict(), [[2, 2, 2]])', 'E965:')
+   call assert_fails('call prop_add_list(#{type: "one"}, test_null_list())', 'E1298:')
+   call assert_fails('call prop_add_list(#{type: "one"}, [test_null_list()])', 'E714:')
+  call assert_fails('call prop_add_list(#{type: "one", id: 2147483648}, [[2, 2, 2, 2], [3, 20, 3, 22]])', 'E1510:')
+  call assert_fails('call prop_add_list(#{type: "one", id: -2147483648}, [[2, 2, 2, 2], [3, 20, 3, 22]])', 'E1510:')
+ 
+   " only one error for multiple wrong values
+   call assert_fails('call prop_add_list(#{type: "one"}, [[{}, [], 0z00, 0.3]])', ['E728:', 'E728:'])
+@@ -1743,6 +1745,8 @@ func Test_prop_func_invalid_args()
+   call assert_fails("call prop_add(2, 3, {'type': 'xxx', 'length':-1})", 'E475:')
+   call assert_fails("call prop_add(2, 3, {'type': 'xxx', 'end_col':0})", 'E475:')
+   call assert_fails("call prop_add(2, 3, {'length':1})", 'E965:')
+  call assert_fails("call prop_add(2, 3, {'type': 'xxx', 'id': 2147483648})", 'E1510:')
+  call assert_fails("call prop_add(2, 3, {'type': 'xxx', 'id': -2147483648})", 'E1510:')
+ 
+   call prop_type_delete('xxx')
+   bwipe!
+diff --git a/src/textprop.c b/src/textprop.c
+index fe0c8d20cbd46..d16f8ecef3abe 100644
+--- a/src/textprop.c
+++ b/src/textprop.c
+@@ -372,7 +372,16 @@ f_prop_add_list(typval_T *argvars, typval_T *rettv UNUSED)
+     type_name = dict_get_string(dict, "type", FALSE);
+ 
+     if (dict_has_key(dict, "id"))
+-	id = dict_get_number(dict, "id");
+    {
+	long long x;
+	x = dict_get_number(dict, "id");
+	if (x > INT_MAX || x  <= INT_MIN)
+	{
+	    semsg(_(e_val_too_large), dict_get_string(dict, "id", FALSE));
+	    return;
+	}
+	id = (int)x;
+    }
+ 
+     if (get_bufnr_from_arg(&argvars[0], &buf) == FAIL)
+ 	return;
+@@ -497,7 +506,16 @@ prop_add_common(
+ 	end_col = 1;
+ 
+     if (dict_has_key(dict, "id"))
+-	id = dict_get_number(dict, "id");
+    {
+	long long x;
+	x = dict_get_number(dict, "id");
+	if (x > INT_MAX || x  <= INT_MIN)
+	{
+	    semsg(_(e_val_too_large), dict_get_string(dict, "id", FALSE));
+	    goto theend;
+	}
+	id = (int)x;
+    }
+ 
+     if (dict_has_key(dict, "text"))
+     {
+
--- a/vim.spec
+++ b/vim.spec
@ -14,7 +14,7 @@
 Name:           vim
 Epoch:          2
 Version:        %{baseversion}.%{patchlevel}
-Release:        12
+Release:        13
 Summary:        Vim is a highly configurable text editor for efficiently creating and changing any kind of text.
 License:        Vim and MIT
 URL:            http://www.vim.org
@ -50,6 +50,7 @@ Patch6015:      backport-patch-9.1.0554-bw-leaves-jumplist-and-tagstack-data-.pa
 Patch6016:      backport-CVE-2024-41957.patch
 Patch6017:      backport-CVE-2024-43374.patch
 Patch6018:      backport-CVE-2024-43802.patch
+Patch6019:      backport-patch-9.1.0722-crash-with-large-id-in-text_prop-interface.patch

 Patch9000:      bugfix-rm-modify-info-version.patch
 Patch9001:      fix-CVE-2024-47814.patch
@ -458,6 +459,12 @@ LC_ALL=en_US.UTF-8 make -j1 test || echo "Warning: Please check tests."
 %{_mandir}/man1/evim.*

 %changelog
+* Thu Oct 17 2024 wangjiang <app@cameyan.com> - 2:9.0.2092-13
+- Type:bugfix
+- ID:NA
+- SUG:NA
+- DESC:fix coredump in prop_add() with id>INT_MAX
+
 * Tue Oct 08 2024 changtao <changtao@kylinos.cn> - 2:9.0.2092-12
 - Type:CVE
 - ID:CVE-2024-47814