!414 fix CVE-2022-3352

From: @dongyuzhen Reviewed-by: @lvying6 Signed-off-by: @lvying6
2022-10-14 08:40:10 +00:00 · 2022-10-14 08:40:10 +00:00 · 3e0ecfae46
commit 3e0ecfae46
parent 15c61c2594 950df88546
3 changed files with 117 additions and 1 deletions
--- a/backport-CVE-2022-3352.patch
+++ b/backport-CVE-2022-3352.patch
@ -0,0 +1,79 @@
+From ef976323e770315b5fca544efb6b2faa25674d15 Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Wed, 28 Sep 2022 11:48:30 +0100
+Subject: [PATCH] patch 9.0.0614: SpellFileMissing autocmd may delete buffer
+
+Problem:    SpellFileMissing autocmd may delete buffer.
+Solution:   Disallow deleting the current buffer to avoid using freed memory.
+---
+ src/buffer.c                 |  7 ++++++-
+ src/spell.c                  |  6 ++++++
+ src/testdir/test_autocmd.vim | 10 ++++++++++
+ 3 files changed, 22 insertions(+), 1 deletion(-)
+
+diff --git a/src/buffer.c b/src/buffer.c
+index e775398..a85b2a8 100644
+--- a/src/buffer.c
+++ b/src/buffer.c
+@@ -461,7 +461,12 @@ can_unload_buffer(buf_T *buf)
+ 	    }
+     }
+     if (!can_unload)
+-	semsg(_(e_attempt_to_delete_buffer_that_is_in_use_str), buf->b_fname);
+    {
+	char_u *fname = buf->b_fname != NULL ? buf->b_fname : buf->b_ffname;
+
+	semsg(_(e_attempt_to_delete_buffer_that_is_in_use_str),
+				fname != NULL ? fname : (char_u *)"[No Name]");
+    }
+     return can_unload;
+ }
+ 
+diff --git a/src/spell.c b/src/spell.c
+index 24abce4..3664425 100644
+--- a/src/spell.c
+++ b/src/spell.c
+@@ -1559,6 +1559,10 @@ spell_load_lang(char_u *lang)
+     sl.sl_slang = NULL;
+     sl.sl_nobreak = FALSE;
+ 
+    // Disallow deleting the current buffer.  Autocommands can do weird things
+    // and cause "lang" to be freed.
+    ++curbuf->b_locked;
+
+     // We may retry when no spell file is found for the language, an
+     // autocommand may load it then.
+     for (round = 1; round <= 2; ++round)
+@@ -1612,6 +1616,8 @@ spell_load_lang(char_u *lang)
+ 	STRCPY(fname_enc + STRLEN(fname_enc) - 3, "add.spl");
+ 	do_in_runtimepath(fname_enc, DIP_ALL, spell_load_cb, &sl);
+     }
+
+    --curbuf->b_locked;
+ }
+ 
+ /*
+diff --git a/src/testdir/test_autocmd.vim b/src/testdir/test_autocmd.vim
+index e9a59c2..bc74c29 100644
+--- a/src/testdir/test_autocmd.vim
+++ b/src/testdir/test_autocmd.vim
+@@ -2750,6 +2750,16 @@ func Test_FileType_spell()
+   setglobal spellfile=
+ endfunc
+ 
+" this was wiping out the current buffer and using freed memory
+func Test_SpellFileMissing_bwipe()
+  next 0
+  au SpellFileMissing 0 bwipe
+  call assert_fails('set spell spelllang=0', 'E937:')
+
+  au! SpellFileMissing
+  bwipe
+endfunc
+
+ " Test closing a window or editing another buffer from a FileChangedRO handler
+ " in a readonly buffer
+ func Test_FileChangedRO_winclose()
+-- 
+2.27.0
+
--- a/backport-spell-test-fails-because-error-message-changed.patch
+++ b/backport-spell-test-fails-because-error-message-changed.patch
@ -0,0 +1,28 @@
+From 371951d0c34d4f44b50ad8bc8d30a4ef7effade6 Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Wed, 28 Sep 2022 14:08:23 +0100
+Subject: [PATCH] patch 9.0.0616: spell test fails because error message
+ changed
+
+Problem:    Spell test fails because error message changed.
+Solution:   Adjust expected error message.
+---
+ src/testdir/test_spell.vim | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/testdir/test_spell.vim b/src/testdir/test_spell.vim
+index 9cc7d68..bc948b0 100644
+--- a/src/testdir/test_spell.vim
+++ b/src/testdir/test_spell.vim
+@@ -145,7 +145,7 @@ func Test_spell_file_missing()
+   augroup TestSpellFileMissing
+     autocmd! SpellFileMissing * bwipe
+   augroup END
+-  call assert_fails('set spell spelllang=ab_cd', 'E797:')
+  call assert_fails('set spell spelllang=ab_cd', 'E937:')
+ 
+   " clean up
+   augroup TestSpellFileMissing
+-- 
+2.27.0
+
--- a/vim.spec
+++ b/vim.spec
@ -12,7 +12,7 @@
 Name:           vim
 Epoch:          2
 Version:        9.0
-Release:        17
+Release:        18
 Summary:        Vim is a highly configurable text editor for efficiently creating and changing any kind of text.
 License:        Vim and MIT
 URL:            http://www.vim.org
@ -67,6 +67,8 @@ Patch6036:      backport-CVE-2022-3234.patch
 Patch6037:      backport-CVE-2022-3235.patch
 Patch6038:      backport-CVE-2022-3256.patch
 Patch6039:      backport-CVE-2022-3296.patch
+Patch6040:      backport-CVE-2022-3352.patch
+Patch6041:      backport-spell-test-fails-because-error-message-changed.patch

 Patch9000:      bugfix-rm-modify-info-version.patch

@ -365,6 +367,7 @@ popd
 %{_bindir}/vim -c ":helptags %{_datadir}/%{name}/vimfiles/doc" -c :q &> /dev/null || :

 %check
+export TERM=xterm
 LC_ALL=en_US.UTF-8 make -j1 test

 %files common
@ -465,6 +468,12 @@ LC_ALL=en_US.UTF-8 make -j1 test
 %{_mandir}/man1/evim.*

 %changelog
+* Wed Oct 12 2022 dongyuzhen <dongyuzhen@h-partners.com> - 2:9.0-18
+- Type:CVE
+- ID:CVE-2022-3352
+- SUG:NA
+- DESC:fix CVE-2022-3352
+
 * Thu Sep 29 2022 huangduirong <huangduirong@huawei.com> - 2:9.0-17
 - Type:CVE
 - ID:CVE-2022-3296