fix CVE-2022-3256

This commit is contained in:
dongyuzhen 2022-09-23 14:46:56 +08:00
parent 1401b5fad3
commit 9c21b94d0c
2 changed files with 74 additions and 1 deletions


@ -0,0 +1,66 @@
From 8ecfa2c56b4992c7f067b92488aa9acea5a454ad Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Wed, 21 Sep 2022 13:07:22 +0100
Subject: [PATCH] patch 9.0.0530: using freed memory when autocmd changes mark
Problem: Using freed memory when autocmd changes mark.
Solution: Copy the mark before editing another buffer.
---
src/mark.c | 12 +++++++-----
src/testdir/test_marks.vim | 13 +++++++++++++
2 files changed, 20 insertions(+), 5 deletions(-)
diff --git a/src/mark.c b/src/mark.c
index ade5a10..584db03 100644
--- a/src/mark.c
+++ b/src/mark.c
@@ -221,17 +221,19 @@ movemark(int count)
fname2fnum(jmp);
if (jmp->fmark.fnum != curbuf->b_fnum)
{
- // jump to other file
- if (buflist_findnr(jmp->fmark.fnum) == NULL)
+ // Make a copy, an autocommand may make "jmp" invalid.
+ fmark_T fmark = jmp->fmark;
+
+ // jump to the file with the mark
+ if (buflist_findnr(fmark.fnum) == NULL)
{ // Skip this one ..
count += count < 0 ? -1 : 1;
continue;
}
- if (buflist_getfile(jmp->fmark.fnum, jmp->fmark.mark.lnum,
- 0, FALSE) == FAIL)
+ if (buflist_getfile(fmark.fnum, fmark.mark.lnum, 0, FALSE) == FAIL)
return (pos_T *)NULL;
// Set lnum again, autocommands my have changed it
- curwin->w_cursor = jmp->fmark.mark;
+ curwin->w_cursor = fmark.mark;
pos = (pos_T *)-1;
}
else
diff --git a/src/testdir/test_marks.vim b/src/testdir/test_marks.vim
index 12501a3..20fb304 100644
--- a/src/testdir/test_marks.vim
+++ b/src/testdir/test_marks.vim
@@ -305,4 +305,17 @@ func Test_getmarklist()
close!
endfunc
+" This was using freed memory
+func Test_jump_mark_autocmd()
+ next 00
+ edit 0
+ sargument
+ au BufEnter 0 all
+ sil norm 
+
+ au! BufEnter
+ bwipe!
+endfunc
+
+
" vim: shiftwidth=2 sts=2 expandtab
--
2.27.0
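Review bot: The regression test line `sil norm ` in `Test_jump_mark_autocmd` (right after `au BufEnter 0 all`) shows no key after `norm`, so as displayed the test runs nothing and would pass without ever taking the jump-to-other-file path that the mark.c change fixes. This may just be the page rendering dropping a non-printable control byte, but a patch file that loses that byte in transit silently turns the CVE regression test into a no-op; verify with a byte-level dump of backport-CVE-2022-3256.patch that the key is present, and consider spelling it as `exe "sil norm \<Key>"` (Key being the intended control key, confirmed against upstream test_marks.vim) so the patch carries no raw control character. The mark.c hunk itself reads correctly: `fmark` is copied before `buflist_getfile()`, so the later `curwin->w_cursor = fmark.mark` no longer dereferences `jmp` after autocommands may have freed it. The `else` branch that follows and the rest of `movemark` are outside the hunk, so whether `jmp` is still dereferenced on that path cannot be checked here.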


@ -12,7 +12,7 @@
Name: vim
Epoch: 2
Version: 9.0
Release: 15
Release: 16
Summary: Vim is a highly configurable text editor for efficiently creating and changing any kind of text.
License: Vim and MIT
URL: http://www.vim.org
@ -65,6 +65,7 @@ Patch6034: backport-CVE-2022-3134.patch
Patch6035: backport-CVE-2022-3153.patch
Patch6036: backport-CVE-2022-3234.patch
Patch6037: backport-CVE-2022-3235.patch
Patch6038: backport-CVE-2022-3256.patch
Patch9000: bugfix-rm-modify-info-version.patch
@ -463,6 +464,12 @@ LC_ALL=en_US.UTF-8 make -j1 test
%{_mandir}/man1/evim.*
%changelog
* Fri Sep 23 2022 dongyuzhen <dongyuzhen@h-partners.com> - 2:9.0-16
- Type:CVE
- ID:CVE-2022-3256
- SUG:NA
- DESC:fix CVE-2022-3256
* Mon Sep 19 2022 dongyuzhen <dongyuzhen@h-partners.com> - 2:9.0-15
- Type:CVE
- ID:CVE-2022-3234 CVE-2022-3235