fix CVE-2021-4166CVE-2021-4192CVE-2021-4193

2022-01-08 17:41:21 +08:00 · 2022-01-08 17:41:21 +08:00 · 05db21ac11
commit 05db21ac11
parent c0d8f10409
8 changed files with 544 additions and 1 deletions
--- a/backport-CVE-2021-4166.patch
+++ b/backport-CVE-2021-4166.patch
@ -0,0 +1,61 @@
+From 6f98371532fcff911b462d51bc64f2ce8a6ae682 Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Fri, 24 Dec 2021 18:11:27 +0000
+Subject: [PATCH] patch 8.2.3884: crash when clearing the argument list while
+ using it
+Conflict:NA
+Reference:https://github.com/vim/vim/commit/6f98371532fcff911b462d51bc64f2ce8a6ae682
+
+Problem:    Crash when clearing the argument list while using it.
+Solution:   Lock the argument list for ":all".
+---
+ src/arglist.c                | 3 +++
+ src/testdir/test_arglist.vim | 7 +++++++
+ 2 files changed, 10 insertions(+)
+
+diff --git a/src/arglist.c b/src/arglist.c
+index 21c38c1..cdd70ca 100644
+--- a/src/arglist.c
+++ b/src/arglist.c
+@@ -902,6 +902,7 @@ do_arg_all(
+     tabpage_T	*old_curtab, *last_curtab;
+     win_T	*new_curwin = NULL;
+     tabpage_T	*new_curtab = NULL;
+    int		prev_arglist_locked = arglist_locked;
+ 
+     if (ARGCOUNT <= 0)
+     {
+@@ -921,6 +922,7 @@ do_arg_all(
+     // watch out for its size to be changed.
+     alist = curwin->w_alist;
+     ++alist->al_refcount;
+    arglist_locked = TRUE;
+ 
+     old_curwin = curwin;
+     old_curtab = curtab;
+@@ -1132,6 +1134,7 @@ do_arg_all(
+ 
+     // Remove the "lock" on the argument list.
+     alist_unlink(alist);
+    arglist_locked = prev_arglist_locked;
+ 
+     --autocmd_no_enter;
+ 
+diff --git a/src/testdir/test_arglist.vim b/src/testdir/test_arglist.vim
+index c486b18..1c94fe9 100644
+--- a/src/testdir/test_arglist.vim
+++ b/src/testdir/test_arglist.vim
+@@ -505,3 +505,10 @@ func Test_argdo()
+   call assert_equal(['Xa.c', 'Xb.c', 'Xc.c'], l)
+   bwipe Xa.c Xb.c Xc.c
+ endfunc
+
+func Test_clear_arglist_in_all()
+  n 0 00 000 0000 00000 000000
+  au! * 0 n 0
+  all
+  au! *
+endfunc
+-- 
+2.27.0
+
--- a/backport-CVE-2021-4192.patch
+++ b/backport-CVE-2021-4192.patch
@ -0,0 +1,65 @@
+From 4c13e5e6763c6eb36a343a2b8235ea227202e952 Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Thu, 30 Dec 2021 14:49:43 +0000
+Subject: [PATCH] patch 8.2.3949: using freed memory with /\%V
+Conflict:NA
+Reference:https://github.com/vim/vim/commit/4c13e5e6763c6eb36a343a2b8235ea227202e952
+
+Problem:    Using freed memory with /\%V.
+Solution:   Get the line again after getvvcol().
+---
+ src/regexp.c                      | 9 +++++++--
+ src/testdir/test_regexp_latin.vim | 8 ++++++++
+ 2 files changed, 15 insertions(+), 2 deletions(-)
+
+diff --git a/src/regexp.c b/src/regexp.c
+index 2e94e5a..6849cba 100644
+--- a/src/regexp.c
+++ b/src/regexp.c
+@@ -1276,9 +1276,9 @@ reg_match_visual(void)
+     if (lnum < top.lnum || lnum > bot.lnum)
+ 	return FALSE;
+ 
+    col = (colnr_T)(rex.input - rex.line);
+     if (mode == 'v')
+     {
+-	col = (colnr_T)(rex.input - rex.line);
+ 	if ((lnum == top.lnum && col < top.col)
+ 		|| (lnum == bot.lnum && col >= bot.col + (*p_sel != 'e')))
+ 	    return FALSE;
+@@ -1293,7 +1293,12 @@ reg_match_visual(void)
+ 	    end = end2;
+ 	if (top.col == MAXCOL || bot.col == MAXCOL)
+ 	    end = MAXCOL;
+-	cols = win_linetabsize(wp, rex.line, (colnr_T)(rex.input - rex.line));
+
+	// getvvcol() flushes rex.line, need to get it again
+	rex.line = reg_getline(rex.lnum);
+	rex.input = rex.line + col;
+
+	cols = win_linetabsize(wp, rex.line, col);
+ 	if (cols < start || cols > end - (*p_sel == 'e'))
+ 	    return FALSE;
+     }
+diff --git a/src/testdir/test_regexp_latin.vim b/src/testdir/test_regexp_latin.vim
+index 3168edc..044b678 100644
+--- a/src/testdir/test_regexp_latin.vim
+++ b/src/testdir/test_regexp_latin.vim
+@@ -39,6 +39,14 @@ func Test_recursive_substitute()
+   bwipe!
+ endfunc
+ 
+func Test_using_visual_position()
+  " this was using freed memory
+  new
+  exe "norm 0o\<Esc>\<C-V>k\<C-X>o0"
+  /\%V
+  bwipe!
+endfunc
+
+ func Test_nested_backrefs()
+   " Check example in change.txt.
+   new
+-- 
+2.27.0
+
--- a/backport-CVE-2021-4193.patch
+++ b/backport-CVE-2021-4193.patch
@ -0,0 +1,58 @@
+From 94f3192b03ed27474db80b4d3a409e107140738b Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Thu, 30 Dec 2021 15:29:18 +0000
+Subject: [PATCH] patch 8.2.3950: going beyond the end of the line with /\%V
+Conflict:NA
+Reference:https://github.com/vim/vim/commit/94f3192b03ed27474db80b4d3a409e107140738b
+
+Problem:    Going beyond the end of the line with /\%V.
+Solution:   Check for valid column in getvcol().
+
+---
+ src/charset.c                     | 13 +++++++++----
+ src/testdir/test_regexp_latin.vim |  8 ++++++++
+ 2 files changed, 17 insertions(+), 4 deletions(-)
+
+diff --git a/src/charset.c b/src/charset.c
+index 7505fea..a768c17 100644
+--- a/src/charset.c
+++ b/src/charset.c
+@@ -1226,10 +1226,15 @@ getvcol(
+ 	posptr = NULL;  // continue until the NUL
+     else
+     {
+-	// Special check for an empty line, which can happen on exit, when
+-	// ml_get_buf() always returns an empty string.
+-	if (*ptr == NUL)
+-	    pos->col = 0;
+	colnr_T i;
+
+	// In a few cases the position can be beyond the end of the line.
+	for (i = 0; i < pos->col; ++i)
+	    if (ptr[i] == NUL)
+	    {
+		pos->col = i;
+		break;
+	    }
+ 	posptr = ptr + pos->col;
+ 	if (has_mbyte)
+ 	    // always start on the first byte
+diff --git a/src/testdir/test_regexp_latin.vim b/src/testdir/test_regexp_latin.vim
+index 3168edc..4f52bac 100644
+--- a/src/testdir/test_regexp_latin.vim
+++ b/src/testdir/test_regexp_latin.vim
+@@ -149,3 +149,11 @@ func Test_using_mark_position()
+   call assert_fails("s/\\%')", 'E486:')
+   bwipe!
+ endfunc
+
+func Test_using_invalid_visual_position()
+  " this was going beyond the end of the line
+  new
+  exe "norm 0o000\<Esc>0\<C-V>$s0"
+  /\%V
+  bwipe!
+endfunc
+-- 
+2.27.0
+
--- a/backport-add-the-arglist_locked-flag.patch
+++ b/backport-add-the-arglist_locked-flag.patch
@ -0,0 +1,173 @@
+From 5ed58c7b700fcb9fd03c418300145b616f4bdcdd Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Thu, 28 Jan 2021 14:24:55 +0100
+Subject: [PATCH] patch 8.2.2421: double free when using autocommand with
+ "argdel"
+Conflict:NA
+Reference:https://github.com/vim/vim/commit/5ed58c7b700fcb9fd03c418300145b616f4bdcdd
+ 
+Problem:    Double free when using autocommand with "argdel". (Houyunsong)
+Solution:   Add the arglist_locked flag.
+
+---
+ src/arglist.c                | 47 +++++++++++++++++++++++++++++-------
+ src/testdir/test_autocmd.vim |  6 +++++
+ 2 files changed, 44 insertions(+), 9 deletions(-)
+
+diff --git a/src/arglist.c b/src/arglist.c
+index cab74f8..68befa4 100644
+--- a/src/arglist.c
+++ b/src/arglist.c
+@@ -17,12 +17,29 @@
+ #define AL_ADD	2
+ #define AL_DEL	3
+ 
+// This flag is set whenever the argument list is being changed and calling a
+// function that might trigger an autocommand.
+static int arglist_locked = FALSE;
+
+    static int
+check_arglist_locked(void)
+{
+    if (arglist_locked)
+    {
+	emsg(_(e_cannot_change_arglist_recursively));
+	return FAIL;
+    }
+    return OK;
+}
+
+ /*
+  * Clear an argument list: free all file names and reset it to zero entries.
+  */
+     void
+ alist_clear(alist_T *al)
+ {
+    if (check_arglist_locked() == FAIL)
+	return;
+     while (--al->al_ga.ga_len >= 0)
+ 	vim_free(AARGLIST(al)[al->al_ga.ga_len].ae_fname);
+     ga_clear(&al->al_ga);
+@@ -126,14 +143,9 @@ alist_set(
+     int		fnum_len)
+ {
+     int		i;
+-    static int  recursive = 0;
+ 
+-    if (recursive)
+-    {
+-	emsg(_(e_au_recursive));
+    if (check_arglist_locked() == FAIL)
+ 	return;
+-    }
+-    ++recursive;
+ 
+     alist_clear(al);
+     if (ga_grow(&al->al_ga, count) == OK)
+@@ -152,7 +164,11 @@ alist_set(
+ 	    // May set buffer name of a buffer previously used for the
+ 	    // argument list, so that it's re-used by alist_add.
+ 	    if (fnum_list != NULL && i < fnum_len)
+	    {
+		arglist_locked = TRUE;
+ 		buf_set_name(fnum_list[i], files[i]);
+		arglist_locked = FALSE;
+	    }
+ 
+ 	    alist_add(al, files[i], use_curbuf ? 2 : 1);
+ 	    ui_breakcheck();
+@@ -163,8 +179,6 @@ alist_set(
+ 	FreeWild(count, files);
+     if (al == &global_alist)
+ 	arg_had_last = FALSE;
+-
+-    --recursive;
+ }
+ 
+ /*
+@@ -179,6 +193,10 @@ alist_add(
+ {
+     if (fname == NULL)		// don't add NULL file names
+ 	return;
+    if (check_arglist_locked() == FAIL)
+	return;
+    arglist_locked = TRUE;
+
+ #ifdef BACKSLASH_IN_FILENAME
+     slash_adjust(fname);
+ #endif
+@@ -187,6 +205,8 @@ alist_add(
+ 	AARGLIST(al)[al->al_ga.ga_len].ae_fnum =
+ 	    buflist_add(fname, BLN_LISTED | (set_fnum == 2 ? BLN_CURBUF : 0));
+     ++al->al_ga.ga_len;
+
+    arglist_locked = FALSE;
+ }
+ 
+ #if defined(BACKSLASH_IN_FILENAME) || defined(PROTO)
+@@ -334,7 +354,8 @@ alist_add_list(
+     int		i;
+     int		old_argcount = ARGCOUNT;
+ 
+-    if (ga_grow(&ALIST(curwin)->al_ga, count) == OK)
+    if (check_arglist_locked() != FAIL
+	    && ga_grow(&ALIST(curwin)->al_ga, count) == OK)
+     {
+ 	if (after < 0)
+ 	    after = 0;
+@@ -343,6 +364,7 @@ alist_add_list(
+ 	if (after < ARGCOUNT)
+ 	    mch_memmove(&(ARGLIST[after + count]), &(ARGLIST[after]),
+ 				       (ARGCOUNT - after) * sizeof(aentry_T));
+	arglist_locked = TRUE;
+ 	for (i = 0; i < count; ++i)
+ 	{
+ 	    int flags = BLN_LISTED | (will_edit ? BLN_CURBUF : 0);
+@@ -350,6 +372,7 @@ alist_add_list(
+ 	    ARGLIST[after + i].ae_fname = files[i];
+ 	    ARGLIST[after + i].ae_fnum = buflist_add(files[i], flags);
+ 	}
+	arglist_locked = FALSE;
+ 	ALIST(curwin)->al_ga.ga_len += count;
+ 	if (old_argcount > 0 && curwin->w_arg_idx >= after)
+ 	    curwin->w_arg_idx += count;
+@@ -382,6 +405,9 @@ do_arglist(
+     int		match;
+     int		arg_escaped = TRUE;
+ 
+    if (check_arglist_locked() == FAIL)
+	return FAIL;
+
+     // Set default argument for ":argadd" command.
+     if (what == AL_ADD && *str == NUL)
+     {
+@@ -776,6 +802,9 @@ ex_argdelete(exarg_T *eap)
+     int		i;
+     int		n;
+ 
+    if (check_arglist_locked() == FAIL)
+	return;
+
+     if (eap->addr_count > 0 || *eap->arg == NUL)
+     {
+ 	// ":argdel" works like ":argdel"
+diff --git a/src/testdir/test_autocmd.vim b/src/testdir/test_autocmd.vim
+index ab02402..4fa3b51 100755
+--- a/src/testdir/test_autocmd.vim
+++ b/src/testdir/test_autocmd.vim
+@@ -147,6 +147,12 @@ func Test_autocmd_bufunload_with_tabnext()
+   quit
+ endfunc
+ 
+func Test_argdelete_in_next()
+  au BufNew,BufEnter,BufLeave,BufWinEnter * argdel
+  call assert_fails('next a b', 'E1156:')
+  au! BufNew,BufEnter,BufLeave,BufWinEnter *
+endfunc
+
+ func Test_autocmd_bufwinleave_with_tabfirst()
+   tabedit
+   augroup sample
+-- 
+2.27.0
+
--- a/backport-fix-arglist-test-fails.patch
+++ b/backport-fix-arglist-test-fails.patch
@ -0,0 +1,50 @@
+From 679140c56bbabf12a199d94f584b1b9dfc9809fd Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Fri, 24 Dec 2021 18:58:46 +0000
+Subject: [PATCH] patch 8.2.3885: arglist test fails
+Conflict:Abridged some of the notes
+Reference:https://github.com/vim/vim/commit/679140c56bbabf12a199d94f584b1b9dfc9809fd
+
+Problem:    Arglist test fails.
+Solution:   Adjust for locking the arglist for ":all".
+
+---
+ src/testdir/test_arglist.vim | 13 ++++++-------
+ 1 file changed, 6 insertions(+), 7 deletions(-)
+
+diff --git a/src/testdir/test_arglist.vim b/src/testdir/test_arglist.vim
+index 7ebe8a2..e5a5e89 100644
+--- a/src/testdir/test_arglist.vim
+++ b/src/testdir/test_arglist.vim
+@@ -470,15 +470,14 @@ func Test_arglist_autocmd()
+   new
+   " redefine arglist; go to Xxx1
+   next! Xxx1 Xxx2 Xxx3
+-  " open window for all args
+-  all
+  " open window for all args; Reading Xxx2 will try to change the arglist and
+  " that will fail
+  call assert_fails("all", "E1156:")
+   call assert_equal('test file Xxx1', getline(1))
+   wincmd w
+-  wincmd w
+-  call assert_equal('test file Xxx1', getline(1))
+-  " should now be in Xxx2
+-  rewind
+   call assert_equal('test file Xxx2', getline(1))
+  wincmd w
+  call assert_equal('test file Xxx3', getline(1))
+ 
+   autocmd! BufReadPost Xxx2
+   enew! | only
+@@ -515,6 +514,6 @@ endfunc
+ func Test_clear_arglist_in_all()
+   n 0 00 000 0000 00000 000000
+   au! * 0 n 0
+-  all
+  call assert_fails("all", "E1156")
+   au! *
+ endfunc
+-- 
+2.27.0
+
--- a/backport-fix-giving-the-error-0-more-files-to-edit.patch
+++ b/backport-fix-giving-the-error-0-more-files-to-edit.patch
@ -0,0 +1,94 @@
+From 7b22117c4ecf383b6f35acef041773a83ec28220 Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Mon, 17 Aug 2020 19:34:10 +0200
+Subject: [PATCH] patch 8.2.1472: ":argdel" does not work like ":.argdel" as
+ documented
+Conflict:NA
+Reference:https://github.com/vim/vim/commit/7b22117c4ecf383b6f35acef041773a83ec28220
+
+Problem:    ":argdel" does not work like ":.argdel" as documented. (Alexey
+            Demin)
+Solution:   Make ":argdel" work like ":.argdel". (closes #6727)
+            Also fix giving the error "0 more files to edit".
+
+---
+ src/arglist.c                | 18 +++++++++++++-----
+ src/ex_docmd.c               |  2 +-
+ src/testdir/test_arglist.vim | 10 ++++++++--
+ 3 files changed, 22 insertions(+), 8 deletions(-)
+
+diff --git a/src/arglist.c b/src/arglist.c
+index b1a6a0b..cab74f8 100644
+--- a/src/arglist.c
+++ b/src/arglist.c
+@@ -776,10 +776,20 @@ ex_argdelete(exarg_T *eap)
+     int		i;
+     int		n;
+ 
+-    if (eap->addr_count > 0)
+    if (eap->addr_count > 0 || *eap->arg == NUL)
+     {
+-	// ":1,4argdel": Delete all arguments in the range.
+-	if (eap->line2 > ARGCOUNT)
+	// ":argdel" works like ":argdel"
+	if (eap->addr_count == 0)
+	{
+	    if (curwin->w_arg_idx >= ARGCOUNT)
+	    {
+		emsg(_("E610: No argument to delete"));
+		return;
+	    }
+	    eap->line1 = eap->line2 = curwin->w_arg_idx + 1;
+	}
+	else if (eap->line2 > ARGCOUNT)
+	    // ":1,4argdel": Delete all arguments in the range.
+ 	    eap->line2 = ARGCOUNT;
+ 	n = eap->line2 - eap->line1 + 1;
+ 	if (*eap->arg != NUL)
+@@ -808,8 +818,6 @@ ex_argdelete(exarg_T *eap)
+ 		curwin->w_arg_idx = ARGCOUNT - 1;
+ 	}
+     }
+-    else if (*eap->arg == NUL)
+-	emsg(_(e_argreq));
+     else
+ 	do_arglist(eap->arg, AL_DEL, 0, FALSE);
+ #ifdef FEAT_TITLE
+diff --git a/src/ex_docmd.c b/src/ex_docmd.c
+index cb6b64a..dfcbf37 100644
+--- a/src/ex_docmd.c
+++ b/src/ex_docmd.c
+@@ -4719,7 +4719,7 @@ check_more(
+     int	    n = ARGCOUNT - curwin->w_arg_idx - 1;
+ 
+     if (!forceit && only_one_window()
+-	    && ARGCOUNT > 1 && !arg_had_last && n >= 0 && quitmore == 0)
+	    && ARGCOUNT > 1 && !arg_had_last && n > 0 && quitmore == 0)
+     {
+ 	if (message)
+ 	{
+diff --git a/src/testdir/test_arglist.vim b/src/testdir/test_arglist.vim
+index c486b18..3e1e175 100644
+--- a/src/testdir/test_arglist.vim
+++ b/src/testdir/test_arglist.vim
+@@ -416,9 +416,15 @@ func Test_argdelete()
+   last
+   argdelete %
+   call assert_equal(['b'], argv())
+-  call assert_fails('argdelete', 'E471:')
+  call assert_fails('argdelete', 'E610:')
+   call assert_fails('1,100argdelete', 'E16:')
+-  %argd
+
+  call Reset_arglist()
+  args a b c d
+  next
+  argdel
+  call Assert_argc(['a', 'c', 'd'])
+  %argdel
+ endfunc
+ 
+ func Test_argdelete_completion()
+-- 
+2.27.0
+
--- a/backport-missing-error-message.patch
+++ b/backport-missing-error-message.patch
@ -0,0 +1,29 @@
+From 61015162ba834541c42da5db6f3fa0ebe1d40e87 Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Thu, 28 Jan 2021 17:56:09 +0100
+Subject: [PATCH] patch 8.2.2423: missing error message
+Conflict:add missing error message
+Reference:https://github.com/vim/vim/commit/61015162ba834541c42da5db6f3fa0ebe1d40e87
+
+Problem:    Missing error message.
+Solution:   Add the error message.
+
+---
+ src/globals.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/globals.h b/src/globals.h
+index 009834c..872e895 100644
+--- a/src/globals.h
+++ b/src/globals.h
+@@ -1451,6 +1451,7 @@ EXTERN int netbeansSuppressNoLines INIT(= 0); // skip "No lines in buffer"
+  */
+ EXTERN char e_abort[]		INIT(= N_("E470: Command aborted"));
+ EXTERN char e_argreq[]	INIT(= N_("E471: Argument required"));
+EXTERN char e_cannot_change_arglist_recursively[]  INIT(= N_("E1156: Cannot change the argument list recursively"));
+ EXTERN char e_backslash[]	INIT(= N_("E10: \\ should be followed by /, ? or &"));
+ #ifdef FEAT_CMDWIN
+ EXTERN char e_cmdwin[]	INIT(= N_("E11: Invalid in command-line window; <CR> executes, CTRL-C quits"));
+-- 
+2.27.0
+
--- a/vim.spec
+++ b/vim.spec
@ -12,7 +12,7 @@
 Name:           vim
 Epoch:          2
 Version:        8.2
-Release:        18
+Release:        19
 Summary:        Vim is a highly configurable text editor for efficiently creating and changing any kind of text.
 License:        Vim and MIT
 URL:            http://www.vim.org
@ -62,6 +62,13 @@ Patch6025:      backport-Ruby-missing-function-prototype.patch
 Patch6026:      backport-build-failure-with-some-Ruby-versions.patch
 Patch6027:      backport-compilation-error-with-Ruby-3.0.patch
 Patch6028:      backport-build-failure-with-Ruby-3.0-and-32-bits.patch
+Patch6029:      backport-missing-error-message.patch
+Patch6030:      backport-fix-giving-the-error-0-more-files-to-edit.patch
+Patch6031:      backport-add-the-arglist_locked-flag.patch
+Patch6032:      backport-CVE-2021-4166.patch
+Patch6033:      backport-fix-arglist-test-fails.patch
+Patch6034:      backport-CVE-2021-4192.patch
+Patch6035:      backport-CVE-2021-4193.patch

 Patch9000:      bugfix-rm-modify-info-version.patch

@ -450,6 +457,12 @@ popd
 %{_mandir}/man1/evim.*

 %changelog
+* Mon Jan 17 2022 yuanxin<yuanxin24@huawei.com> - 2:8.2-19
+- Type:CVE
+- ID:CVE-2021-4166 CVE-2021-4192 CVE-2021-4193
+- SUG:NA
+- DESC:fix CVE-2021-4166 CVE-2021-4192 CVE-2021-4193
+
 * Tue Jan 04 2022 shixuantong<shixuantong@huawei.com> - 2:8.2-18
 - Type:bugfix
 - ID:NA