fix CVE-2022-2598 CVE-2022-2571

2022-08-02 10:50:05 +08:00 · 2022-08-02 10:50:05 +08:00 · c35d8e69ae
commit c35d8e69ae
parent 079f0ce79c
3 changed files with 123 additions and 1 deletions
--- a/backport-CVE-2022-2571.patch
+++ b/backport-CVE-2022-2571.patch
@ -0,0 +1,47 @@
+From a6f9e300161f4cb54713da22f65b261595e8e614 Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Thu, 28 Jul 2022 21:51:37 +0100
+Subject: [PATCH] patch 9.0.0102: reading past end of line with insert mode
+ completion
+
+Problem:    Reading past end of line with insert mode completion.
+Solution:   Check text length.
+---
+ src/insexpand.c                   | 2 +-
+ src/testdir/test_ins_complete.vim | 8 ++++++++
+ 2 files changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/src/insexpand.c b/src/insexpand.c
+index 7339ce9..fc3eff0 100644
+--- a/src/insexpand.c
+++ b/src/insexpand.c
+@@ -3501,7 +3501,7 @@ ins_comp_get_next_word_or_line(
+     {
+ 	char_u	*tmp_ptr = ptr;
+ 
+-	if (compl_status_adding())
+	if (compl_status_adding() && compl_length <= (int)STRLEN(tmp_ptr))
+ 	{
+ 	    tmp_ptr += compl_length;
+ 	    // Skip if already inside a word.
+diff --git a/src/testdir/test_ins_complete.vim b/src/testdir/test_ins_complete.vim
+index 35c5785..2b0a294 100644
+--- a/src/testdir/test_ins_complete.vim
+++ b/src/testdir/test_ins_complete.vim
+@@ -2142,5 +2142,13 @@ func Test_ins_complete_add()
+   bwipe!
+ endfunc
+ 
+func Test_ins_complete_end_of_line()
+  " this was reading past the end of the line
+  new  
+  norm 8oý 
+  sil! norm o
+
+  bwipe!
+endfunc
+ 
+ " vim: shiftwidth=2 sts=2 expandtab
+-- 
+1.8.3.1
+
--- a/backport-CVE-2022-2598.patch
+++ b/backport-CVE-2022-2598.patch
@ -0,0 +1,67 @@
+From 4e677b9c40ccbc5f090971b31dc2fe07bf05541d Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Thu, 28 Jul 2022 18:44:27 +0100
+Subject: [PATCH] patch 9.0.0101: invalid memory access in diff mode with "dp"
+ and undo
+
+Problem:    Invalid memory access in diff mode with "dp" and undo.
+Solution:   Make sure the line number does not go below one.
+---
+ src/diff.c                    |  9 ++++++---
+ src/testdir/test_diffmode.vim | 14 ++++++++++++++
+ 2 files changed, 20 insertions(+), 3 deletions(-)
+
+diff --git a/src/diff.c b/src/diff.c
+index e4bafe2..fb43eee 100644
+--- a/src/diff.c
+++ b/src/diff.c
+@@ -464,7 +464,10 @@ diff_mark_adjust_tp(
+ 		    for (i = 0; i < DB_COUNT; ++i)
+ 			if (tp->tp_diffbuf[i] != NULL && i != idx)
+ 			{
+-			    dp->df_lnum[i] -= off;
+			    if (dp->df_lnum[i] > off)
+				dp->df_lnum[i] -= off;
+			    else
+				dp->df_lnum[i] = 1;
+ 			    dp->df_count[i] += n;
+ 			}
+ 		}
+@@ -2863,8 +2866,8 @@ ex_diffgetput(exarg_T *eap)
+ 	    {
+ 		// remember deleting the last line of the buffer
+ 		buf_empty = curbuf->b_ml.ml_line_count == 1;
+-		ml_delete(lnum);
+-		--added;
+		if (ml_delete(lnum) == OK)
+		    --added;
+ 	    }
+ 	    for (i = 0; i < dp->df_count[idx_from] - start_skip - end_skip; ++i)
+ 	    {
+diff --git a/src/testdir/test_diffmode.vim b/src/testdir/test_diffmode.vim
+index dcacd55..41f7fe3 100644
+--- a/src/testdir/test_diffmode.vim
+++ b/src/testdir/test_diffmode.vim
+@@ -1628,5 +1628,19 @@ func Test_diff_manipulations()
+   %bwipe!
+ endfunc
+ 
+" This was causing the line number in the diff block to go below one.
+" FIXME: somehow this causes a valgrind error when run directly but not when
+" run as a test.
+func Test_diff_put_and_undo()
+  set diff
+  next 0
+  split 00
+  sil! norm o0gguudpo0ggJuudp
+
+  bwipe!
+  bwipe!
+  set nodiff
+endfunc
+
+ 
+ " vim: shiftwidth=2 sts=2 expandtab
+-- 
+1.8.3.1
+
--- a/vim.spec
+++ b/vim.spec
@ -12,7 +12,7 @@
 Name:           vim
 Epoch:          2
 Version:        9.0
-Release:        2
+Release:        3
 Summary:        Vim is a highly configurable text editor for efficiently creating and changing any kind of text.
 License:        Vim and MIT
 URL:            http://www.vim.org
@ -42,6 +42,8 @@ Patch6011:      backport-CVE-2022-2344.patch
 Patch6012:      backport-CVE-2022-2345.patch
 Patch6013:      backport-patch-9.0.0054-compiler-warning-for-size_t-to-int-co.patch
 Patch6014:      backport-CVE-2022-2522.patch
+Patch6015:      backport-CVE-2022-2598.patch
+Patch6016:      backport-CVE-2022-2571.patch

 Patch9000:      bugfix-rm-modify-info-version.patch

@ -434,6 +436,12 @@ popd
 %{_mandir}/man1/evim.*

 %changelog
+* Tue Aug 02 2022 shixuantong <shixuantong@h-partners.com> - 2:9.0-3
+- Type:CVE
+- ID:CVE-2022-2598 CVE-2022-2571
+- SUG:NA
+- DESC:fix CVE-2022-2598 CVE-2022-2571
+
 * Sat Jul 30 2022 shixuantong <shixuantong@h-partners.com> - 2:9.0-2
 - Type:CVE
 - ID:CVE-2022-2257 CVE-2022-2264 CVE-2022-2284 CVE-2022-2285 CVE-2022-2286 CVE-2022-2287 CVE-2022-2288 CVE-2022-2289 CVE-2022-2304 CVE-2022-2343 CVE-2022-2344 CVE-2022-2345 CVE-2022-2522