!430 fix CVE-2022-3705

From: @wangjiang37 Reviewed-by: @xiezhipeng1 Signed-off-by: @xiezhipeng1
2022-11-02 01:33:30 +00:00 · 2022-11-02 01:33:30 +00:00 · 73f01bfb0f
commit 73f01bfb0f
parent 0c3db09f8a 67228ec1ea
2 changed files with 80 additions and 1 deletions
--- a/backport-CVE-2022-3705.patch
+++ b/backport-CVE-2022-3705.patch
@ -0,0 +1,72 @@
+From d0fab10ed2a86698937e3c3fed2f10bd9bb5e731 Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Thu, 20 Oct 2022 16:03:33 +0100
+Subject: [PATCH] patch 9.0.0805: filetype autocmd may cause freed memory
+ access
+
+Problem:    Filetype autocmd may cause freed memory access.
+Solution:   Set the quickfix-busy flag while filling the buffer.
+---
+ src/quickfix.c                |  6 ++++++
+ src/testdir/test_quickfix.vim | 16 ++++++++++++++++
+ 2 files changed, 22 insertions(+)
+
+diff --git a/src/quickfix.c b/src/quickfix.c
+index a90611475ab1..f85fff56f23d 100644
+--- a/src/quickfix.c
+++ b/src/quickfix.c
+@@ -4543,6 +4543,9 @@ qf_update_buffer(qf_info_T *qi, qfline_T *old_last)
+ 	    qf_winid = win->w_id;
+ 	}
+ 
+	// autocommands may cause trouble
+	incr_quickfix_busy();
+
+ 	if (old_last == NULL)
+ 	    // set curwin/curbuf to buf and save a few things
+ 	    aucmd_prepbuf(&aco, buf);
+@@ -4564,6 +4567,9 @@ qf_update_buffer(qf_info_T *qi, qfline_T *old_last)
+ 	// when the added lines are not visible.
+ 	if ((win = qf_find_win(qi)) != NULL && old_line_count < win->w_botline)
+ 	    redraw_buf_later(buf, NOT_VALID);
+
+	// always called after incr_quickfix_busy()
+	decr_quickfix_busy();
+     }
+ }
+ 
+diff --git a/src/testdir/test_quickfix.vim b/src/testdir/test_quickfix.vim
+index 2ee754b39690..bcaef5da175c 100644
+--- a/src/testdir/test_quickfix.vim
+++ b/src/testdir/test_quickfix.vim
+@@ -3471,6 +3471,21 @@ func Test_resize_from_copen()
+   endtry
+ endfunc
+ 
+func Test_filetype_autocmd()
+  " this changes the location list while it is in use to fill a buffer
+  lexpr ''
+  lopen
+  augroup FT_loclist
+    au FileType * call setloclist(0, [], 'f')
+  augroup END
+  silent! lolder
+  lexpr ''
+
+  augroup FT_loclist
+    au! FileType
+  augroup END
+endfunc
+
+ func Test_vimgrep_with_textlock()
+   new
+ 
+@@ -6380,4 +6395,5 @@ func Test_loclist_replace_autocmd()
+   call setloclist(0, [], 'f')
+ endfunc
+ 
+
+ " vim: shiftwidth=2 sts=2 expandtab
+-- 
+2.33.0
+
--- a/vim.spec
+++ b/vim.spec
@ -12,7 +12,7 @@
 Name:           vim
 Epoch:          2
 Version:        9.0
-Release:        19
+Release:        20
 Summary:        Vim is a highly configurable text editor for efficiently creating and changing any kind of text.
 License:        Vim and MIT
 URL:            http://www.vim.org
@ -73,6 +73,7 @@ Patch6042:      backport-CVE-2022-3278.patch
 Patch6043:      backport-CVE-2022-3297.patch
 Patch6044:      backport-9.0.0581-adding-a-character-for-incsearch-fails-at-end-of-line.patch
 Patch6045:      backport-CVE-2022-3324.patch
+Patch6046:      backport-CVE-2022-3705.patch

 Patch9000:      bugfix-rm-modify-info-version.patch

@ -472,6 +473,12 @@ LC_ALL=en_US.UTF-8 make -j1 test
 %{_mandir}/man1/evim.*

 %changelog
+* Tue Nov 01 2022 wangjiang <wangjiang37@h-partners.com> - 2:9.0-20
+- Type:CVE
+- ID:CVE-2022-3705
+- SUG:NA
+- DESC:fix CVE-2022-3705
+
 * Mon Oct 17 2022 dongyuzhen <dongyuzhen@h-partners.com> - 2:9.0-19
 - Type:CVE
 - ID:CVE-2022-3278 CVE-2022-3297 CVE-2022-3324