[security]: overflow with count for :s command

2024-05-10 11:34:36 +08:00 · 2024-05-10 11:34:36 +08:00 · 66afec4d3c
commit 66afec4d3c
parent 67e5cc494d
2 changed files with 120 additions and 1 deletions
--- a/bugfix-security-overflow-with-count-for-s-command.patch
+++ b/bugfix-security-overflow-with-count-for-s-command.patch
@ -0,0 +1,112 @@
+From ac63787734fda2e294e477af52b3bd601517fa78 Mon Sep 17 00:00:00 2001
+From: Christian Brabandt <cb@256bit.org>
+Date: Tue, 14 Nov 2023 20:45:48 +0100
+Subject: [PATCH] patch 9.0.2108: [security]: overflow with count for :s
+ command
+
+Problem:  [security]: overflow with count for :s command
+Solution: Abort the :s command if the count is too large
+
+If the count after the :s command is larger than what fits into a
+(signed) long variable, abort with e_value_too_large.
+
+Adds a test with INT_MAX as count and verify it correctly fails.
+
+It seems the return value on Windows using mingw compiler wraps around,
+so the initial test using :s/./b/9999999999999999999999999990 doesn't
+fail there, since the count is wrapping around several times and finally
+is no longer larger than 2147483647. So let's just use 2147483647 in the
+test, which hopefully will always cause a failure
+
+---
+ runtime/doc/change.txt          | 8 ++++----
+ runtime/doc/cmdline.txt         | 3 ++-
+ runtime/doc/tags                | 1 +
+ src/ex_cmds.c                   | 7 +++++++
+ src/testdir/test_substitute.vim | 1 +
+ 5 files changed, 15 insertions(+), 5 deletions(-)
+
+diff --git a/runtime/doc/change.txt b/runtime/doc/change.txt
+index 65da9a7..dccaa44 100644
+--- a/runtime/doc/change.txt
+++ b/runtime/doc/change.txt
+@@ -1,4 +1,4 @@
+-*change.txt*    For Vim version 9.0.  Last change: 2023 Sep 19
+*change.txt*    For Vim version 9.0.  Last change: 2023 Nov 15
+ 
+ 
+ 		  VIM REFERENCE MANUAL    by Bram Moolenaar
+@@ -644,9 +644,9 @@ For other systems the tmpnam() library function is used.
+ 			current line only.  When [count] is given, replace in
+ 			[count] lines, starting with the last line in [range].
+ 			When [range] is omitted start in the current line.
+-							*E939*
+-			[count] must be a positive number.  Also see
+-			|cmdline-ranges|.
+							*E939* *E1510*
+			[count] must be a positive number (max 2147483647)
+			Also see |cmdline-ranges|.
+ 
+ 			See |:s_flags| for [flags].
+ 			The delimiter doesn't need to be /, see
+diff --git a/runtime/doc/cmdline.txt b/runtime/doc/cmdline.txt
+index c5d0096..cbcf0ad 100644
+--- a/runtime/doc/cmdline.txt
+++ b/runtime/doc/cmdline.txt
+@@ -1,4 +1,4 @@
+-*cmdline.txt*   For Vim version 9.0.  Last change: 2023 May 20
+*cmdline.txt*   For Vim version 9.0.  Last change: 2023 Nov 15
+ 
+ 
+ 		  VIM REFERENCE MANUAL    by Bram Moolenaar
+@@ -362,6 +362,7 @@ terminals)
+ 		A positive number represents the absolute index of an entry
+ 		as it is given in the first column of a :history listing.
+ 		This number remains fixed even if other entries are deleted.
+		(see |E1510|)
+ 
+ 		A negative number means the relative position of an entry,
+ 		counted from the newest entry (which has index -1) backwards.
+diff --git a/runtime/doc/tags b/runtime/doc/tags
+index f450288..b5b2a97 100644
+--- a/runtime/doc/tags
+++ b/runtime/doc/tags
+@@ -4514,6 +4514,7 @@ E1507	builtin.txt	/*E1507*
+ E1508	editing.txt	/*E1508*
+ E1509	editing.txt	/*E1509*
+ E151	helphelp.txt	/*E151*
+E1510	change.txt	/*E1510*
+ E152	helphelp.txt	/*E152*
+ E153	helphelp.txt	/*E153*
+ E154	helphelp.txt	/*E154*
+diff --git a/src/ex_cmds.c b/src/ex_cmds.c
+index 3544092..c5f912e 100644
+--- a/src/ex_cmds.c
+++ b/src/ex_cmds.c
+@@ -3993,6 +3993,13 @@ ex_substitute(exarg_T *eap)
+ 	    emsg(_(e_positive_count_required));
+ 	    return;
+ 	}
+	else if (i >= INT_MAX)
+	{
+	    char	buf[20];
+	    vim_snprintf(buf, sizeof(buf), "%ld", i);
+	    semsg(_(e_val_too_large), buf);
+	    return;
+	}
+ 	eap->line1 = eap->line2;
+ 	eap->line2 += i - 1;
+ 	if (eap->line2 > curbuf->b_ml.ml_line_count)
+diff --git a/src/testdir/test_substitute.vim b/src/testdir/test_substitute.vim
+index b99d0e0..3ed1597 100644
+--- a/src/testdir/test_substitute.vim
+++ b/src/testdir/test_substitute.vim
+@@ -206,6 +206,7 @@ func Test_substitute_count()
+   call assert_equal(['foo foo', 'foo foo', 'foo foo', 'bar foo', 'bar foo'],
+         \           getline(1, '$'))
+ 
+  call assert_fails('s/./b/2147483647', 'E1510:')
+   bwipe!
+ endfunc
+
+-- 
--- a/vim.spec
+++ b/vim.spec
@ -14,7 +14,7 @@
 Name:           vim
 Epoch:          2
 Version:        %{baseversion}.%{patchlevel}
-Release:        1
+Release:        2
 Summary:        Vim is a highly configurable text editor for efficiently creating and changing any kind of text.
 License:        Vim and MIT
 URL:            http://www.vim.org
@ -28,6 +28,7 @@ Patch0006:      vim-7.4-fstabsyntax.patch
 Patch0009:      vim-7.4-globalsyntax.patch
 Patch0011:      vim-8.0-copy-paste.patch
 Patch0012:      vim-python3-tests.patch
+Patch0013:      bugfix-security-overflow-with-count-for-s-command.patch

 Patch9000:      bugfix-rm-modify-info-version.patch

@ -435,6 +436,12 @@ LC_ALL=en_US.UTF-8 make -j1 test || echo "Warning: Please check tests."
 %{_mandir}/man1/evim.*

 %changelog
+* Wed May 08 2024 yinyongkang <yinyongkang@kylinos.cn>  - 2:9.0.2092-2
+- Type:bugfix
+- ID:NA
+- SUG:NA
+- DESC: overflow with count for :s command
+
 * Sun Feb 04 2024 wangjiang <wangjiang37@h-partners.com> - 2:9.0.2092-1
 - Type:enhancement
 - ID:NA