packages/vim
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix CVE-2022-2816 CVE-2022-2817 CVE-2022-2819 CVE-2022-2845 CVE-2022-2849 CVE-2022-2862 CVE-2022-2874

Browse Source 
(cherry picked from commit 8aa930c83f9aeac83469ad406dc753545144c86f)
This commit is contained in:
shixuantong 2022-08-18 16:59:58 +08:00 committed by openeuler-sync-bot
parent c5301c59b4
commit 480d0a43a5
8 changed files with 522 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

58
backport-CVE-2022-2816.patch Normal file
View File

@ -0,0 +1,58 @@
From dbdd16b62560413abcc3c8e893cc3010ccf31666 Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Sun, 14 Aug 2022 21:46:07 +0100
Subject: [PATCH] patch 9.0.0212: invalid memory access when compiling :unlet
Problem: Invalid memory access when compiling :unlet.
Solution: Don't read past the end of the line.
---
src/testdir/test_vim9_cmd.vim | 11 +++++++++--
src/vim9cmds.c | 6 ++++++
2 files changed, 15 insertions(+), 2 deletions(-)
diff --git a/src/testdir/test_vim9_cmd.vim b/src/testdir/test_vim9_cmd.vim
index 16f534e..a40f261 100644
--- a/src/testdir/test_vim9_cmd.vim
+++ b/src/testdir/test_vim9_cmd.vim
@@ -1704,12 +1704,19 @@ def Test_lockvar()
lines =<< trim END
def _()
- s:0([], s:0)
lockv
enddef
defcomp
END
- v9.CheckScriptFailure(lines, 'E179', 2)
+ v9.CheckScriptFailure(lines, 'E179', 1)
+
+ lines =<< trim END
+ def T()
+ unlet
+ enddef
+ defcomp
+ END
+ v9.CheckScriptFailure(lines, 'E179', 1)
enddef
def Test_substitute_expr()
diff --git a/src/vim9cmds.c b/src/vim9cmds.c
index 35a3821..93032d6 100644
--- a/src/vim9cmds.c
+++ b/src/vim9cmds.c
@@ -92,6 +92,12 @@ free_locals(cctx_T *cctx)
int
check_vim9_unlet(char_u *name)
{
+ if (*name == NUL)
+ {
+ semsg(_(e_argument_required_for_str), "unlet");
+ return FAIL;
+ }
+
if (name[1] != ':' || vim_strchr((char_u *)"gwtb", *name) == NULL)
{
// "unlet s:var" is allowed in legacy script.
--
2.36.1

75
backport-CVE-2022-2817.patch Normal file
View File

@ -0,0 +1,75 @@
From 249e1b903a9c0460d618f6dcc59aeb8c03b24b20 Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Sun, 14 Aug 2022 22:23:02 +0100
Subject: [PATCH] patch 9.0.0213: using freed memory with error in assert
argument
Problem: Using freed memory with error in assert argument.
Solution: Make a copy of the error.
---
src/testdir/test_assert.vim | 4 ++++
src/testing.c | 18 ++++++++++++------
2 files changed, 16 insertions(+), 6 deletions(-)
diff --git a/src/testdir/test_assert.vim b/src/testdir/test_assert.vim
index 27b2d73..7c9d090 100644
--- a/src/testdir/test_assert.vim
+++ b/src/testdir/test_assert.vim
@@ -291,6 +291,10 @@ func Test_assert_fail_fails()
let exp = v:exception
endtry
call assert_match("E1174: String required for argument 5", exp)
+
+ call assert_equal(1, assert_fails('c0', ['', '\1']))
+ call assert_match("Expected '\\\\\\\\1' but got 'E939: Positive count required: c0': c0", v:errors[0])
+ call remove(v:errors, 0)
endfunc
func Test_assert_fails_in_try_block()
diff --git a/src/testing.c b/src/testing.c
index c49df4b..43b8d20 100644
--- a/src/testing.c
+++ b/src/testing.c
@@ -597,6 +597,7 @@ f_assert_fails(typval_T *argvars, typval_T *rettv)
int save_trylevel = trylevel;
int called_emsg_before = called_emsg;
char *wrong_arg_msg = NULL;
+ char_u *tofree = NULL;
if (check_for_string_or_number_arg(argvars, 0) == FAIL
|| check_for_opt_string_or_list_arg(argvars, 1) == FAIL
@@ -660,13 +661,17 @@ f_assert_fails(typval_T *argvars, typval_T *rettv)
}
else if (list->lv_len == 2)
{
- tv = &list->lv_u.mat.lv_last->li_tv;
- actual = get_vim_var_str(VV_ERRMSG);
- expected = tv_get_string_buf_chk(tv, buf);
- if (!pattern_match(expected, actual, FALSE))
+ // make a copy, an error in pattern_match() may free it
+ tofree = actual = vim_strsave(get_vim_var_str(VV_ERRMSG));
+ if (actual != NULL)
{
- error_found = TRUE;
- expected_str = expected;
+ tv = &list->lv_u.mat.lv_last->li_tv;
+ expected = tv_get_string_buf_chk(tv, buf);
+ if (!pattern_match(expected, actual, FALSE))
+ {
+ error_found = TRUE;
+ expected_str = expected;
+ }
}
}
}
@@ -749,6 +754,7 @@ theend:
msg_scrolled = 0;
lines_left = Rows;
VIM_CLEAR(emsg_assert_fails_msg);
+ vim_free(tofree);
set_vim_var_string(VV_ERRMSG, NULL, 0);
if (wrong_arg_msg != NULL)
emsg(_(wrong_arg_msg));
--
2.36.1

66
backport-CVE-2022-2819.patch Normal file
View File

@ -0,0 +1,66 @@
From d1d8f6bacb489036d0fd479c9dd3c0102c988889 Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Sun, 14 Aug 2022 21:28:32 +0100
Subject: [PATCH] patch 9.0.0211: invalid memory access when compiling :lockvar
Problem: Invalid memory access when compiling :lockvar.
Solution: Don't read past the end of the line.
---
src/testdir/test_vim9_cmd.vim | 9 +++++++++
src/vim9cmds.c | 9 +++++++--
2 files changed, 16 insertions(+), 2 deletions(-)
diff --git a/src/testdir/test_vim9_cmd.vim b/src/testdir/test_vim9_cmd.vim
index 7db8e50..16f534e 100644
--- a/src/testdir/test_vim9_cmd.vim
+++ b/src/testdir/test_vim9_cmd.vim
@@ -1701,6 +1701,15 @@ def Test_lockvar()
UnLockIt()
END
v9.CheckScriptFailure(lines, 'E46', 1)
+
+ lines =<< trim END
+ def _()
+ s:0([], s:0)
+ lockv
+ enddef
+ defcomp
+ END
+ v9.CheckScriptFailure(lines, 'E179', 2)
enddef
def Test_substitute_expr()
diff --git a/src/vim9cmds.c b/src/vim9cmds.c
index ad32c32..35a3821 100644
--- a/src/vim9cmds.c
+++ b/src/vim9cmds.c
@@ -188,10 +188,17 @@ compile_lock_unlock(
size_t len;
char_u *buf;
isntype_T isn = ISN_EXEC;
+ char *cmd = eap->cmdidx == CMD_lockvar ? "lockvar" : "unlockvar";
if (cctx->ctx_skip == SKIP_YES)
return OK;
+ if (*p == NUL)
+ {
+ semsg(_(e_argument_required_for_str), cmd);
+ return FAIL;
+ }
+
// Cannot use :lockvar and :unlockvar on local variables.
if (p[1] != ':')
{
@@ -223,8 +230,6 @@ compile_lock_unlock(
ret = FAIL;
else
{
- char *cmd = eap->cmdidx == CMD_lockvar ? "lockvar" : "unlockvar";
-
if (deep < 0)
vim_snprintf((char *)buf, len, "%s! %s", cmd, p);
else
--
2.36.1

61
backport-CVE-2022-2845.patch Normal file
View File

@ -0,0 +1,61 @@
From e98c88c44c308edaea5994b8ad4363e65030968c Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Tue, 16 Aug 2022 14:51:53 +0100
Subject: [PATCH] patch 9.0.0218: reading before the start of the line
Problem: Reading before the start of the line.
Solution: When displaying "$" check the column is not negative.
---
src/edit.c | 3 ++-
src/proto/edit.pro | 2 +-
src/testdir/test_cmdline.vim | 8 ++++++++
3 files changed, 11 insertions(+), 2 deletions(-)
diff --git a/src/edit.c b/src/edit.c
index a8e695c..96f47bd 100644
--- a/src/edit.c
+++ b/src/edit.c
@@ -1741,8 +1741,9 @@ edit_unputchar(void)
* Only works when cursor is in the line that changes.
*/
void
-display_dollar(colnr_T col)
+display_dollar(colnr_T col_arg)
{
+ colnr_T col = col_arg < 0 ? 0 : col_arg;
colnr_T save_col;
if (!redrawing())
diff --git a/src/proto/edit.pro b/src/proto/edit.pro
index a233e40..f35ec1e 100644
--- a/src/proto/edit.pro
+++ b/src/proto/edit.pro
@@ -5,7 +5,7 @@ void ins_redraw(int ready);
void edit_putchar(int c, int highlight);
void set_insstart(linenr_T lnum, int col);
void edit_unputchar(void);
-void display_dollar(colnr_T col);
+void display_dollar(colnr_T col_arg);
void undisplay_dollar(void);
void truncate_spaces(char_u *line);
void backspace_until_column(int col);
diff --git a/src/testdir/test_cmdline.vim b/src/testdir/test_cmdline.vim
index f0498a1..08e2de7 100644
--- a/src/testdir/test_cmdline.vim
+++ b/src/testdir/test_cmdline.vim
@@ -3439,4 +3439,12 @@ func Test_long_error_message()
silent! norm Q00000000000000     000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000                                                                                                                                                                                                                        
endfunc
+func Test_cmdwin_virtual_edit()
+ enew!
+ set ve=all cpo+=$
+ silent normal q/s
+
+ set ve= cpo-=$
+endfunc
+
" vim: shiftwidth=2 sts=2 expandtab
--
2.36.1

103
backport-CVE-2022-2849.patch Normal file
View File

@ -0,0 +1,103 @@
From f6d39c31d2177549a986d170e192d8351bd571e2 Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Tue, 16 Aug 2022 17:50:38 +0100
Subject: [PATCH] patch 9.0.0220: invalid memory access with for loop over NULL
string
Problem: Invalid memory access with for loop over NULL string.
Solution: Make sure mb_ptr2len() consistently returns zero for NUL.
---
src/globals.h | 3 ++-
src/mbyte.c | 21 +++++++++++++--------
src/testdir/test_eval_stuff.vim | 12 ++++++++++++
3 files changed, 27 insertions(+), 9 deletions(-)
diff --git a/src/globals.h b/src/globals.h
index 888f6e9..9b40be4 100644
--- a/src/globals.h
+++ b/src/globals.h
@@ -1033,7 +1033,8 @@ EXTERN vimconv_T output_conv; // type of output conversion
* (DBCS).
* The value is set in mb_init();
*/
-// length of char in bytes, including following composing chars
+// Length of char in bytes, including any following composing chars.
+// NUL has length zero.
EXTERN int (*mb_ptr2len)(char_u *p) INIT(= latin_ptr2len);
// idem, with limit on string length
diff --git a/src/mbyte.c b/src/mbyte.c
index 3656880..782a7ad 100644
--- a/src/mbyte.c
+++ b/src/mbyte.c
@@ -1077,24 +1077,28 @@ dbcs_char2bytes(int c, char_u *buf)
}
/*
- * mb_ptr2len() function pointer.
- * Get byte length of character at "*p" but stop at a NUL.
- * For UTF-8 this includes following composing characters.
- * Returns 0 when *p is NUL.
+ * Get byte length of character at "*p". Returns zero when "*p" is NUL.
+ * Used for mb_ptr2len() when 'encoding' latin.
*/
int
latin_ptr2len(char_u *p)
{
- return MB_BYTE2LEN(*p);
+ return *p == NUL ? 0 : 1;
}
+/*
+ * Get byte length of character at "*p". Returns zero when "*p" is NUL.
+ * Used for mb_ptr2len() when 'encoding' DBCS.
+ */
static int
-dbcs_ptr2len(
- char_u *p)
+dbcs_ptr2len(char_u *p)
{
int len;
- // Check if second byte is not missing.
+ if (*p == NUL)
+ return 0;
+
+ // if the second byte is missing the length is 1
len = MB_BYTE2LEN(*p);
if (len == 2 && p[1] == NUL)
len = 1;
@@ -2105,6 +2109,7 @@ utf_ptr2len_len(char_u *p, int size)
/*
* Return the number of bytes the UTF-8 encoding of the character at "p" takes.
* This includes following composing characters.
+ * Returns zero for NUL.
*/
int
utfc_ptr2len(char_u *p)
diff --git a/src/testdir/test_eval_stuff.vim b/src/testdir/test_eval_stuff.vim
index c63082e..313d791 100644
--- a/src/testdir/test_eval_stuff.vim
+++ b/src/testdir/test_eval_stuff.vim
@@ -75,6 +75,18 @@ func Test_for_invalid()
redraw
endfunc
+func Test_for_over_null_string()
+ let save_enc = &enc
+ set enc=iso8859
+ let cnt = 0
+ for c in test_null_string()
+ let cnt += 1
+ endfor
+ call assert_equal(0, cnt)
+
+ let &enc = save_enc
+endfunc
+
func Test_readfile_binary()
new
call setline(1, ['one', 'two', 'three'])
--
2.36.1

72
backport-CVE-2022-2862.patch Normal file
View File

@ -0,0 +1,72 @@
From 1889f499a4f248cd84e0e0bf6d0d820016774494 Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Tue, 16 Aug 2022 19:34:44 +0100
Subject: [PATCH] patch 9.0.0221: accessing freed memory if compiling nested
function fails
Problem: Accessing freed memory if compiling nested function fails.
Solution: Mess up the variable name so that it won't be found.
---
src/testdir/test_vim9_func.vim | 12 ++++++++++++
src/vim9compile.c | 7 +++++--
2 files changed, 17 insertions(+), 2 deletions(-)
diff --git a/src/testdir/test_vim9_func.vim b/src/testdir/test_vim9_func.vim
index 33a6615..426fde4 100644
--- a/src/testdir/test_vim9_func.vim
+++ b/src/testdir/test_vim9_func.vim
@@ -907,6 +907,18 @@ def Test_nested_function()
v9.CheckScriptFailure(lines, 'E1173: Text found after enddef: burp', 3)
enddef
+def Test_nested_function_fails()
+ var lines =<< trim END
+ def T()
+ def Func(g: string):string
+ enddef
+ Func()
+ enddef
+ silent! defcompile
+ END
+ v9.CheckScriptFailure(lines, 'E1069:')
+enddef
+
def Test_not_nested_function()
echo printf('%d',
function('len')('xxx'))
diff --git a/src/vim9compile.c b/src/vim9compile.c
index b7f590e..fb39997 100644
--- a/src/vim9compile.c
+++ b/src/vim9compile.c
@@ -822,6 +822,7 @@ compile_nested_function(exarg_T *eap, cctx_T *cctx, garray_T *lines_to_free)
int r = FAIL;
compiletype_T compile_type;
isn_T *funcref_isn = NULL;
+ lvar_T *lvar = NULL;
if (eap->forceit)
{
@@ -928,9 +929,8 @@ compile_nested_function(exarg_T *eap, cctx_T *cctx, garray_T *lines_to_free)
else
{
// Define a local variable for the function reference.
- lvar_T *lvar = reserve_local(cctx, func_name, name_end - name_start,
+ lvar = reserve_local(cctx, func_name, name_end - name_start,
TRUE, ufunc->uf_func_type);
-
if (lvar == NULL)
goto theend;
if (generate_FUNCREF(cctx, ufunc, &funcref_isn) == FAIL)
@@ -949,6 +949,9 @@ compile_nested_function(exarg_T *eap, cctx_T *cctx, garray_T *lines_to_free)
&& compile_def_function(ufunc, TRUE, compile_type, cctx) == FAIL)
{
func_ptr_unref(ufunc);
+ if (lvar != NULL)
+ // Now the local variable can't be used.
+ *lvar->lv_name = '/'; // impossible value
goto theend;
}
--
2.36.1

73
backport-CVE-2022-2874.patch Normal file
View File

@ -0,0 +1,73 @@
From 4875d6ab068f09df88d24d81de40dcd8d56e243d Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Wed, 17 Aug 2022 15:55:51 +0100
Subject: [PATCH] patch 9.0.0224: Using NULL pointer when skipping compiled
code
Problem: Using NULL pointer when skipping compiled code.
Solution: Check for skipping.
---
src/testdir/test_vim9_script.vim | 13 +++++++++++++
src/vim9compile.c | 14 ++++++++++----
2 files changed, 23 insertions(+), 4 deletions(-)
diff --git a/src/testdir/test_vim9_script.vim b/src/testdir/test_vim9_script.vim
index fc0ef15..75b3e9c 100644
--- a/src/testdir/test_vim9_script.vim
+++ b/src/testdir/test_vim9_script.vim
@@ -2097,6 +2097,19 @@ def Test_for_skipped_block()
v9.CheckDefAndScriptSuccess(lines)
enddef
+def Test_skipped_redir()
+ var lines =<< trim END
+ def T()
+ if 0
+ redir =>l[0]
+ redir END
+ endif
+ enddef
+ defcompile
+ END
+ v9.CheckScriptSuccess(lines)
+enddef
+
def Test_for_loop()
var lines =<< trim END
var result = ''
diff --git a/src/vim9compile.c b/src/vim9compile.c
index fb39997..a8fa5dc 100644
--- a/src/vim9compile.c
+++ b/src/vim9compile.c
@@ -1157,11 +1157,14 @@ generate_loadvar(
generate_LOADV(cctx, name + 2);
break;
case dest_local:
- if (lvar->lv_from_outer > 0)
- generate_LOADOUTER(cctx, lvar->lv_idx, lvar->lv_from_outer,
+ if (cctx->ctx_skip != SKIP_YES)
+ {
+ if (lvar->lv_from_outer > 0)
+ generate_LOADOUTER(cctx, lvar->lv_idx, lvar->lv_from_outer,
type);
- else
- generate_LOAD(cctx, ISN_LOAD, lvar->lv_idx, NULL, type);
+ else
+ generate_LOAD(cctx, ISN_LOAD, lvar->lv_idx, NULL, type);
+ }
break;
case dest_expr:
// list or dict value should already be on the stack.
@@ -1944,6 +1947,9 @@ compile_assign_unlet(
}
}
+ if (cctx->ctx_skip == SKIP_YES)
+ return OK;
+
// Load the dict or list. On the stack we then have:
// - value (for assignment, not for :unlet)
// - index
--
2.36.1

15
vim.spec
View File

@ -12,7 +12,7 @@
Name: vim Name: vim
Epoch: 2 Epoch: 2
Version: 9.0 Version: 9.0
Release: 5 Release: 6
Summary: Vim is a highly configurable text editor for efficiently creating and changing any kind of text. Summary: Vim is a highly configurable text editor for efficiently creating and changing any kind of text.
License: Vim and MIT License: Vim and MIT
URL: http://www.vim.org URL: http://www.vim.org
@ -46,6 +46,13 @@ Patch6015: backport-CVE-2022-2598.patch
Patch6016: backport-CVE-2022-2571.patch Patch6016: backport-CVE-2022-2571.patch
Patch6017: backport-CVE-2022-2580.patch Patch6017: backport-CVE-2022-2580.patch
Patch6018: backport-CVE-2022-2581.patch Patch6018: backport-CVE-2022-2581.patch
Patch6019: backport-CVE-2022-2819.patch
Patch6020: backport-CVE-2022-2816.patch
Patch6021: backport-CVE-2022-2817.patch
Patch6022: backport-CVE-2022-2845.patch
Patch6023: backport-CVE-2022-2849.patch
Patch6024: backport-CVE-2022-2862.patch
Patch6025: backport-CVE-2022-2874.patch
Patch9000: bugfix-rm-modify-info-version.patch Patch9000: bugfix-rm-modify-info-version.patch
@ -439,6 +446,12 @@ popd
%{_mandir}/man1/evim.* %{_mandir}/man1/evim.*
%changelog %changelog
* Thu Aug 18 2022 shixuantong <shixuantong@h-partners.com> - 2:9.0-6
- Type:CVE
- ID:CVE-2022-2816 CVE-2022-2817 CVE-2022-2819 CVE-2022-2845 CVE-2022-2849 CVE-2022-2862 CVE-2022-2874
- SUG:NA
- DESC:fix CVE-2022-2816 CVE-2022-2817 CVE-2022-2819 CVE-2022-2845 CVE-2022-2849 CVE-2022-2862 CVE-2022-2874
* Wed Aug 17 2022 wangjiang <wangjiang37@h-partners.com> - 2:9.0-5 * Wed Aug 17 2022 wangjiang <wangjiang37@h-partners.com> - 2:9.0-5
- Type:bugfix - Type:bugfix
- ID:CVE-2022-2580 CVE-2022-2581 - ID:CVE-2022-2580 CVE-2022-2581