packages/vim
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix CVE-2022-3234,CVE-2022-3235

Browse Source 
(cherry picked from commit 00c4d86f261df01bf23ac7a3d4e06d619d4058b6)
This commit is contained in:
dongyuzhen 2022-09-19 17:16:39 +08:00 committed by openeuler-sync-bot
parent b2f2919a87
commit ee064d150f
3 changed files with 162 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

78
backport-CVE-2022-3234.patch Normal file
View File

@ -0,0 +1,78 @@
From c249913edc35c0e666d783bfc21595cf9f7d9e0d Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Fri, 16 Sep 2022 22:16:59 +0100
Subject: [PATCH] patch 9.0.0483: illegal memory access when replacing in
virtualedit mode
Problem: Illegal memory access when replacing in virtualedit mode.
Solution: Check for replacing NUL after Tab.
---
src/ops.c | 12 ++++++++++--
src/testdir/test_virtualedit.vim | 14 ++++++++++++++
2 files changed, 24 insertions(+), 2 deletions(-)
diff --git a/src/ops.c b/src/ops.c
index b930878..33cbd8e 100644
--- a/src/ops.c
+++ b/src/ops.c
@@ -1160,6 +1160,8 @@ op_replace(oparg_T *oap, int c)
while (LTOREQ_POS(curwin->w_cursor, oap->end))
{
+ int done = FALSE;
+
n = gchar_cursor();
if (n != NUL)
{
@@ -1173,6 +1175,7 @@ op_replace(oparg_T *oap, int c)
if (curwin->w_cursor.lnum == oap->end.lnum)
oap->end.col += new_byte_len - old_byte_len;
replace_character(c);
+ done = TRUE;
}
else
{
@@ -1191,10 +1194,15 @@ op_replace(oparg_T *oap, int c)
if (curwin->w_cursor.lnum == oap->end.lnum)
getvpos(&oap->end, end_vcol);
}
- PBYTE(curwin->w_cursor, c);
+ // with "coladd" set may move to just after a TAB
+ if (gchar_cursor() != NUL)
+ {
+ PBYTE(curwin->w_cursor, c);
+ done = TRUE;
+ }
}
}
- else if (virtual_op && curwin->w_cursor.lnum == oap->end.lnum)
+ if (!done && virtual_op && curwin->w_cursor.lnum == oap->end.lnum)
{
int virtcols = oap->end.coladd;
diff --git a/src/testdir/test_virtualedit.vim b/src/testdir/test_virtualedit.vim
index b31f3a2..0031b22 100644
--- a/src/testdir/test_virtualedit.vim
+++ b/src/testdir/test_virtualedit.vim
@@ -537,4 +537,18 @@ func Test_global_local_virtualedit()
set virtualedit&
endfunc
+" this was replacing the NUL at the end of the line
+func Test_virtualedit_replace_after_tab()
+ new
+ s/\v/ 0
+ set ve=all
+ let @" = ''
+ sil! norm vPvr0
+
+ call assert_equal("\t0", getline(1))
+ set ve&
+ bwipe!
+endfunc
+
+
" vim: shiftwidth=2 sts=2 expandtab
--
2.27.0

75
backport-CVE-2022-3235.patch Normal file
View File

@ -0,0 +1,75 @@
From 1c3dd8ddcba63c1af5112e567215b3cec2de11d0 Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Sat, 17 Sep 2022 19:43:23 +0100
Subject: [PATCH] patch 9.0.0490: using freed memory with cmdwin and BufEnter
autocmd
Problem: Using freed memory with cmdwin and BufEnter autocmd.
Solution: Make sure pointer to b_p_iminsert is still valid.
---
src/ex_getln.c | 8 ++++++--
src/testdir/test_cmdline.vim | 10 ++++++++++
2 files changed, 16 insertions(+), 2 deletions(-)
diff --git a/src/ex_getln.c b/src/ex_getln.c
index 8dc03dc..535bfb5 100644
--- a/src/ex_getln.c
+++ b/src/ex_getln.c
@@ -1607,6 +1607,7 @@ getcmdline_int(
#endif
expand_T xpc;
long *b_im_ptr = NULL;
+ buf_T *b_im_ptr_buf = NULL; // buffer where b_im_ptr is valid
cmdline_info_T save_ccline;
int did_save_ccline = FALSE;
int cmdline_type;
@@ -1703,6 +1704,7 @@ getcmdline_int(
b_im_ptr = &curbuf->b_p_iminsert;
else
b_im_ptr = &curbuf->b_p_imsearch;
+ b_im_ptr_buf = curbuf;
if (*b_im_ptr == B_IMODE_LMAP)
State |= MODE_LANGMAP;
#ifdef HAVE_INPUT_METHOD
@@ -2060,7 +2062,8 @@ getcmdline_int(
goto cmdline_not_changed;
case Ctrl_HAT:
- cmdline_toggle_langmap(b_im_ptr);
+ cmdline_toggle_langmap(
+ buf_valid(b_im_ptr_buf) ? b_im_ptr : NULL);
goto cmdline_not_changed;
// case '@': only in very old vi
@@ -2573,7 +2576,8 @@ returncmd:
#endif
#ifdef HAVE_INPUT_METHOD
- if (b_im_ptr != NULL && *b_im_ptr != B_IMODE_LMAP)
+ if (b_im_ptr != NULL && buf_valid(b_im_ptr_buf)
+ && *b_im_ptr != B_IMODE_LMAP)
im_save_status(b_im_ptr);
im_set_active(FALSE);
#endif
diff --git a/src/testdir/test_cmdline.vim b/src/testdir/test_cmdline.vim
index 08e2de7..440df96 100644
--- a/src/testdir/test_cmdline.vim
+++ b/src/testdir/test_cmdline.vim
@@ -3447,4 +3447,14 @@ func Test_cmdwin_virtual_edit()
set ve= cpo-=$
endfunc
+" This was using a pointer to a freed buffer
+func Test_cmdwin_freed_buffer_ptr()
+ au BufEnter * next 0| file
+ edit 0
+ silent! norm q/
+
+ au! BufEnter
+ bwipe!
+endfunc
+
" vim: shiftwidth=2 sts=2 expandtab
--
2.27.0

10
vim.spec
View File

@ -12,7 +12,7 @@
Name: vim Name: vim
Epoch: 2 Epoch: 2
Version: 9.0 Version: 9.0
Release: 14 Release: 15
Summary: Vim is a highly configurable text editor for efficiently creating and changing any kind of text. Summary: Vim is a highly configurable text editor for efficiently creating and changing any kind of text.
License: Vim and MIT License: Vim and MIT
URL: http://www.vim.org URL: http://www.vim.org
@ -63,6 +63,8 @@ Patch6032: backport-CVE-2022-3037.patch
Patch6033: backport-CVE-2022-3099.patch Patch6033: backport-CVE-2022-3099.patch
Patch6034: backport-CVE-2022-3134.patch Patch6034: backport-CVE-2022-3134.patch
Patch6035: backport-CVE-2022-3153.patch Patch6035: backport-CVE-2022-3153.patch
Patch6036: backport-CVE-2022-3234.patch
Patch6037: backport-CVE-2022-3235.patch
Patch9000: bugfix-rm-modify-info-version.patch Patch9000: bugfix-rm-modify-info-version.patch
@ -461,6 +463,12 @@ LC_ALL=en_US.UTF-8 make -j1 test
%{_mandir}/man1/evim.* %{_mandir}/man1/evim.*
%changelog %changelog
* Mon Sep 19 2022 dongyuzhen <dongyuzhen@h-partners.com> - 2:9.0-15
- Type:CVE
- ID:CVE-2022-3234 CVE-2022-3235
- SUG:NA
- DESC:fix CVE-2022-3234 CVE-2022-3235
* Fri Sep 16 2022 wangjiang <wangjiang37@h-partners.com> - 2:9.0-14 * Fri Sep 16 2022 wangjiang <wangjiang37@h-partners.com> - 2:9.0-14
- Type:enhancement - Type:enhancement
- ID:NA - ID:NA