fix CVE-2022-3234,CVE-2022-3235

(cherry picked from commit 00c4d86f261df01bf23ac7a3d4e06d619d4058b6)
2022-09-19 17:16:39 +08:00 · 2022-09-19 17:16:39 +08:00 · ee064d150f
commit ee064d150f
parent b2f2919a87
3 changed files with 162 additions and 1 deletions
--- a/backport-CVE-2022-3234.patch
+++ b/backport-CVE-2022-3234.patch
@ -0,0 +1,78 @@
+From c249913edc35c0e666d783bfc21595cf9f7d9e0d Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Fri, 16 Sep 2022 22:16:59 +0100
+Subject: [PATCH] patch 9.0.0483: illegal memory access when replacing in
+ virtualedit mode
+
+Problem:    Illegal memory access when replacing in virtualedit mode.
+Solution:   Check for replacing NUL after Tab.
+---
+ src/ops.c                        | 12 ++++++++++--
+ src/testdir/test_virtualedit.vim | 14 ++++++++++++++
+ 2 files changed, 24 insertions(+), 2 deletions(-)
+
+diff --git a/src/ops.c b/src/ops.c
+index b930878..33cbd8e 100644
+--- a/src/ops.c
+++ b/src/ops.c
+@@ -1160,6 +1160,8 @@ op_replace(oparg_T *oap, int c)
+ 
+ 	while (LTOREQ_POS(curwin->w_cursor, oap->end))
+ 	{
+	    int done = FALSE;
+
+ 	    n = gchar_cursor();
+ 	    if (n != NUL)
+ 	    {
+@@ -1173,6 +1175,7 @@ op_replace(oparg_T *oap, int c)
+ 		    if (curwin->w_cursor.lnum == oap->end.lnum)
+ 			oap->end.col += new_byte_len - old_byte_len;
+ 		    replace_character(c);
+		    done = TRUE;
+ 		}
+ 		else
+ 		{
+@@ -1191,10 +1194,15 @@ op_replace(oparg_T *oap, int c)
+ 			if (curwin->w_cursor.lnum == oap->end.lnum)
+ 			    getvpos(&oap->end, end_vcol);
+ 		    }
+-		    PBYTE(curwin->w_cursor, c);
+		    // with "coladd" set may move to just after a TAB
+		    if (gchar_cursor() != NUL)
+		    {
+			PBYTE(curwin->w_cursor, c);
+			done = TRUE;
+		    }
+ 		}
+ 	    }
+-	    else if (virtual_op && curwin->w_cursor.lnum == oap->end.lnum)
+	    if (!done && virtual_op && curwin->w_cursor.lnum == oap->end.lnum)
+ 	    {
+ 		int virtcols = oap->end.coladd;
+ 
+diff --git a/src/testdir/test_virtualedit.vim b/src/testdir/test_virtualedit.vim
+index b31f3a2..0031b22 100644
+--- a/src/testdir/test_virtualedit.vim
+++ b/src/testdir/test_virtualedit.vim
+@@ -537,4 +537,18 @@ func Test_global_local_virtualedit()
+   set virtualedit&
+ endfunc
+ 
+" this was replacing the NUL at the end of the line 
+func Test_virtualedit_replace_after_tab()
+  new
+  s/\v/	0
+  set ve=all
+  let @" = ''
+  sil! norm vPvr0
+  
+  call assert_equal("\t0", getline(1))
+  set ve&
+  bwipe!
+endfunc
+
+
+ " vim: shiftwidth=2 sts=2 expandtab
+-- 
+2.27.0
+
--- a/backport-CVE-2022-3235.patch
+++ b/backport-CVE-2022-3235.patch
@ -0,0 +1,75 @@
+From 1c3dd8ddcba63c1af5112e567215b3cec2de11d0 Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Sat, 17 Sep 2022 19:43:23 +0100
+Subject: [PATCH] patch 9.0.0490: using freed memory with cmdwin and BufEnter
+ autocmd
+
+Problem:    Using freed memory with cmdwin and BufEnter autocmd.
+Solution:   Make sure pointer to b_p_iminsert is still valid.
+---
+ src/ex_getln.c               |  8 ++++++--
+ src/testdir/test_cmdline.vim | 10 ++++++++++
+ 2 files changed, 16 insertions(+), 2 deletions(-)
+
+diff --git a/src/ex_getln.c b/src/ex_getln.c
+index 8dc03dc..535bfb5 100644
+--- a/src/ex_getln.c
+++ b/src/ex_getln.c
+@@ -1607,6 +1607,7 @@ getcmdline_int(
+ #endif
+     expand_T	xpc;
+     long	*b_im_ptr = NULL;
+    buf_T	*b_im_ptr_buf = NULL;	// buffer where b_im_ptr is valid
+     cmdline_info_T save_ccline;
+     int		did_save_ccline = FALSE;
+     int		cmdline_type;
+@@ -1703,6 +1704,7 @@ getcmdline_int(
+ 	    b_im_ptr = &curbuf->b_p_iminsert;
+ 	else
+ 	    b_im_ptr = &curbuf->b_p_imsearch;
+	b_im_ptr_buf = curbuf;
+ 	if (*b_im_ptr == B_IMODE_LMAP)
+ 	    State |= MODE_LANGMAP;
+ #ifdef HAVE_INPUT_METHOD
+@@ -2060,7 +2062,8 @@ getcmdline_int(
+ 		goto cmdline_not_changed;
+ 
+ 	case Ctrl_HAT:
+-		cmdline_toggle_langmap(b_im_ptr);
+		cmdline_toggle_langmap(
+				    buf_valid(b_im_ptr_buf) ? b_im_ptr : NULL);
+ 		goto cmdline_not_changed;
+ 
+ //	case '@':   only in very old vi
+@@ -2573,7 +2576,8 @@ returncmd:
+ #endif
+ 
+ #ifdef HAVE_INPUT_METHOD
+-    if (b_im_ptr != NULL && *b_im_ptr != B_IMODE_LMAP)
+    if (b_im_ptr != NULL && buf_valid(b_im_ptr_buf)
+						  && *b_im_ptr != B_IMODE_LMAP)
+ 	im_save_status(b_im_ptr);
+     im_set_active(FALSE);
+ #endif
+diff --git a/src/testdir/test_cmdline.vim b/src/testdir/test_cmdline.vim
+index 08e2de7..440df96 100644
+--- a/src/testdir/test_cmdline.vim
+++ b/src/testdir/test_cmdline.vim
+@@ -3447,4 +3447,14 @@ func Test_cmdwin_virtual_edit()
+   set ve= cpo-=$
+ endfunc
+ 
+" This was using a pointer to a freed buffer
+func Test_cmdwin_freed_buffer_ptr()
+  au BufEnter * next 0| file 
+  edit 0
+  silent! norm q/
+
+  au! BufEnter
+  bwipe!
+endfunc
+
+ " vim: shiftwidth=2 sts=2 expandtab
+-- 
+2.27.0
+
--- a/vim.spec
+++ b/vim.spec
@ -12,7 +12,7 @@
 Name:           vim
 Epoch:          2
 Version:        9.0
-Release:        14
+Release:        15
 Summary:        Vim is a highly configurable text editor for efficiently creating and changing any kind of text.
 License:        Vim and MIT
 URL:            http://www.vim.org
@ -63,6 +63,8 @@ Patch6032:      backport-CVE-2022-3037.patch
 Patch6033:      backport-CVE-2022-3099.patch
 Patch6034:      backport-CVE-2022-3134.patch
 Patch6035:      backport-CVE-2022-3153.patch
+Patch6036:      backport-CVE-2022-3234.patch
+Patch6037:      backport-CVE-2022-3235.patch

 Patch9000:      bugfix-rm-modify-info-version.patch

@ -461,6 +463,12 @@ LC_ALL=en_US.UTF-8 make -j1 test
 %{_mandir}/man1/evim.*

 %changelog
+* Mon Sep 19 2022 dongyuzhen <dongyuzhen@h-partners.com> - 2:9.0-15
+- Type:CVE
+- ID:CVE-2022-3234 CVE-2022-3235
+- SUG:NA
+- DESC:fix CVE-2022-3234 CVE-2022-3235
+
 * Fri Sep 16 2022 wangjiang <wangjiang37@h-partners.com> - 2:9.0-14
 - Type:enhancement
 - ID:NA