fix CVE-2023-48232

(cherry picked from commit 43fa07e121e8732ab185e1612741b4265ce5e7f9)
2024-07-12 11:43:51 +08:00 · 2024-07-12 11:43:51 +08:00 · c9b3e054f6
commit c9b3e054f6
parent d46c9d9fcc
9 changed files with 78 additions and 8 deletions
--- a/backport-patch-9.0.2106-Use-after-free-in-win_close.patch
+++ b/backport-patch-9.0.2106-Use-after-free-in-win_close.patch
--- a/backport-CVE-2023-48232.patch
+++ b/backport-CVE-2023-48232.patch
@ -0,0 +1,63 @@
+From cb0b99f0672d8446585d26e998343dceca17d1ce Mon Sep 17 00:00:00 2001
+From: Christian Brabandt <cb@256bit.org>
+Date: Tue, 14 Nov 2023 20:05:59 +0100
+Subject: [PATCH] patch 9.0.2107: [security]: FPE in adjust_plines_for_skipcol
+
+Problem:  [security]: FPE in adjust_plines_for_skipcol
+Solution: don't divide by zero, return zero
+
+Prevent a floating point exception when calculating w_skipcol (which can
+happen with a small window when the number option is set and cpo+=n).
+
+Add a test to verify
+
+Signed-off-by: Christian Brabandt <cb@256bit.org>
+---
+ src/move.c                      |  5 +++--
+ src/testdir/test_scroll_opt.vim | 19 +++++++++++++++++++
+ 2 files changed, 22 insertions(+), 2 deletions(-)
+
+diff --git a/src/move.c b/src/move.c
+index ce06dc3394689..fbb352a32e15a 100644
+--- a/src/move.c
+++ b/src/move.c
+@@ -45,8 +45,9 @@ adjust_plines_for_skipcol(win_T *wp)
+ 	return 0;
+ 
+     int width = wp->w_width - win_col_off(wp);
+-    if (wp->w_skipcol >= width)
+-	return (wp->w_skipcol - width) / (width + win_col_off2(wp)) + 1;
+    int w2 = width + win_col_off2(wp);
+    if (wp->w_skipcol >= width && w2 > 0)
+	return (wp->w_skipcol - width) / w2 + 1;
+ 
+     return 0;
+ }
+diff --git a/src/testdir/test_scroll_opt.vim b/src/testdir/test_scroll_opt.vim
+index d5d08a24c20d4..342d382c20a5a 100644
+--- a/src/testdir/test_scroll_opt.vim
+++ b/src/testdir/test_scroll_opt.vim
+@@ -926,4 +926,23 @@ func Test_smoothscroll_cursor_top()
+   call StopVimInTerminal(buf)
+ endfunc
+ 
+" Division by zero, shouldn't crash
+func Test_smoothscroll_crash()
+  CheckScreendump
+
+  let lines =<< trim END
+      20 new
+      vsp
+      put =repeat('aaaa', 20)
+      set nu fdc=1  smoothscroll cpo+=n
+      vert resize 0
+      exe "norm! 0\<c-e>"
+  END
+  call writefile(lines, 'XSmoothScrollCrash', 'D')
+  let buf = RunVimInTerminal('-u NONE -S XSmoothScrollCrash', #{rows: 12, cols:40})
+  call term_sendkeys(buf, "2\<C-E>\<C-L>")
+
+  call StopVimInTerminal(buf)
+endfunc
+
+ " vim: shiftwidth=2 sts=2 expandtab
--- a/bugfix-security-overflow-with-count-for-s-command.patch
+++ b/bugfix-security-overflow-with-count-for-s-command.patch
--- a/backport-patch-9.0.2109-overflow-in-nv_z_get_count.patch
+++ b/backport-patch-9.0.2109-overflow-in-nv_z_get_count.patch
--- a/backport-patch-9.0.2110-overflow-in-ex-address-parsing.patch
+++ b/backport-patch-9.0.2110-overflow-in-ex-address-parsing.patch
--- a/backport-patch-9.0.2111-overflow-in-get_number.patch
+++ b/backport-patch-9.0.2111-overflow-in-get_number.patch
--- a/backport-patch-9.0.2112-overflow-in-shift_line.patch
+++ b/backport-patch-9.0.2112-overflow-in-shift_line.patch
--- a/backport-patch-9.0.2121-use-after-free-in-ex_substitute.patch
+++ b/backport-patch-9.0.2121-use-after-free-in-ex_substitute.patch
--- a/vim.spec
+++ b/vim.spec
@ -14,7 +14,7 @@
 Name:           vim
 Epoch:          2
 Version:        %{baseversion}.%{patchlevel}
-Release:        5
+Release:        6
 Summary:        Vim is a highly configurable text editor for efficiently creating and changing any kind of text.
 License:        Vim and MIT
 URL:            http://www.vim.org
@ -30,17 +30,18 @@ Patch0004:      vim-8.0-copy-paste.patch
 Patch0005:      vim-python3-tests.patch


-Patch6000:      bugfix-security-overflow-with-count-for-s-command.patch
-Patch6001:      backport-patch-9.0.2106-Use-after-free-in-win_close.patch
-Patch6002:      backport-patch-9.0.2109-overflow-in-nv_z_get_count.patch
-Patch6003:      backport-patch-9.0.2110-overflow-in-ex-address-parsing.patch
-Patch6004:      backport-patch-9.0.2111-overflow-in-get_number.patch
-Patch6005:      backport-patch-9.0.2112-overflow-in-shift_line.patch
+Patch6000:      backport-CVE-2023-48233.patch
+Patch6001:      backport-CVE-2023-48231.patch
+Patch6002:      backport-CVE-2023-48234.patch
+Patch6003:      backport-CVE-2023-48235.patch
+Patch6004:      backport-CVE-2023-48236.patch
+Patch6005:      backport-CVE-2023-48237.patch
 Patch6006:      backport-patch-9.0.2114-overflow-detection-not-accurate-when-adding.patch
-Patch6007:      backport-patch-9.0.2121-use-after-free-in-ex_substitute.patch
+Patch6007:      backport-CVE-2023-48706.patch
 Patch6008:      backport-patch-9.0.2123-Problem-with-initializing-the-length-of-range-lists.patch
 Patch6009:      backport-vim-7.0-rclocation.patch
 Patch6010:      backport-CVE-2024-22667.patch
+Patch6011:      backport-CVE-2023-48232.patch

 Patch9000:      bugfix-rm-modify-info-version.patch

@ -448,6 +449,12 @@ LC_ALL=en_US.UTF-8 make -j1 test || echo "Warning: Please check tests."
 %{_mandir}/man1/evim.*

 %changelog
+* Fri Jul 12 2024 wangjiang <wangjiang37@h-partners.com> - 2:9.0.2092-6
+- Type:CVE
+- ID:CVE-2023-48232
+- SUG:NA
+- DESC:fix CVE-2023-48232
+
 * Mon Jul 08 2024 wangjiang <wangjiang37@h-partners.com> - 2:9.0.2092-5
 - Type:CVE
 - ID:CVE-2024-22667