packages/vim
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

CVE-2022-2257 CVE-2022-2264 CVE-2022-2284 CVE-2022-2285 CVE-2022-2286 CVE-2022-2287 CVE-2022-2288 CVE-2022-2289 CVE-2022-2304 CVE-2022-2343 CVE-2022-2344 CVE-2022-2345 CVE-2022-2522

Browse Source
This commit is contained in:
shixuantong 2022-07-30 14:12:30 +08:00
parent 5e952e933f
commit cd06045448
16 changed files with 1018 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

53
backport-CVE-2022-2257.patch Normal file
View File

@ -0,0 +1,53 @@
From 083692d598139228e101b8c521aaef7bcf256e9a Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Wed, 29 Jun 2022 21:16:58 +0100
Subject: [PATCH] patch 9.0.0009: going past the end of a menu item with only
modifier
Problem: Going past the end of a menu item with only modifier.
Solution: Check for NUL.
---
src/message.c | 4 ++--
src/testdir/test_menu.vim | 13 +++++++++++++
2 files changed, 15 insertions(+), 2 deletions(-)
diff --git a/src/message.c b/src/message.c
index 02380e9..becb280 100644
--- a/src/message.c
+++ b/src/message.c
@@ -1820,8 +1820,8 @@ str2special(
*sp = str + 1;
}
else
- // single-byte character or illegal byte
- *sp = str + 1;
+ // single-byte character, NUL or illegal byte
+ *sp = str + (*str == NUL ? 0 : 1);
// Make special keys and C0 control characters in <> form, also <M-Space>.
// Use <Space> only for lhs of a mapping.
diff --git a/src/testdir/test_menu.vim b/src/testdir/test_menu.vim
index c867162..df717cc 100644
--- a/src/testdir/test_menu.vim
+++ b/src/testdir/test_menu.vim
@@ -528,4 +528,17 @@ func Test_tmenu()
tunmenu Test
endfunc
+func Test_only_modifier()
+ exe "tmenu a.b \x80\xfc0"
+ let exp =<< trim [TEXT]
+ --- Menus ---
+ 500 a
+ 500 b
+ t - <T-2-^@>
+ [TEXT]
+ call assert_equal(exp, split(execute('tmenu'), "\n"))
+
+ tunmenu a.b
+endfunc
+
" vim: shiftwidth=2 sts=2 expandtab
--
1.8.3.1

51
backport-CVE-2022-2264.patch Normal file
View File

@ -0,0 +1,51 @@
From d25f003342aca9889067f2e839963dfeccf1fe05 Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Thu, 30 Jun 2022 12:30:19 +0100
Subject: [PATCH] patch 9.0.0011: reading beyond the end of the line with put
command
Problem: Reading beyond the end of the line with put command.
Solution: Adjust the end mark position.
---
src/register.c | 2 ++
src/testdir/test_put.vim | 12 ++++++++++++
2 files changed, 14 insertions(+)
diff --git a/src/register.c b/src/register.c
index 93860ba..30e2001 100644
--- a/src/register.c
+++ b/src/register.c
@@ -1918,6 +1918,8 @@ do_put(
vim_memset(ptr, ' ', (size_t)spaces);
ptr += spaces;
}
+ else
+ totlen -= spaces; // didn't use these spaces
}
// may insert some spaces after the new text
diff --git a/src/testdir/test_put.vim b/src/testdir/test_put.vim
index aa5aa2b..66438bd 100644
--- a/src/testdir/test_put.vim
+++ b/src/testdir/test_put.vim
@@ -219,5 +219,17 @@ func Test_put_empty_register()
bwipe!
endfunc
+" this was putting the end mark after the end of the line
+func Test_put_visual_mode()
+ edit! SomeNewBuffer
+ set selection=exclusive
+ exe "norm o\t"
+ m0
+ sil! norm  p p
+
+ bwipe!
+ set selection&
+endfunc
+
" vim: shiftwidth=2 sts=2 expandtab
--
1.8.3.1

51
backport-CVE-2022-2284.patch Normal file
View File

@ -0,0 +1,51 @@
From 3d51ce18ab1be4f9f6061568a4e7fabf00b21794 Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Fri, 1 Jul 2022 15:26:15 +0100
Subject: [PATCH] patch 9.0.0017: accessing memory beyond the end of the
line
Problem: Accessing memory beyond the end of the line.
Solution: Stop Visual mode when closing a window.
---
src/testdir/test_visual.vim | 12 ++++++++++++
src/window.c | 2 ++
2 files changed, 14 insertions(+)
diff --git a/src/testdir/test_visual.vim b/src/testdir/test_visual.vim
index c323062..e965266 100644
--- a/src/testdir/test_visual.vim
+++ b/src/testdir/test_visual.vim
@@ -1469,5 +1469,17 @@ func Test_visual_paste_clipboard()
bwipe!
endfunc
+func Test_visual_area_adjusted_when_hiding()
+ " The Visual area ended after the end of the line after :hide
+ call setline(1, 'xxx')
+ vsplit Xfile
+ call setline(1, 'xxxxxxxx')
+ norm! $o
+ hid
+ norm! zW
+ bwipe!
+ bwipe!
+endfunc
+
" vim: shiftwidth=2 sts=2 expandtab
diff --git a/src/window.c b/src/window.c
index 992593b..c91ebbc 100644
--- a/src/window.c
+++ b/src/window.c
@@ -2594,6 +2594,8 @@ win_close(win_T *win, int free_buf)
*/
if (wp->w_buffer != curbuf)
{
+ reset_VIsual_and_resel(); // stop Visual mode
+
other_buffer = TRUE;
win->w_closing = TRUE;
apply_autocmds(EVENT_BUFLEAVE, NULL, NULL, FALSE, curbuf);
--
1.8.3.1

46
backport-CVE-2022-2285.patch Normal file
View File

@ -0,0 +1,46 @@
From 27efc62f5d86afcb2ecb7565587fe8dea4b036fe Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Fri, 1 Jul 2022 16:35:45 +0100
Subject: [PATCH] patch 9.0.0018: going over the end of the typahead
Problem: Going over the end of the typahead.
Solution: Put a NUL after the typeahead.
---
src/term.c | 1 +
src/testdir/test_mapping.vim | 10 ++++++++++
2 files changed, 11 insertions(+)
diff --git a/src/term.c b/src/term.c
index 754ef82..7d7b84b 100644
--- a/src/term.c
+++ b/src/term.c
@@ -5393,6 +5393,7 @@ check_termcode(
if (*tp == ESC && !p_ek && (State & MODE_INSERT))
continue;
+ tp[len] = NUL;
key_name[0] = NUL; // no key name found yet
key_name[1] = NUL; // no key name found yet
modifiers = 0; // no modifiers yet
diff --git a/src/testdir/test_mapping.vim b/src/testdir/test_mapping.vim
index ace6453..2927ba7 100644
--- a/src/testdir/test_mapping.vim
+++ b/src/testdir/test_mapping.vim
@@ -1715,4 +1715,14 @@ func Test_map_after_timed_out_nop()
call delete('Xtest_map_after_timed_out_nop')
endfunc
+func Test_using_past_typeahead()
+ nnoremap :00 0
+ exe "norm :set \x80\xfb0=0\<CR>"
+ exe "sil norm :0\x0f\<C-U>\<CR>"
+
+ exe "norm :set \x80\xfb0=\<CR>"
+ nunmap :00
+endfunc
+
+
" vim: shiftwidth=2 sts=2 expandtab
--
1.8.3.1

61
backport-CVE-2022-2286.patch Normal file
View File

@ -0,0 +1,61 @@
From f12129f1714f7d2301935bb21d896609bdac221c Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Fri, 1 Jul 2022 19:58:30 +0100
Subject: [PATCH] patch 9.0.0020: with some completion reading past end of
string
Problem: With some completion reading past end of string.
Solution: Check the length of the string.
---
src/insexpand.c | 14 ++++++++++++--
src/testdir/test_ins_complete.vim | 8 ++++++++
2 files changed, 20 insertions(+), 2 deletions(-)
diff --git a/src/insexpand.c b/src/insexpand.c
index 4a5feac..734550f 100644
--- a/src/insexpand.c
+++ b/src/insexpand.c
@@ -2209,11 +2209,21 @@ ins_compl_stop(int c, int prev_mode, int retval)
// but only do this, if the Popup is still visible
if (c == Ctrl_E)
{
+ char_u *p = NULL;
+
ins_compl_delete();
if (compl_leader != NULL)
- ins_bytes(compl_leader + get_compl_len());
+ p = compl_leader;
else if (compl_first_match != NULL)
- ins_bytes(compl_orig_text + get_compl_len());
+ p = compl_orig_text;
+ if (p != NULL)
+ {
+ int compl_len = get_compl_len();
+ int len = (int)STRLEN(p);
+
+ if (len > compl_len)
+ ins_bytes_len(p + compl_len, len - compl_len);
+ }
retval = TRUE;
}
diff --git a/src/testdir/test_ins_complete.vim b/src/testdir/test_ins_complete.vim
index 365c646..20c2b4f 100644
--- a/src/testdir/test_ins_complete.vim
+++ b/src/testdir/test_ins_complete.vim
@@ -2184,4 +2184,12 @@ func Test_complete_smartindent()
delfunction! FooBarComplete
endfunc
+func Test_complete_overrun()
+ " this was going past the end of the copied text
+ new
+ sil norm si”0s0 
+ bwipe!
+endfunc
+
+
" vim: shiftwidth=2 sts=2 expandtab
--
1.8.3.1

90
backport-CVE-2022-2287.patch Normal file
View File

@ -0,0 +1,90 @@
From 5e59ea54c0c37c2f84770f068d95280069828774 Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Fri, 1 Jul 2022 22:26:20 +0100
Subject: [PATCH] patch 9.0.0021: invalid memory access when adding word to
spell word list
Problem: Invalid memory access when adding word with a control character to
the internal spell word list.
Solution: Disallow adding a word with control characters or a trailing
slash.
---
src/spellfile.c | 21 +++++++++++++++++++--
src/testdir/test_spell.vim | 15 +++++++++++++++
2 files changed, 34 insertions(+), 2 deletions(-)
diff --git a/src/spellfile.c b/src/spellfile.c
index f0d6d96..4a0de52 100644
--- a/src/spellfile.c
+++ b/src/spellfile.c
@@ -4367,6 +4367,23 @@ wordtree_alloc(spellinfo_T *spin)
}
/*
+ * Return TRUE if "word" contains valid word characters.
+ * Control characters and trailing '/' are invalid. Space is OK.
+ */
+ static int
+valid_spell_word(char_u *word)
+{
+ char_u *p;
+
+ if (enc_utf8 && !utf_valid_string(word, NULL))
+ return FALSE;
+ for (p = word; *p != NUL; p += mb_ptr2len(p))
+ if (*p < ' ' || (p[0] == '/' && p[1] == NUL))
+ return FALSE;
+ return TRUE;
+}
+
+/*
* Store a word in the tree(s).
* Always store it in the case-folded tree. For a keep-case word this is
* useful when the word can also be used with all caps (no WF_FIXCAP flag) and
@@ -4391,7 +4408,7 @@ store_word(
char_u *p;
// Avoid adding illegal bytes to the word tree.
- if (enc_utf8 && !utf_valid_string(word, NULL))
+ if (!valid_spell_word(word))
return FAIL;
(void)spell_casefold(curwin, word, len, foldword, MAXWLEN);
@@ -6194,7 +6211,7 @@ spell_add_word(
int i;
char_u *spf;
- if (enc_utf8 && !utf_valid_string(word, NULL))
+ if (!valid_spell_word(word))
{
emsg(_(e_illegal_character_in_word));
return;
diff --git a/src/testdir/test_spell.vim b/src/testdir/test_spell.vim
index 0fd5ed9..0187a17 100644
--- a/src/testdir/test_spell.vim
+++ b/src/testdir/test_spell.vim
@@ -854,6 +854,21 @@ func Test_spellsuggest_too_deep()
bwipe!
endfunc
+func Test_spell_good_word_invalid()
+ " This was adding a word with a 0x02 byte, which causes havoc.
+ enew
+ norm o0
+ sil! norm rzzWs00/
+ 2
+ sil! norm VzGprzzW
+ sil! norm z=
+
+ bwipe!
+ " clear the internal word list
+ set enc=latin1
+ set enc=utf-8
+endfunc
+
func LoadAffAndDic(aff_contents, dic_contents)
set enc=latin1
set spellfile=
--
1.8.3.1

54
backport-CVE-2022-2288.patch Normal file
View File

@ -0,0 +1,54 @@
From c6fdb15d423df22e1776844811d082322475e48a Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Sat, 2 Jul 2022 13:43:21 +0100
Subject: [PATCH] patch 9.0.0025: accessing beyond allocated memory with the
cmdline window
Problem: Accessing beyond allocated memory when using the cmdline window in
Ex mode.
Solution: Use "*" instead of "'<,'>" for Visual mode.
---
src/ex_docmd.c | 6 ++++--
src/testdir/test_cmdline.vim | 8 ++++++++
2 files changed, 12 insertions(+), 2 deletions(-)
diff --git a/src/ex_docmd.c b/src/ex_docmd.c
index 271e7e2..697337c 100644
--- a/src/ex_docmd.c
+++ b/src/ex_docmd.c
@@ -3118,9 +3118,11 @@ parse_command_modifiers(
size_t len = STRLEN(cmd_start);
// Special case: empty command uses "+":
- // "'<,'>mods" -> "mods'<,'>+
+ // "'<,'>mods" -> "mods *+
+ // Use "*" instead of "'<,'>" to avoid the command getting
+ // longer, in case is was allocated.
mch_memmove(orig_cmd, cmd_start, len);
- STRCPY(orig_cmd + len, "'<,'>+");
+ STRCPY(orig_cmd + len, " *+");
}
else
{
diff --git a/src/testdir/test_cmdline.vim b/src/testdir/test_cmdline.vim
index 3685336..f0498a1 100644
--- a/src/testdir/test_cmdline.vim
+++ b/src/testdir/test_cmdline.vim
@@ -2103,6 +2103,14 @@ func Test_cmdwin_insert_mode_close()
call assert_equal(1, winnr('$'))
endfunc
+func Test_cmdwin_ex_mode_with_modifier()
+ " this was accessing memory after allocated text in Ex mode
+ new
+ call setline(1, ['some', 'text', 'lines'])
+ silent! call feedkeys("gQnormal vq:atopleft\<C-V>\<CR>\<CR>", 'xt')
+ bwipe!
+endfunc
+
" test that ";" works to find a match at the start of the first line
func Test_zero_line_search()
new
--
1.8.3.1

65
backport-CVE-2022-2289.patch Normal file
View File

@ -0,0 +1,65 @@
From c5274dd12224421f2430b30c53b881b9403d649e Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Sat, 2 Jul 2022 15:10:00 +0100
Subject: [PATCH] patch 9.0.0026: accessing freed memory with diff put
Problem: Accessing freed memory with diff put.
Solution: Bail out when diff pointer is no longer valid.
---
src/diff.c | 24 ++++++++++++++++++++++--
1 files changed, 22 insertions(+), 2 deletions(-)
diff --git a/src/diff.c b/src/diff.c
index 91e5ae2..e4bafe2 100644
--- a/src/diff.c
+++ b/src/diff.c
@@ -2643,6 +2643,20 @@ nv_diffgetput(int put, long count)
}
/*
+ * Return TRUE if "diff" appears in the list of diff blocks of the current tab.
+ */
+ static int
+valid_diff(diff_T *diff)
+{
+ diff_T *dp;
+
+ for (dp = curtab->tp_first_diff; dp != NULL; dp = dp->df_next)
+ if (dp == diff)
+ return TRUE;
+ return FALSE;
+}
+
+/*
* ":diffget"
* ":diffput"
*/
@@ -2899,9 +2913,9 @@ ex_diffgetput(exarg_T *eap)
}
}
- // Adjust marks. This will change the following entries!
if (added != 0)
{
+ // Adjust marks. This will change the following entries!
mark_adjust(lnum, lnum + count - 1, (long)MAXLNUM, (long)added);
if (curwin->w_cursor.lnum >= lnum)
{
@@ -2923,7 +2937,13 @@ ex_diffgetput(exarg_T *eap)
#endif
vim_free(dfree);
}
- else
+
+ // mark_adjust() may have made "dp" invalid. We don't know where
+ // to continue then, bail out.
+ if (added != 0 && !valid_diff(dp))
+ break;
+
+ if (dfree == NULL)
// mark_adjust() may have changed the count in a wrong way
dp->df_count[idx_to] = new_count;
--
1.8.3.1

55
backport-CVE-2022-2304.patch Normal file
View File

@ -0,0 +1,55 @@
From 54e5fed6d27b747ff152cdb6edfb72ff60e70939 Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Mon, 4 Jul 2022 13:37:07 +0100
Subject: [PATCH] patch 9.0.0035: spell dump may go beyond end of an array
Problem: Spell dump may go beyond end of an array.
Solution: Limit the word length.
---
src/spell.c | 5 +++--
src/testdir/test_spell.vim | 12 ++++++++++++
2 files changed, 15 insertions(+), 2 deletions(-)
diff --git a/src/spell.c b/src/spell.c
index d866a2d..24abce4 100644
--- a/src/spell.c
+++ b/src/spell.c
@@ -3996,9 +3996,10 @@ spell_dump_compl(
n = arridx[depth] + curi[depth];
++curi[depth];
c = byts[n];
- if (c == 0)
+ if (c == 0 || depth >= MAXWLEN - 1)
{
- // End of word, deal with the word.
+ // End of word or reached maximum length, deal with the
+ // word.
// Don't use keep-case words in the fold-case tree,
// they will appear in the keep-case tree.
// Only use the word when the region matches.
diff --git a/src/testdir/test_spell.vim b/src/testdir/test_spell.vim
index d3f56d8..a291eb5 100644
--- a/src/testdir/test_spell.vim
+++ b/src/testdir/test_spell.vim
@@ -285,6 +285,18 @@ func Test_spellreall()
bwipe!
endfunc
+func Test_spell_dump_word_length()
+ " this was running over MAXWLEN
+ new
+ noremap 0 0a0zW0000000
+ sil! norm 0z=0
+ sil norm 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
+ sil! norm 0z=0
+
+ bwipe!
+ nunmap 0
+endfunc
+
" Test spellsuggest({word} [, {max} [, {capital}]])
func Test_spellsuggest()
" Verify suggestions are given even when spell checking is not enabled.
--
1.8.3.1

235
backport-CVE-2022-2343.patch Normal file
View File

@ -0,0 +1,235 @@
FROM CAEA66442D86E7BBBA3BF3DC202C3C0D549B9853 MON SEP 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Thu, 7 Jul 2022 19:42:04 +0100
Subject: [PATCH] patch 9.0.0045: reading past end of completion with a
long line
Problem: Reading past end of completion with a long line and 'infercase'
set.
Solution: Allocate the string if needed.
---
src/insexpand.c | 94 ++++++++++++++++++++++---------
src/testdir/test_ins_complete.vim | 16 ++++++
2 files changed, 82 insertions(+), 28 deletions(-)
diff --git a/src/insexpand.c b/src/insexpand.c
index 734550f..0ecb656 100644
--- a/src/insexpand.c
+++ b/src/insexpand.c
@@ -524,29 +524,32 @@ ins_compl_accept_char(int c)
/*
* Get the completed text by inferring the case of the originally typed text.
+ * If the result is in allocated memory "tofree" is set to it.
*/
static char_u *
ins_compl_infercase_gettext(
char_u *str,
- int actual_len,
- int actual_compl_length,
- int min_len)
+ int char_len,
+ int compl_char_len,
+ int min_len,
+ char_u **tofree)
{
int *wca; // Wide character array.
char_u *p;
int i, c;
int has_lower = FALSE;
int was_letter = FALSE;
+ garray_T gap;
IObuff[0] = NUL;
// Allocate wide character array for the completion and fill it.
- wca = ALLOC_MULT(int, actual_len);
+ wca = ALLOC_MULT(int, char_len);
if (wca == NULL)
return IObuff;
p = str;
- for (i = 0; i < actual_len; ++i)
+ for (i = 0; i < char_len; ++i)
if (has_mbyte)
wca[i] = mb_ptr2char_adv(&p);
else
@@ -566,7 +569,7 @@ ins_compl_infercase_gettext(
if (MB_ISUPPER(wca[i]))
{
// Rule 1 is satisfied.
- for (i = actual_compl_length; i < actual_len; ++i)
+ for (i = compl_char_len; i < char_len; ++i)
wca[i] = MB_TOLOWER(wca[i]);
break;
}
@@ -587,7 +590,7 @@ ins_compl_infercase_gettext(
if (was_letter && MB_ISUPPER(c) && MB_ISLOWER(wca[i]))
{
// Rule 2 is satisfied.
- for (i = actual_compl_length; i < actual_len; ++i)
+ for (i = compl_char_len; i < char_len; ++i)
wca[i] = MB_TOUPPER(wca[i]);
break;
}
@@ -610,20 +613,52 @@ ins_compl_infercase_gettext(
}
// Generate encoding specific output from wide character array.
- // Multi-byte characters can occupy up to five bytes more than
- // ASCII characters, and we also need one byte for NUL, so stay
- // six bytes away from the edge of IObuff.
p = IObuff;
i = 0;
- while (i < actual_len && (p - IObuff + 6) < IOSIZE)
- if (has_mbyte)
+ ga_init2(&gap, 1, 500);
+ while (i < char_len)
+ {
+ if (gap.ga_data != NULL)
+ {
+ if (ga_grow(&gap, 10) == FAIL)
+ {
+ ga_clear(&gap);
+ return (char_u *)"[failed]";
+ }
+ p = (char_u *)gap.ga_data + gap.ga_len;
+ if (has_mbyte)
+ gap.ga_len += (*mb_char2bytes)(wca[i++], p);
+ else
+ {
+ *p = wca[i++];
+ ++gap.ga_len;
+ }
+ }
+ else if ((p - IObuff) + 6 >= IOSIZE)
+ {
+ // Multi-byte characters can occupy up to five bytes more than
+ // ASCII characters, and we also need one byte for NUL, so when
+ // getting to six bytes from the edge of IObuff switch to using a
+ // growarray. Add the character in the next round.
+ if (ga_grow(&gap, IOSIZE) == FAIL)
+ return (char_u *)"[failed]";
+ STRCPY(gap.ga_data, IObuff);
+ gap.ga_len = STRLEN(IObuff);
+ }
+ else if (has_mbyte)
p += (*mb_char2bytes)(wca[i++], p);
else
*(p++) = wca[i++];
- *p = NUL;
-
+ }
vim_free(wca);
+ if (gap.ga_data != NULL)
+ {
+ *tofree = gap.ga_data;
+ return gap.ga_data;
+ }
+
+ *p = NUL;
return IObuff;
}
@@ -644,10 +679,12 @@ ins_compl_add_infercase(
{
char_u *str = str_arg;
char_u *p;
- int actual_len; // Take multi-byte characters
- int actual_compl_length; // into account.
+ int char_len; // count multi-byte characters
+ int compl_char_len;
int min_len;
int flags = 0;
+ int res;
+ char_u *tofree = NULL;
if (p_ic && curbuf->b_p_inf && len > 0)
{
@@ -657,44 +694,45 @@ ins_compl_add_infercase(
if (has_mbyte)
{
p = str;
- actual_len = 0;
+ char_len = 0;
while (*p != NUL)
{
MB_PTR_ADV(p);
- ++actual_len;
+ ++char_len;
}
}
else
- actual_len = len;
+ char_len = len;
// Find actual length of original text.
if (has_mbyte)
{
p = compl_orig_text;
- actual_compl_length = 0;
+ compl_char_len = 0;
while (*p != NUL)
{
MB_PTR_ADV(p);
- ++actual_compl_length;
+ ++compl_char_len;
}
}
else
- actual_compl_length = compl_length;
+ compl_char_len = compl_length;
- // "actual_len" may be smaller than "actual_compl_length" when using
+ // "char_len" may be smaller than "compl_char_len" when using
// thesaurus, only use the minimum when comparing.
- min_len = actual_len < actual_compl_length
- ? actual_len : actual_compl_length;
+ min_len = char_len < compl_char_len ? char_len : compl_char_len;
- str = ins_compl_infercase_gettext(str, actual_len, actual_compl_length,
- min_len);
+ str = ins_compl_infercase_gettext(str, char_len,
+ compl_char_len, min_len, &tofree);
}
if (cont_s_ipos)
flags |= CP_CONT_S_IPOS;
if (icase)
flags |= CP_ICASE;
- return ins_compl_add(str, len, fname, NULL, NULL, dir, flags, FALSE);
+ res = ins_compl_add(str, len, fname, NULL, NULL, dir, flags, FALSE);
+ vim_free(tofree);
+ return res;
}
/*
diff --git a/src/testdir/test_ins_complete.vim b/src/testdir/test_ins_complete.vim
index 20c2b4f..f2daa02 100644
--- a/src/testdir/test_ins_complete.vim
+++ b/src/testdir/test_ins_complete.vim
@@ -2192,4 +2192,20 @@ func Test_complete_overrun()
endfunc
+func Test_infercase_very_long_line()
+ " this was truncating the line when inferring case
+ new
+ let longLine = "blah "->repeat(300)
+ let verylongLine = "blah "->repeat(400)
+ call setline(1, verylongLine)
+ call setline(2, longLine)
+ set ic infercase
+ exe "normal 2Go\<C-X>\<C-L>\<Esc>"
+ call assert_equal(longLine, getline(3))
+
+ bwipe!
+ set noic noinfercase
+endfunc
+
+
" vim: shiftwidth=2 sts=2 expandtab
--
2.36.1

50
backport-CVE-2022-2344.patch Normal file
View File

@ -0,0 +1,50 @@
From baefde14550231f6468ac2ed2ed495bc381c0c92 Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Thu, 7 Jul 2022 19:59:49 +0100
Subject: [PATCH] patch 9.0.0046: reading past end of completion with
duplicate match
Problem: Reading past end of completion with duplicate match.
Solution: Check string length
---
src/insexpand.c | 3 ++-
src/testdir/test_ins_complete.vim | 10 ++++++++++
2 files changed, 12 insertions(+), 1 deletion(-)
diff --git a/src/insexpand.c b/src/insexpand.c
index 0ecb656..9c598a8 100644
--- a/src/insexpand.c
+++ b/src/insexpand.c
@@ -786,7 +786,8 @@ ins_compl_add(
{
if (!match_at_original_text(match)
&& STRNCMP(match->cp_str, str, len) == 0
- && match->cp_str[len] == NUL)
+ && ((int)STRLEN(match->cp_str) <= len
+ || match->cp_str[len] == NUL))
return NOTDONE;
match = match->cp_next;
} while (match != NULL && !is_first_match(match));
diff --git a/src/testdir/test_ins_complete.vim b/src/testdir/test_ins_complete.vim
index 5e5b1bb..2be6d06 100644
--- a/src/testdir/test_ins_complete.vim
+++ b/src/testdir/test_ins_complete.vim
@@ -2112,5 +2112,15 @@ func Test_infercase_very_long_line()
set noic noinfercase
endfunc
+func Test_ins_complete_add()
+ " this was reading past the end of allocated memory
+ new
+ norm o
+ norm 7o€€
+ sil! norm o
+
+ bwipe!
+endfunc
+
" vim: shiftwidth=2 sts=2 expandtab
--
1.8.3.1

79
backport-CVE-2022-2345.patch Normal file
View File

@ -0,0 +1,79 @@
From 32acf1f1a72ebb9d8942b9c9d80023bf1bb668ea Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Thu, 7 Jul 2022 22:20:31 +0100
Subject: [PATCH] patch 9.0.0047: using freed memory with recursive
substitute
Problem: Using freed memory with recursive substitute.
Solution: Always make a copy for reg_prev_sub.
---
src/ex_cmds.c | 11 ++++++++++-
src/regexp.c | 8 ++++----
src/testdir/test_regexp_latin.vim | 11 +++++++++++
3 files changed, 25 insertions(+), 5 deletions(-)
diff --git a/src/ex_cmds.c b/src/ex_cmds.c
index eb3016f..5253863 100644
--- a/src/ex_cmds.c
+++ b/src/ex_cmds.c
@@ -3994,7 +3994,16 @@ ex_substitute(exarg_T *eap)
sub_copy = sub;
}
else
- sub = regtilde(sub, magic_isset());
+ {
+ char_u *newsub = regtilde(sub, magic_isset());
+
+ if (newsub != sub)
+ {
+ // newsub was allocated, free it later.
+ sub_copy = newsub;
+ sub = newsub;
+ }
+ }
/*
* Check for a match on each line.
diff --git a/src/regexp.c b/src/regexp.c
index 2cbe64e..f35a5e8 100644
--- a/src/regexp.c
+++ b/src/regexp.c
@@ -1766,11 +1766,11 @@ regtilde(char_u *source, int magic)
}
}
+ // Store a copy of newsub in reg_prev_sub. It is always allocated,
+ // because recursive calls may make the returned string invalid.
vim_free(reg_prev_sub);
- if (newsub != source) // newsub was allocated, just keep it
- reg_prev_sub = newsub;
- else // no ~ found, need to save newsub
- reg_prev_sub = vim_strsave(newsub);
+ reg_prev_sub = vim_strsave(newsub);
+
return newsub;
}
diff --git a/src/testdir/test_regexp_latin.vim b/src/testdir/test_regexp_latin.vim
index 1fe4699..dce6709 100644
--- a/src/testdir/test_regexp_latin.vim
+++ b/src/testdir/test_regexp_latin.vim
@@ -1114,4 +1114,15 @@ func Test_using_two_engines_pattern()
bwipe!
endfunc
+func Test_recursive_substitute_expr()
+ new
+ func Repl()
+ s
+ endfunc
+ silent! s/\%')/~\=Repl()
+
+ bwipe!
+ delfunc Repl
+endfunc
+
" vim: shiftwidth=2 sts=2 expandtab
--
1.8.3.1

46
backport-CVE-2022-2522.patch Normal file
View File

@ -0,0 +1,46 @@
From b9e717367c395490149495cf375911b5d9de889e Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Sat, 23 Jul 2022 06:53:08 +0100
Subject: [PATCH] patch 9.0.0060: accessing uninitialized memory when
completing long line
Problem: Accessing uninitialized memory when completing long line.
Solution: Terminate string with NUL.
---
src/insexpand.c | 1 +
src/testdir/test_ins_complete.vim | 7 +++++++
2 files changed, 8 insertions(+)
diff --git a/src/insexpand.c b/src/insexpand.c
index b49a631..c505158 100644
--- a/src/insexpand.c
+++ b/src/insexpand.c
@@ -642,6 +642,7 @@ ins_compl_infercase_gettext(
// growarray. Add the character in the next round.
if (ga_grow(&gap, IOSIZE) == FAIL)
return (char_u *)"[failed]";
+ *p = NUL;
STRCPY(gap.ga_data, IObuff);
gap.ga_len = (int)STRLEN(IObuff);
}
diff --git a/src/testdir/test_ins_complete.vim b/src/testdir/test_ins_complete.vim
index 2be6d06..7bebc5d 100644
--- a/src/testdir/test_ins_complete.vim
+++ b/src/testdir/test_ins_complete.vim
@@ -2108,6 +2108,13 @@ func Test_infercase_very_long_line()
exe "normal 2Go\<C-X>\<C-L>\<Esc>"
call assert_equal(longLine, getline(3))
+ " check that the too long text is NUL terminated
+ %del
+ norm o
+ norm 1987ax
+ exec "norm ox\<C-X>\<C-L>"
+ call assert_equal(repeat('x', 1987), getline(3))
+
bwipe!
set noic noinfercase
endfunc
--
1.8.3.1

32
backport-patch-9.0.0022-spell-test-fails.patch Normal file
View File

@ -0,0 +1,32 @@
From 95afae6d1760b2efcc4968dbd3784799d24e9fdf Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Fri, 1 Jul 2022 22:44:19 +0100
Subject: [PATCH] patch 9.0.0022: spell test fails
Problem: Spell test fails.
Solution: Expect new error is given.
---
src/testdir/test_spell_utf8.vim | 7 ++++++-
1 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/src/testdir/test_spell_utf8.vim b/src/testdir/test_spell_utf8.vim
index fe80689..c71308b 100644
--- a/src/testdir/test_spell_utf8.vim
+++ b/src/testdir/test_spell_utf8.vim
@@ -779,7 +779,12 @@ func Test_no_crash_with_weird_text()
€
END
call setline(1, lines)
- exe "%norm \<C-v>ez=>\<C-v>wzG"
+ try
+ exe "%norm \<C-v>ez=>\<C-v>wzG"
+ catch /E1280:/
+ let caught = 'yes'
+ endtry
+ call assert_equal('yes', caught)
bwipe!
endfunc
--
1.8.3.1

27
backport-patch-9.0.0054-compiler-warning-for-size_t-to-int-co.patch Normal file
View File

@ -0,0 +1,27 @@
From c7bd2f08e531f08723cdc677212a3633d11c9a97 Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Fri, 15 Jul 2022 20:45:20 +0100
Subject: [PATCH] patch 9.0.0054: compiler warning for size_t to int conversion
Problem: Compiler warning for size_t to int conversion.
Solution: Add type cast. (Mike Williams, closes #10741)
---
src/insexpand.c | 2 +-
1 files changed, 1 insertions(+), 1 deletion(-)
diff --git a/src/insexpand.c b/src/insexpand.c
index 9c598a8..b49a631 100644
--- a/src/insexpand.c
+++ b/src/insexpand.c
@@ -643,7 +643,7 @@ ins_compl_infercase_gettext(
if (ga_grow(&gap, IOSIZE) == FAIL)
return (char_u *)"[failed]";
STRCPY(gap.ga_data, IObuff);
- gap.ga_len = STRLEN(IObuff);
+ gap.ga_len = (int)STRLEN(IObuff);
}
else if (has_mbyte)
p += (*mb_char2bytes)(wca[i++], p);
--
1.8.3.1

24
vim.spec
View File

@ -12,7 +12,7 @@
Name: vim
Epoch: 2
Version: 9.0
Release: 1
Release: 2
Summary: Vim is a highly configurable text editor for efficiently creating and changing any kind of text.
License: Vim and MIT
URL: http://www.vim.org
@ -27,6 +27,22 @@ Patch0009: vim-7.4-globalsyntax.patch
Patch0011: vim-8.0-copy-paste.patch
Patch0012: vim-python3-tests.patch
Patch6000: backport-CVE-2022-2257.patch
Patch6001: backport-CVE-2022-2264.patch
Patch6002: backport-CVE-2022-2284.patch
Patch6003: backport-CVE-2022-2285.patch
Patch6004: backport-CVE-2022-2286.patch
Patch6005: backport-CVE-2022-2287.patch
Patch6006: backport-CVE-2022-2288.patch
Patch6007: backport-patch-9.0.0022-spell-test-fails.patch
Patch6008: backport-CVE-2022-2289.patch
Patch6009: backport-CVE-2022-2304.patch
Patch6010: backport-CVE-2022-2343.patch
Patch6011: backport-CVE-2022-2344.patch
Patch6012: backport-CVE-2022-2345.patch
Patch6013: backport-patch-9.0.0054-compiler-warning-for-size_t-to-int-co.patch
Patch6014: backport-CVE-2022-2522.patch
Patch9000: bugfix-rm-modify-info-version.patch
BuildRequires: autoconf python3-devel ncurses-devel gettext perl-devel perl-generators gcc
@ -418,6 +434,12 @@ popd
%{_mandir}/man1/evim.*
%changelog
* Sat Jul 30 2022 shixuantong <shixuantong@h-partners.com> - 2:9.0-2
- Type:CVE
- ID:CVE-2022-2257 CVE-2022-2264 CVE-2022-2284 CVE-2022-2285 CVE-2022-2286 CVE-2022-2287 CVE-2022-2288 CVE-2022-2289 CVE-2022-2304 CVE-2022-2343 CVE-2022-2344 CVE-2022-2345 CVE-2022-2522
- SUG:NA
- DESC:fix CVE-2022-2257 CVE-2022-2264 CVE-2022-2284 CVE-2022-2285 CVE-2022-2286 CVE-2022-2287 CVE-2022-2288 CVE-2022-2289 CVE-2022-2304 CVE-2022-2343 CVE-2022-2344 CVE-2022-2345 CVE-2022-2522
* Tue Jul 05 2022 shixuantong <shixuantong@h-partners.com> - 2:9.0-1
- Type:enhancement
- ID:NA