fix CVE-2022-3234,CVE-2022-3235

(cherry picked from commit 3d21769aa1662e5f11db81ce3b0cece350d65b38)
2022-09-20 14:16:51 +08:00 · 2022-09-20 14:16:51 +08:00 · 0687988b4c
commit 0687988b4c
parent 56c77ff05a
3 changed files with 160 additions and 1 deletions
--- a/backport-CVE-2022-3234.patch
+++ b/backport-CVE-2022-3234.patch
@ -0,0 +1,78 @@
+From c249913edc35c0e666d783bfc21595cf9f7d9e0d Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Fri, 16 Sep 2022 22:16:59 +0100
+Subject: [PATCH] patch 9.0.0483: illegal memory access when replacing in
+ virtualedit mode
+
+Problem:    Illegal memory access when replacing in virtualedit mode.
+Solution:   Check for replacing NUL after Tab.
+---
+ src/ops.c                        | 12 ++++++++++--
+ src/testdir/test_virtualedit.vim | 14 ++++++++++++++
+ 2 files changed, 24 insertions(+), 2 deletions(-)
+
+diff --git a/src/ops.c b/src/ops.c
+index 9926c00..b4185c7 100644
+--- a/src/ops.c
+++ b/src/ops.c
+@@ -1183,6 +1183,8 @@ op_replace(oparg_T *oap, int c)
+ 
+ 	while (LTOREQ_POS(curwin->w_cursor, oap->end))
+ 	{
+	    int done = FALSE;
+
+ 	    n = gchar_cursor();
+ 	    if (n != NUL)
+ 	    {
+@@ -1193,6 +1195,7 @@ op_replace(oparg_T *oap, int c)
+ 		    if (curwin->w_cursor.lnum == oap->end.lnum)
+ 			oap->end.col += (*mb_char2len)(c) - (*mb_char2len)(n);
+ 		    replace_character(c);
+		    done = TRUE;
+ 		}
+ 		else
+ 		{
+@@ -1211,10 +1214,15 @@ op_replace(oparg_T *oap, int c)
+ 			if (curwin->w_cursor.lnum == oap->end.lnum)
+ 			    getvpos(&oap->end, end_vcol);
+ 		    }
+-		    PBYTE(curwin->w_cursor, c);
+		    // with "coladd" set may move to just after a TAB
+		    if (gchar_cursor() != NUL)
+		    {
+			PBYTE(curwin->w_cursor, c);
+			done = TRUE;
+		    }
+ 		}
+ 	    }
+-	    else if (virtual_op && curwin->w_cursor.lnum == oap->end.lnum)
+	    if (!done && virtual_op && curwin->w_cursor.lnum == oap->end.lnum)
+ 	    {
+ 		int virtcols = oap->end.coladd;
+ 
+diff --git a/src/testdir/test_virtualedit.vim b/src/testdir/test_virtualedit.vim
+index 25ca33f..451a996 100644
+--- a/src/testdir/test_virtualedit.vim
+++ b/src/testdir/test_virtualedit.vim
+@@ -343,4 +343,18 @@ func Test_yank_paste_small_del_reg()
+   set virtualedit=
+ endfunc
+ 
+" this was replacing the NUL at the end of the line 
+func Test_virtualedit_replace_after_tab()
+  new
+  s/\v/	0
+  set ve=all
+  let @" = ''
+  sil! norm vPvr0
+  
+  call assert_equal("\t0", getline(1))
+  set ve&
+  bwipe!
+endfunc
+
+
+ " vim: shiftwidth=2 sts=2 expandtab
+-- 
+2.27.0
+
--- a/backport-CVE-2022-3235.patch
+++ b/backport-CVE-2022-3235.patch
@ -0,0 +1,73 @@
+From 1c3dd8ddcba63c1af5112e567215b3cec2de11d0 Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Sat, 17 Sep 2022 19:43:23 +0100
+Subject: [PATCH] patch 9.0.0490: using freed memory with cmdwin and BufEnter
+ autocmd
+
+Problem:    Using freed memory with cmdwin and BufEnter autocmd.
+Solution:   Make sure pointer to b_p_iminsert is still valid.
+---
+ src/ex_getln.c               |  6 +++++-
+ src/testdir/test_cmdline.vim | 10 ++++++++++
+ 2 files changed, 15 insertions(+), 1 deletion(-)
+
+diff --git a/src/ex_getln.c b/src/ex_getln.c
+index 8383eee..b299bd0 100644
+--- a/src/ex_getln.c
+++ b/src/ex_getln.c
+@@ -817,6 +817,7 @@ getcmdline_int(
+ #endif
+     expand_T	xpc;
+     long	*b_im_ptr = NULL;
+    buf_T	*b_im_ptr_buf = NULL;	// buffer where b_im_ptr is valid
+     cmdline_info_T save_ccline;
+     int		did_save_ccline = FALSE;
+     int		cmdline_type;
+@@ -938,6 +939,7 @@ getcmdline_int(
+ 	    b_im_ptr = &curbuf->b_p_iminsert;
+ 	else
+ 	    b_im_ptr = &curbuf->b_p_imsearch;
+	b_im_ptr_buf = curbuf;
+ 	if (*b_im_ptr == B_IMODE_LMAP)
+ 	    State |= LANGMAP;
+ #ifdef HAVE_INPUT_METHOD
+@@ -1666,6 +1668,7 @@ getcmdline_int(
+ 		goto cmdline_not_changed;
+ 
+ 	case Ctrl_HAT:
+		b_im_ptr = buf_valid(b_im_ptr_buf) ? b_im_ptr : NULL;
+ 		if (map_to_exists_mode((char_u *)"", LANGMAP, FALSE))
+ 		{
+ 		    // ":lmap" mappings exists, toggle use of mappings.
+@@ -2430,7 +2433,8 @@ returncmd:
+ 
+     State = save_State;
+ #ifdef HAVE_INPUT_METHOD
+-    if (b_im_ptr != NULL && *b_im_ptr != B_IMODE_LMAP)
+    if (b_im_ptr != NULL && buf_valid(b_im_ptr_buf)
+						  && *b_im_ptr != B_IMODE_LMAP)
+ 	im_save_status(b_im_ptr);
+     im_set_active(FALSE);
+ #endif
+diff --git a/src/testdir/test_cmdline.vim b/src/testdir/test_cmdline.vim
+index 68852a7..c442d7f 100644
+--- a/src/testdir/test_cmdline.vim
+++ b/src/testdir/test_cmdline.vim
+@@ -952,4 +952,14 @@ func Test_cmdline_expand_special()
+   call assert_fails('e <amatch>', 'E497:')
+ endfunc
+ 
+" This was using a pointer to a freed buffer
+func Test_cmdwin_freed_buffer_ptr()
+  au BufEnter * next 0| file 
+  edit 0
+  silent! norm q/
+
+  au! BufEnter
+  bwipe!
+endfunc
+
+ " vim: shiftwidth=2 sts=2 expandtab
+-- 
+2.27.0
+
--- a/vim.spec
+++ b/vim.spec
@ -12,7 +12,7 @@
 Name:           vim
 Epoch:          2
 Version:        8.2
-Release:        65
+Release:        66
 Summary:        Vim is a highly configurable text editor for efficiently creating and changing any kind of text.
 License:        Vim and MIT
 URL:            http://www.vim.org
@ -185,6 +185,8 @@ Patch6143:      backport-patch-8.2.4152-block-insert-with-double-wide-charact.pa
 Patch6144:      backport-patch-8.2.0195-some-tests-fail-when-run-in-the-GUI.patch
 Patch6145:      backport-CVE-2022-3099.patch
 Patch6146:      backport-CVE-2022-3134.patch 
+Patch6147:      backport-CVE-2022-3234.patch
+Patch6148:      backport-CVE-2022-3235.patch

 BuildRequires:  autoconf python3-devel ncurses-devel gettext perl-devel perl-generators gcc
 BuildRequires:  perl(ExtUtils::Embed) perl(ExtUtils::ParseXS) libacl-devel gpm-devel file
@ -573,6 +575,12 @@ LC_ALL=en_US.UTF-8 make -j1 test
 %{_mandir}/man1/evim.*

 %changelog
+* Tue Sep 20 2022 dongyuzhen <dongyuzhen@h-partners.com> - 2:8.2-66
+- Type:CVE
+- ID:CVE-2022-3234 CVE-2022-3235
+- SUG:NA
+- DESC:fix CVE-2022-3234 CVE-2022-3235
+
 * Tue Sep 13 2022 wangjiang <wangjiang37@h-partners.com> - 2:8.2-65
 - Type:CVE
 - ID:CVE-2022-3134