fix CVE-2022-1771

2022-06-21 14:49:42 +08:00 · 2022-06-21 14:49:42 +08:00 · b8180db820
commit b8180db820
parent 05679aa719
2 changed files with 104 additions and 1 deletions
--- a/backport-CVE-2022-1771.patch
+++ b/backport-CVE-2022-1771.patch
@ -0,0 +1,96 @@
+From 51f0bfb88a3554ca2dde777d78a59880d1ee37a8 Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Tue, 17 May 2022 20:11:02 +0100
+Subject: [PATCH] patch 8.2.4975: recursive command line loop may cause a crash
+ 
+Problem:    Recursive command line loop may cause a crash.
+Solution:   Limit recursion of getcmdline().
+ 
+Reference:https://github.com/vim/vim/commit/51f0bfb88a3554ca2dde777d78a59880d1ee37a8
+Conflict:(1)The src/version.c file is not modified
+(2)add e_command_too_recursive in src/globals.h
+---
+ src/ex_getln.c               | 12 ++++++++++++
+ src/globals.h                |  3 +++
+ src/testdir/test_cmdline.vim | 12 ++++++++++++
+ 3 files changed, 27 insertions(+)
+
+diff --git a/src/ex_getln.c b/src/ex_getln.c
+index 771a9cd..e935f78 100644
+--- a/src/ex_getln.c
+++ b/src/ex_getln.c
+@@ -791,6 +791,7 @@ getcmdline_int(
+     int		indent,		// indent for inside conditionals
+     int		init_ccline)	// clear ccline first
+ {
+    static int	depth = 0;	    // call depth
+     int		c;
+     int		i;
+     int		j;
+@@ -820,6 +821,9 @@ getcmdline_int(
+     int		did_save_ccline = FALSE;
+     int		cmdline_type;
+ 
+    // one recursion level deeper
+    ++depth;
+
+     if (ccline.cmdbuff != NULL)
+     {
+ 	// Being called recursively.  Since ccline is global, we need to save
+@@ -873,6 +877,13 @@ getcmdline_int(
+ 	ccline.cmdlen = indent;
+     }
+ 
+    if (depth == 50)
+    {
+	// Somehow got into a loop recursively calling getcmdline(), bail out.
+	emsg(_(e_command_too_recursive));
+	goto theend;
+    }
+
+     ExpandInit(&xpc);
+     ccline.xpc = &xpc;
+ 
+@@ -2425,6 +2436,7 @@ theend:
+     {
+ 	char_u *p = ccline.cmdbuff;
+ 
+	--depth;
+ 	if (did_save_ccline)
+ 	    restore_cmdline(&save_ccline);
+ 	else
+diff --git a/src/globals.h b/src/globals.h
+index 44162d4..e9c88ed 100644
+--- a/src/globals.h
+++ b/src/globals.h
+@@ -1747,3 +1747,6 @@ EXTERN int did_repeated_msg INIT(= 0);
+ EXTERN char e_illegal_character_in_word[]
+        INIT(= N_("E1280: Illegal character in word"));
+ #endif
+
+EXTERN char e_command_too_recursive[]
+	INIT(= N_("E169: Command too recursive"));
+diff --git a/src/testdir/test_cmdline.vim b/src/testdir/test_cmdline.vim
+index 1ccdbe2..b76b7f3 100644
+--- a/src/testdir/test_cmdline.vim
+++ b/src/testdir/test_cmdline.vim
+@@ -903,4 +903,16 @@ func Test_report_error_with_composing()
+   call assert_equal('yes', caught)
+ endfunc
+ 
+func Test_recursive_register()
+  let @= = ''
+  silent! ?e/
+  let caught = 'no'
+  try
+    normal // 
+  catch /E169:/
+    let caught = 'yes'
+  endtry
+  call assert_equal('yes', caught)
+endfunc
+
+ " vim: shiftwidth=2 sts=2 expandtab
+-- 
+2.27.0
+
--- a/vim.spec
+++ b/vim.spec
@ -12,7 +12,7 @@
 Name:           vim
 Epoch:          2
 Version:        8.2
-Release:        37
+Release:        38
 Summary:        Vim is a highly configurable text editor for efficiently creating and changing any kind of text.
 License:        Vim and MIT
 URL:            http://www.vim.org
@ -108,6 +108,7 @@ Patch6071:      backport-command-line-editing-not-sufficiently-tested.patch
 Patch6072:      backport-CVE-2022-1619.patch
 Patch6073:      backport-CVE-2022-1733.patch
 Patch6074:      backport-CVE-2022-1735.patch
+Patch6075:      backport-CVE-2022-1771.patch

 Patch9000:      bugfix-rm-modify-info-version.patch

@ -496,6 +497,12 @@ popd
 %{_mandir}/man1/evim.*

 %changelog
+* Tue Jun 21 2022 dongyuzhen <dongyuzhen@h-partners.com> - 2:8.2-38
+- Type:CVE
+- ID:CVE-2022-1771
+- SUG:NA
+- DESC:fix CVE-2022-1771
+
 * Tue May 31 2022 shixuantong <shixuantong@h-partners.com> - 2:8.2-37
 - Type:CVE
 - ID:CVE-2022-1733 CVE-2022-1735