fix CVE-2022-2980 CVE-2022-2982

2022-08-27 17:20:39 +08:00 · 2022-08-27 17:20:39 +08:00 · f1c767fe79
commit f1c767fe79
parent df12be2dee
3 changed files with 254 additions and 1 deletions
--- a/backport-CVE-2022-2980.patch
+++ b/backport-CVE-2022-2980.patch
@ -0,0 +1,172 @@
+From 80525751c5ce9ed82c41d83faf9ef38667bf61b1 Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Wed, 24 Aug 2022 19:27:45 +0100
+Subject: [PATCH] patch 9.0.0259: crash with mouse click when not initialized
+
+Problem:    Crash with mouse click when not initialized.
+Solution:   Check TabPageIdxs[] is not NULL.
+---
+ src/mouse.c                  | 107 ++++++++++++++++++++++---------------------
+ src/testdir/test_tabline.vim |  14 ++++++
+ 2 files changed, 69 insertions(+), 52 deletions(-)
+
+diff --git a/src/mouse.c b/src/mouse.c
+index c39f614..12895f8 100644
+--- a/src/mouse.c
+++ b/src/mouse.c
+@@ -471,74 +471,77 @@ do_mouse(
+ 
+     start_visual.lnum = 0;
+ 
+-    // Check for clicking in the tab page line.
+-    if (mouse_row == 0 && firstwin->w_winrow > 0)
+    if (TabPageIdxs != NULL)  // only when initialized
+     {
+-	if (is_drag)
+	// Check for clicking in the tab page line.
+	if (mouse_row == 0 && firstwin->w_winrow > 0)
+ 	{
+-	    if (in_tab_line)
+	    if (is_drag)
+ 	    {
+-		c1 = TabPageIdxs[mouse_col];
+-		tabpage_move(c1 <= 0 ? 9999 : c1 < tabpage_index(curtab)
+-								? c1 - 1 : c1);
+		if (in_tab_line)
+		{
+		    c1 = TabPageIdxs[mouse_col];
+		    tabpage_move(c1 <= 0 ? 9999 : c1 < tabpage_index(curtab)
+								    ? c1 - 1 : c1);
+		}
+		return FALSE;
+ 	    }
+-	    return FALSE;
+-	}
+ 
+-	// click in a tab selects that tab page
+-	if (is_click
+	    // click in a tab selects that tab page
+	    if (is_click
+ # ifdef FEAT_CMDWIN
+-		&& cmdwin_type == 0
+		    && cmdwin_type == 0
+ # endif
+-		&& mouse_col < Columns)
+-	{
+-	    in_tab_line = TRUE;
+-	    c1 = TabPageIdxs[mouse_col];
+-	    if (c1 >= 0)
+		    && mouse_col < Columns)
+ 	    {
+-		if ((mod_mask & MOD_MASK_MULTI_CLICK) == MOD_MASK_2CLICK)
+-		{
+-		    // double click opens new page
+-		    end_visual_mode_keep_button();
+-		    tabpage_new();
+-		    tabpage_move(c1 == 0 ? 9999 : c1 - 1);
+-		}
+-		else
+		in_tab_line = TRUE;
+		c1 = TabPageIdxs[mouse_col];
+		if (c1 >= 0)
+ 		{
+-		    // Go to specified tab page, or next one if not clicking
+-		    // on a label.
+-		    goto_tabpage(c1);
+-
+-		    // It's like clicking on the status line of a window.
+-		    if (curwin != old_curwin)
+		    if ((mod_mask & MOD_MASK_MULTI_CLICK) == MOD_MASK_2CLICK)
+		    {
+			// double click opens new page
+ 			end_visual_mode_keep_button();
+-		}
+-	    }
+-	    else
+-	    {
+-		tabpage_T	*tp;
+			tabpage_new();
+			tabpage_move(c1 == 0 ? 9999 : c1 - 1);
+		    }
+		    else
+		    {
+			// Go to specified tab page, or next one if not clicking
+			// on a label.
+			goto_tabpage(c1);
+ 
+-		// Close the current or specified tab page.
+-		if (c1 == -999)
+-		    tp = curtab;
+			// It's like clicking on the status line of a window.
+			if (curwin != old_curwin)
+			    end_visual_mode_keep_button();
+		    }
+		}
+ 		else
+-		    tp = find_tabpage(-c1);
+-		if (tp == curtab)
+ 		{
+-		    if (first_tabpage->tp_next != NULL)
+-			tabpage_close(FALSE);
+		    tabpage_T	*tp;
+
+		    // Close the current or specified tab page.
+		    if (c1 == -999)
+			tp = curtab;
+		    else
+			tp = find_tabpage(-c1);
+		    if (tp == curtab)
+		    {
+			if (first_tabpage->tp_next != NULL)
+			    tabpage_close(FALSE);
+		    }
+		    else if (tp != NULL)
+			tabpage_close_other(tp, FALSE);
+ 		}
+-		else if (tp != NULL)
+-		    tabpage_close_other(tp, FALSE);
+ 	    }
+	    return TRUE;
+	}
+	else if (is_drag && in_tab_line)
+	{
+	    c1 = TabPageIdxs[mouse_col];
+	    tabpage_move(c1 <= 0 ? 9999 : c1 - 1);
+	    return FALSE;
+ 	}
+-	return TRUE;
+-    }
+-    else if (is_drag && in_tab_line)
+-    {
+-	c1 = TabPageIdxs[mouse_col];
+-	tabpage_move(c1 <= 0 ? 9999 : c1 - 1);
+-	return FALSE;
+     }
+ 
+     // When 'mousemodel' is "popup" or "popup_setpos", translate mouse events:
+diff --git a/src/testdir/test_tabline.vim b/src/testdir/test_tabline.vim
+index e58a412..556b859 100644
+--- a/src/testdir/test_tabline.vim
+++ b/src/testdir/test_tabline.vim
+@@ -147,4 +147,18 @@ func Test_tabline_20_format_items_no_overrun()
+   set showtabline& tabline&
+ endfunc
+ 
+func Test_mouse_click_in_tab()
+  " This used to crash because TabPageIdxs[] was not initialized
+  let lines =<< trim END
+      tabnew
+      set mouse=a
+      exe "norm \<LeftMouse>"
+  END
+  call writefile(lines, 'Xclickscript')
+  call RunVim([], [], "-e -s -S Xclickscript -c qa")
+
+  call delete('Xclickscript')
+endfunc
+
+
+ " vim: shiftwidth=2 sts=2 expandtab
+-- 
+1.8.3.1
+
--- a/backport-CVE-2022-2982.patch
+++ b/backport-CVE-2022-2982.patch
@ -0,0 +1,73 @@
+From d6c67629ed05aae436164eec474832daf8ba7420 Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Wed, 24 Aug 2022 20:07:22 +0100
+Subject: [PATCH] patch 9.0.0260: using freed memory when usinger
+ 'quickfixtextfunc' recursivelyxe
+
+Problem:    Using freed memory when using 'quickfixtextfunc' recursively.
+Solution:   Do not allow for recursion.
+---
+ src/quickfix.c                |  9 +++++++++
+ src/testdir/test_quickfix.vim | 13 +++++++++++++
+ 2 files changed, 22 insertions(+)
+
+diff --git a/src/quickfix.c b/src/quickfix.c
+index c37caa5..5547233 100644
+--- a/src/quickfix.c
+++ b/src/quickfix.c
+@@ -4656,6 +4656,11 @@ call_qftf_func(qf_list_T *qfl, int qf_winid, long start_idx, long end_idx)
+ {
+     callback_T	*cb = &qftf_cb;
+     list_T	*qftf_list = NULL;
+    static int	recursive = FALSE;
+
+    if (recursive)
+	return NULL;  // this doesn't work properly recursively
+    recursive = TRUE;
+ 
+     // If 'quickfixtextfunc' is set, then use the user-supplied function to get
+     // the text to display. Use the local value of 'quickfixtextfunc' if it is
+@@ -4670,7 +4675,10 @@ call_qftf_func(qf_list_T *qfl, int qf_winid, long start_idx, long end_idx)
+ 
+ 	// create the dict argument
+ 	if ((d = dict_alloc_lock(VAR_FIXED)) == NULL)
+	{
+	    recursive = FALSE;
+ 	    return NULL;
+	}
+ 	dict_add_number(d, "quickfix", (long)IS_QF_LIST(qfl));
+ 	dict_add_number(d, "winid", (long)qf_winid);
+ 	dict_add_number(d, "id", (long)qfl->qf_id);
+@@ -4693,6 +4701,7 @@ call_qftf_func(qf_list_T *qfl, int qf_winid, long start_idx, long end_idx)
+ 	dict_unref(d);
+     }
+ 
+    recursive = FALSE;
+     return qftf_list;
+ }
+ 
+diff --git a/src/testdir/test_quickfix.vim b/src/testdir/test_quickfix.vim
+index 182d570..46b2cb6 100644
+--- a/src/testdir/test_quickfix.vim
+++ b/src/testdir/test_quickfix.vim
+@@ -6334,4 +6334,17 @@ func Test_qflist_statusmsg()
+   %bw!
+ endfunc
+ 
+func Test_quickfixtextfunc_recursive()
+  func s:QFTfunc(o)
+    cgete '0'
+  endfunc
+  copen
+  let &quickfixtextfunc = 's:QFTfunc'
+  cex ""
+
+  let &quickfixtextfunc = ''
+  cclose
+endfunc
+
+
+ " vim: shiftwidth=2 sts=2 expandtab
+-- 
+2.36.1
+
--- a/vim.spec
+++ b/vim.spec
@ -12,7 +12,7 @@
 Name:           vim
 Epoch:          2
 Version:        9.0
-Release:        8
+Release:        9
 Summary:        Vim is a highly configurable text editor for efficiently creating and changing any kind of text.
 License:        Vim and MIT
 URL:            http://www.vim.org
@ -56,6 +56,8 @@ Patch6025:      backport-CVE-2022-2874.patch
 Patch6026:      backport-CVE-2022-2889.patch
 Patch6027:      backport-CVE-2022-2923.patch
 Patch6028:      backport-CVE-2022-2946.patch
+Patch6029:      backport-CVE-2022-2980.patch
+Patch6030:      backport-CVE-2022-2982.patch

 Patch9000:      bugfix-rm-modify-info-version.patch

@ -454,6 +456,12 @@ LC_ALL=en_US.UTF-8 make -j1 test
 %{_mandir}/man1/evim.*

 %changelog
+* Sat Aug 27 2022 shixuantong <shixuantong@h-partners.com> - 2:9.0-9
+- Type:CVE
+- ID:CVE-2022-2980 CVE-2022-2982
+- SUG:NA
+- DESC:fix CVE-2022-2980 CVE-2022-2982
+
 * Sat Aug 27 2022 shixuantong <shixuantong@h-partners.com> - 2:9.0-8
 - Type:enhancement
 - ID:NA