fix CVE-2025-22134 CVE-2025-24014

2025-01-21 16:52:18 +08:00 · 2025-01-21 16:52:18 +08:00 · fc890a3c60
commit fc890a3c60
parent 6407ebe15e
4 changed files with 269 additions and 1 deletions
--- a/backport-CVE-2025-22134.patch
+++ b/backport-CVE-2025-22134.patch
@ -0,0 +1,126 @@
+From c9a1e257f1630a0866447e53a564f7ff96a80ead Mon Sep 17 00:00:00 2001
+From: Christian Brabandt <cb@256bit.org>
+Date: Sat, 11 Jan 2025 15:25:00 +0100
+Subject: [PATCH] patch 9.1.1003: [security]: heap-buffer-overflow with visual
+ mode
+
+Problem:  [security]: heap-buffer-overflow with visual mode when
+          using :all, causing Vim trying to access beyond end-of-line
+          (gandalf)
+Solution: Reset visual mode on :all, validate position in gchar_pos()
+          and charwise_block_prep()
+
+This fixes CVE-2025-22134
+
+Github Advisory:
+https://github.com/vim/vim/security/advisories/GHSA-5rgf-26wj-48v8
+
+Co-authored-by: zeertzjq <zeertzjq@outlook.com>
+Signed-off-by: Christian Brabandt <cb@256bit.org>
+---
+ src/arglist.c               |  4 ++++
+ src/misc1.c                 |  4 ++++
+ src/testdir/test_visual.vim | 26 ++++++++++++++++++++++----
+ 3 files changed, 30 insertions(+), 4 deletions(-)
+
+diff --git a/src/arglist.c b/src/arglist.c
+index 8825c8e252ccc5..4eec079df438a3 100644
+--- a/src/arglist.c
+++ b/src/arglist.c
+@@ -1248,6 +1248,10 @@ do_arg_all(
+ 
+     tabpage_T *new_lu_tp = curtab;
+ 
+    // Stop Visual mode, the cursor and "VIsual" may very well be invalid after
+    // switching to another buffer.
+    reset_VIsual_and_resel();
+
+     // Try closing all windows that are not in the argument list.
+     // Also close windows that are not full width;
+     // When 'hidden' or "forceit" set the buffer becomes hidden.
+diff --git a/src/misc1.c b/src/misc1.c
+index 90cf914742b115..142a6161ea6c8a 100644
+--- a/src/misc1.c
+++ b/src/misc1.c
+@@ -535,11 +535,15 @@ plines_m_win(win_T *wp, linenr_T first, linenr_T last, int limit_winheight)
+ gchar_pos(pos_T *pos)
+ {
+     char_u	*ptr;
+    int		ptrlen;
+ 
+     // When searching columns is sometimes put at the end of a line.
+     if (pos->col == MAXCOL)
+ 	return NUL;
+    ptrlen = STRLEN(ml_get(pos->lnum));
+     ptr = ml_get_pos(pos);
+    if (pos->col > ptrlen)
+	return NUL;
+     if (has_mbyte)
+ 	return (*mb_ptr2char)(ptr);
+     return (int)*ptr;
+diff --git a/src/testdir/test_visual.vim b/src/testdir/test_visual.vim
+index 0be73ecc1342b9..03335a464d62f3 100644
+--- a/src/testdir/test_visual.vim
+++ b/src/testdir/test_visual.vim
+@@ -469,7 +469,7 @@ func Test_Visual_Block()
+ 	      \ "\t{",
+ 	      \ "\t}"], getline(1, '$'))
+ 
+-  close!
+  bw!
+ endfunc
+ 
+ " Test for 'p'ut in visual block mode
+@@ -1079,7 +1079,7 @@ func Test_star_register()
+ 
+   delmarks < >
+   call assert_fails('*yank', 'E20:')
+-  close!
+  bw!
+ endfunc
+ 
+ " Test for changing text in visual mode with 'exclusive' selection
+@@ -1095,7 +1095,7 @@ func Test_exclusive_selection()
+   call assert_equal('l      one', getline(1))
+   set virtualedit&
+   set selection&
+-  close!
+  bw!
+ endfunc
+ 
+ " Test for starting linewise visual with a count.
+@@ -1152,7 +1152,7 @@ func Test_visual_inner_block()
+   8,9d
+   call cursor(5, 1)
+   call assert_beeps('normal ViBiB')
+-  close!
+  bw!
+ endfunc
+ 
+ func Test_visual_put_in_block()
+@@ -1587,4 +1587,22 @@ func Test_Visual_r_CTRL_C()
+   bw!
+ endfu
+ 
+" the following caused a Heap-Overflow, because Vim was accessing outside of a
+" line end
+func Test_visual_pos_buffer_heap_overflow()
+  set virtualedit=all
+  args Xa Xb
+  all
+  call setline(1, ['', '', ''])
+  call cursor(3, 1)
+  wincmd w
+  call setline(1, 'foobar')
+  normal! $lv0
+  all
+  call setreg('"', 'baz')
+  normal! [P
+  set virtualedit=
+  bw! Xa Xb
+endfunc
+
+ " vim: shiftwidth=2 sts=2 expandtab
+-- 
+2.43.0
+
--- a/backport-CVE-2025-24014.patch
+++ b/backport-CVE-2025-24014.patch
@ -0,0 +1,42 @@
+From 9d1bed5eccdbb46a26b8a484f5e9163c40e63919 Mon Sep 17 00:00:00 2001
+From: Christian Brabandt <cb@256bit.org>
+Date: Mon, 20 Jan 2025 22:55:57 +0100
+Subject: [PATCH] patch 9.1.1043: [security]: segfault in win_line()
+
+Problem:  [security]: segfault in win_line()
+          (fizz-is-on-the-way)
+Solution: Check that ScreenLines is not NULL
+
+Github Advisory:
+https://github.com/vim/vim/security/advisories/GHSA-j3g9-wg22-v955
+
+Signed-off-by: Christian Brabandt <cb@256bit.org>
+---
+ src/gui.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/src/gui.c b/src/gui.c
+index 8e7b079a5a4ea4..86c40de632aa1e 100644
+--- a/src/gui.c
+++ b/src/gui.c
+@@ -4471,13 +4471,15 @@ gui_do_scroll(void)
+     /*
+      * Don't call updateWindow() when nothing has changed (it will overwrite
+      * the status line!).
+     *
+     * Check for ScreenLines, because in ex-mode, we don't have a valid display.
+      */
+-    if (old_topline != wp->w_topline
+    if (ScreenLines != NULL && (old_topline != wp->w_topline
+ 	    || wp->w_redr_type != 0
+ #ifdef FEAT_DIFF
+ 	    || old_topfill != wp->w_topfill
+ #endif
+-	    )
+	    ))
+     {
+ 	int type = UPD_VALID;
+ 
+-- 
+2.43.0
+
--- a/backport-patch-9.1.0038-Unnecessary-loop-in-getvcol.patch
+++ b/backport-patch-9.1.0038-Unnecessary-loop-in-getvcol.patch
@ -0,0 +1,91 @@
+From 4ea37f88e8345ca830271636a2e197a1a46114d2 Mon Sep 17 00:00:00 2001
+From: zeertzjq <zeertzjq@outlook.com>
+Date: Wed, 17 Jan 2024 20:52:13 +0100
+Subject: [PATCH] patch 9.1.0038: Unnecessary loop in getvcol()
+
+Problem:  Unnecessary loop in getvcol().
+Solution: Compare next char position with pos->col directly.
+          (zeertzjq)
+
+The loop below already handles end of line before checking for posptr,
+and the next char is after pos->col whether pos->col is at the start or
+in the middle of the char in question, so neither the NUL check nor the
+mb_head_off() are needed when comparing the position of the next char
+with pos->col directly.
+
+closes: #13878
+
+Signed-off-by: zeertzjq <zeertzjq@outlook.com>
+Signed-off-by: Christian Brabandt <cb@256bit.org>
+---
+ src/charset.c | 30 ++++++------------------------
+ 1 files changed, 6 insertions(+), 24 deletions(-)
+
+diff --git a/src/charset.c b/src/charset.c
+index 3ea2ecb8e216c2..eef2e8983c280e 100644
+--- a/src/charset.c
+++ b/src/charset.c
+@@ -1482,7 +1482,6 @@ getvcol(
+ {
+     colnr_T	vcol;
+     char_u	*ptr;		// points to current char
+-    char_u	*posptr;	// points to char at pos->col
+     char_u	*line;		// start of the line
+     int		incr;
+     int		head;
+@@ -1498,24 +1497,6 @@ getvcol(
+ 
+     vcol = 0;
+     line = ptr = ml_get_buf(wp->w_buffer, pos->lnum, FALSE);
+-    if (pos->col == MAXCOL)
+-	posptr = NULL;  // continue until the NUL
+-    else
+-    {
+-	colnr_T i;
+-
+-	// In a few cases the position can be beyond the end of the line.
+-	for (i = 0; i < pos->col; ++i)
+-	    if (ptr[i] == NUL)
+-	    {
+-		pos->col = i;
+-		break;
+-	    }
+-	posptr = ptr + pos->col;
+-	if (has_mbyte)
+-	    // always start on the first byte
+-	    posptr -= (*mb_head_off)(line, posptr);
+-    }
+ 
+     init_chartabsize_arg(&cts, wp, pos->lnum, 0, line, line);
+     cts.cts_max_head_vcol = -1;
+@@ -1577,11 +1558,12 @@ getvcol(
+ 		    incr = g_chartab[c] & CT_CELL_MASK;
+ 	    }
+ 
+-	    if (posptr != NULL && ptr >= posptr) // character at pos->col
+	    char_u *next_ptr = ptr + (*mb_ptr2len)(ptr);
+	    if (next_ptr - line > pos->col) // character at pos->col
+ 		break;
+ 
+ 	    vcol += incr;
+-	    MB_PTR_ADV(ptr);
+	    ptr = next_ptr;
+ 	}
+     }
+     else
+@@ -1609,12 +1591,12 @@ getvcol(
+ 		wp->w_virtcol_first_char = cts.cts_first_char;
+ #endif
+ 
+-	    if (posptr != NULL && cts.cts_ptr >= posptr)
+-		// character at pos->col
+	    char_u *next_ptr = cts.cts_ptr + (*mb_ptr2len)(cts.cts_ptr);
+	    if (next_ptr - line > pos->col) // character at pos->col
+ 		break;
+ 
+ 	    cts.cts_vcol += incr;
+-	    MB_PTR_ADV(cts.cts_ptr);
+	    cts.cts_ptr = next_ptr;
+ 	}
+ 	vcol = cts.cts_vcol;
+ 	ptr = cts.cts_ptr;
--- a/vim.spec
+++ b/vim.spec
@ -14,7 +14,7 @@
 Name:           vim
 Epoch:          2
 Version:        %{baseversion}.%{patchlevel}
-Release:        15
+Release:        16
 Summary:        Vim is a highly configurable text editor for efficiently creating and changing any kind of text.
 License:        Vim and MIT
 URL:            http://www.vim.org
@ -53,6 +53,9 @@ Patch6018:      backport-CVE-2024-43802.patch
 Patch6019:      backport-patch-9.1.0722-crash-with-large-id-in-text_prop-interface.patch
 Patch6020:      backport-patch-9.1.0730-crash-with-cursor-screenline-and-narrow-window.patch
 Patch6021:      backport-patch-9.1.0918-tiny-vim-crashes-with-fuzzy-buffer-completion.patch
+Patch6022:      backport-patch-9.1.0038-Unnecessary-loop-in-getvcol.patch
+Patch6023:      backport-CVE-2025-22134.patch
+Patch6024:      backport-CVE-2025-24014.patch

 Patch9000:      bugfix-rm-modify-info-version.patch
 Patch9001:      fix-CVE-2024-47814.patch
@ -461,6 +464,12 @@ LC_ALL=en_US.UTF-8 make -j1 test || echo "Warning: Please check tests."
 %{_mandir}/man1/evim.*

 %changelog
+* Mon Jan 20 2025 wangjiang <app@cameyan.com> - 2:9.0.2092-16
+- Type:CVE
+- ID:CVE-2025-22134 CVE-2025-24014
+- SUG:NA
+- DESC:CVE-2025-22134 CVE-2025-24014
+
 * Fri Dec 13 2024 wangjiang <app@cameyan.com> - 2:9.0.2092-15
 - Type:bugfix
 - ID:NA