fix CVE-2022-0351 CVE-2022-0361 CVE-2022-0408 CVE-2022-0359 CVE-2022-0368 CVE-2022-0413

(cherry picked from commit 13e64223e934a5ac08bf434b998cf45530cc6822)
2022-02-07 19:25:58 +08:00 · 2022-02-07 19:25:58 +08:00 · 0842389d6c
commit 0842389d6c
parent d3fc029884
7 changed files with 402 additions and 1 deletions
--- a/backport-CVE-2022-0351.patch
+++ b/backport-CVE-2022-0351.patch
@ -0,0 +1,78 @@
+From: Bram Moolenaar <Bram@vim.org>
+Date: Mon, 24 Jan 2022 18:16:12 +0000
+Subject: [PATCH] patch 8.2.4206: condition with many "(" causes a crash
+
+Problem:    Condition with many "(" causes a crash.
+Solution:   Limit recursion to 1000.
+---
+ src/eval.c                      | 12 ++++++++++++
+ src/globals.h                   |  2 ++
+ src/testdir/test_eval_stuff.vim |  5 +++++
+ 3 files changed, 19 insertions(+)
+
+diff --git a/src/eval.c b/src/eval.c
+index 3b563f7..95dda90 100644
+--- a/src/eval.c
+++ b/src/eval.c
+@@ -2495,6 +2495,7 @@ eval7(
+     char_u	*start_leader, *end_leader;
+     int		ret = OK;
+     char_u	*alias;
+    static	int recurse = 0;
+ 
+     /*
+      * Initialise variable so that clear_tv() can't mistake this for a
+@@ -2521,6 +2522,15 @@ eval7(
+ 	return FAIL;
+     }
+ 
+    // Limit recursion to 1000 levels.  At least at 10000 we run out of stack
+    // and crash.
+    if (recurse == 1000)
+    {
+	semsg(_(e_expression_too_recursive_str), *arg);
+	return FAIL;
+    }
+    ++recurse;
+
+     switch (**arg)
+     {
+     /*
+@@ -2761,6 +2771,8 @@ eval7(
+      */
+     if (ret == OK && evaluate && end_leader > start_leader)
+ 	ret = eval7_leader(rettv, start_leader, &end_leader);
+
+    --recurse;
+     return ret;
+ }
+ 
+diff --git a/src/globals.h b/src/globals.h
+index 75092b7..659bad6 100644
+--- a/src/globals.h
+++ b/src/globals.h
+@@ -1464,6 +1464,8 @@ EXTERN char e_endwhile[]	INIT(= N_("E170: Missing :endwhile"));
+ EXTERN char e_endfor[]	INIT(= N_("E170: Missing :endfor"));
+ EXTERN char e_while[]		INIT(= N_("E588: :endwhile without :while"));
+ EXTERN char e_for[]		INIT(= N_("E588: :endfor without :for"));
+EXTERN char e_expression_too_recursive_str[]
+       INIT(= N_("E1169: Expression too recursive: %s"));
+ #endif
+ EXTERN char e_exists[]	INIT(= N_("E13: File exists (add ! to override)"));
+ EXTERN char e_failed[]	INIT(= N_("E472: Command failed"));
+diff --git a/src/testdir/test_eval_stuff.vim b/src/testdir/test_eval_stuff.vim
+index ec566da..32a5411 100644
+--- a/src/testdir/test_eval_stuff.vim
+++ b/src/testdir/test_eval_stuff.vim
+@@ -216,3 +216,8 @@ func Test_scriptversion_fail()
+   call assert_fails('source Xversionscript', 'E999:')
+   call delete('Xversionscript')
+ endfunc
+
+func Test_deep_recursion()
+  " this was running out of stack
+  call assert_fails("exe 'if ' .. repeat('(', 1002)", 'E1169: Expression too recursive: ((')+endfunc
+endfunc
+-- 
+1.8.3.1
+
--- a/backport-CVE-2022-0359.patch
+++ b/backport-CVE-2022-0359.patch
@ -0,0 +1,28 @@
+From 85b6747abc15a7a81086db31289cf1b8b17e6cb1 Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Tue, 25 Jan 2022 11:55:02 +0000
+Subject: [PATCH] patch 8.2.4214: illegal memory access with large 'tabstop' in
+ Ex mode
+
+Problem:    Illegal memory access with large 'tabstop' in Ex mode.
+Solution:   Allocate enough memory.
+---
+ src/ex_getln.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/ex_getln.c b/src/ex_getln.c
+index 769dcb8..68b4757 100644
+--- a/src/ex_getln.c
+++ b/src/ex_getln.c
+@@ -856,7 +856,7 @@ getcmdline_int(
+     ccline.cmdindent = (firstc > 0 ? indent : 0);
+ 
+     // alloc initial ccline.cmdbuff
+-    alloc_cmdbuff(exmode_active ? 250 : indent + 1);
+    alloc_cmdbuff(indent + 50);
+     if (ccline.cmdbuff == NULL)
+ 	goto theend;	// out of memory
+     ccline.cmdlen = ccline.cmdpos = 0;
+-- 
+1.8.3.1
+
--- a/backport-CVE-2022-0361.patch
+++ b/backport-CVE-2022-0361.patch
@ -0,0 +1,51 @@
+From dc5490e2cbc8c16022a23b449b48c1bd0083f366 Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Tue, 25 Jan 2022 13:52:53 +0000
+Subject: [PATCH] patch 8.2.4215: illegal memory access when copying lines in
+ Visual mode
+
+Problem:    Illegal memory access when copying lines in Visual mode.
+Solution:   Adjust the Visual position after copying lines.
+---
+ src/ex_cmds.c               |  2 ++
+ src/testdir/test_visual.vim | 11 +++++++++++
+ 2 files changed, 13 insertions(+)
+
+diff --git a/src/ex_cmds.c b/src/ex_cmds.c
+index 8f6444f..cccdf47 100644
+--- a/src/ex_cmds.c
+++ b/src/ex_cmds.c
+@@ -864,6 +864,8 @@ ex_copy(linenr_T line1, linenr_T line2, linenr_T n)
+     }
+ 
+     appended_lines_mark(n, count);
+    if (VIsual_active)
+	check_pos(curbuf, &VIsual);
+ 
+     msgmore((long)count);
+ }
+diff --git a/src/testdir/test_visual.vim b/src/testdir/test_visual.vim
+index 3ed927a..dbc28eb 100644
+--- a/src/testdir/test_visual.vim
+++ b/src/testdir/test_visual.vim
+@@ -659,6 +659,17 @@ func Test_linewise_select_mode()
+   exe "normal GkkgH\<Del>"
+   call assert_equal(['', 'b', 'c'], getline(1, '$'))
+ 
+" this was leaving the end of the Visual area beyond the end of a line
+func Test_visual_ex_copy_line()
+  new
+  call setline(1, ["aaa", "bbbbbbbbbxbb"])
+  /x
+  exe "normal ggvjfxO"
+  t0
+  normal gNU
+  bwipe!
+endfunc
+
+ 
+   " linewise select mode: delete middle two lines
+   call deletebufline('', 1, '$')
+-- 
+1.8.3.1
+
--- a/backport-CVE-2022-0368.patch
+++ b/backport-CVE-2022-0368.patch
@ -0,0 +1,55 @@
+From 8d02ce1ed75d008c34a5c9aaa51b67cbb9d33baa Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Tue, 25 Jan 2022 18:24:00 +0000
+Subject: [PATCH] patch 8.2.4217: illegal memory access when undo makes Visual
+ area invalid
+
+Problem:    Illegal memory access when undo makes Visual area invalid.
+Solution:   Correct the Visual area after undo.
+---
+ src/testdir/test_visual.vim | 15 +++++++++++++++
+ src/undo.c                  |  2 ++
+ 2 files changed, 17 insertions(+)
+
+diff --git a/src/testdir/test_visual.vim b/src/testdir/test_visual.vim
+index dbc28eb..cf7e351 100644
+--- a/src/testdir/test_visual.vim
+++ b/src/testdir/test_visual.vim
+@@ -670,6 +670,21 @@ func Test_visual_ex_copy_line()
+   bwipe!
+ endfunc
+ 
+" This was leaving the end of the Visual area beyond the end of a line.
+" Set 'undolevels' to start a new undo block.
+func Test_visual_undo_deletes_last_line()
+  new
+  call setline(1, ["aaa", "ccc", "dyd"])
+  set undolevels=100
+  exe "normal obbbbbbbbbxbb\<Esc>"
+  set undolevels=100
+  /y
+  exe "normal ggvjfxO"
+  undo
+  normal gNU
+  bwipe!
+endfunc
+
+ 
+   " linewise select mode: delete middle two lines
+   call deletebufline('', 1, '$')
+diff --git a/src/undo.c b/src/undo.c
+index 54a6e1c..706dee9 100644
+--- a/src/undo.c
+++ b/src/undo.c
+@@ -2985,6 +2985,8 @@ u_undo_end(
+ 	}
+     }
+ #endif
+    if (VIsual_active)
+	check_pos(curbuf, &VIsual);
+ 
+     smsg_attr_keep(0, _("%ld %s; %s #%ld  %s"),
+ 	    u_oldcount < 0 ? -u_oldcount : u_oldcount,
+-- 
+1.8.3.1
+
--- a/backport-CVE-2022-0408.patch
+++ b/backport-CVE-2022-0408.patch
@ -0,0 +1,92 @@
+From 06f15416bb8d5636200a10776f1752c4d6e49f31 Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Sat, 29 Jan 2022 10:51:59 +0000
+Subject: [PATCH] patch 8.2.4247: stack corruption when looking for spell
+ suggestions
+
+Problem:    Stack corruption when looking for spell suggestions.
+Solution:   Prevent the depth increased too much.  Add a five second time
+limit to finding suggestions.
+---
+ src/spellsuggest.c         | 17 +++++++++++++++--
+ src/testdir/test_spell.vim |  8 ++++++++
+ 2 files changed, 23 insertions(+), 2 deletions(-)
+
+diff --git a/src/spellsuggest.c b/src/spellsuggest.c
+index 8615d52..a73e695 100644
+--- a/src/spellsuggest.c
+++ b/src/spellsuggest.c
+@@ -1187,7 +1187,7 @@ suggest_try_change(suginfo_T *su)
+ 
+ // Check the maximum score, if we go over it we won't try this change.
+ #define TRY_DEEPER(su, stack, depth, add) \
+-		(stack[depth].ts_score + (add) < su->su_maxscore)
+	   (depth < MAXWLEN && stack[depth].ts_score + (add) < su->su_maxscore)
+ 
+ /*
+  * Try finding suggestions by adding/removing/swapping letters.
+@@ -1259,6 +1259,9 @@ suggest_trie_walk(
+     char_u	changename[MAXWLEN][80];
+ #endif
+     int		breakcheckcount = 1000;
+#ifdef FEAT_RELTIME
+    proftime_T	time_limit;
+#endif
+     int		compound_ok;
+ 
+     // Go through the whole case-fold tree, try changes at each node.
+@@ -1303,6 +1306,11 @@ suggest_trie_walk(
+ 	    sp->ts_state = STATE_START;
+ 	}
+     }
+#ifdef FEAT_RELTIME
+    // The loop may take an indefinite amount of time. Break out after five
+    // sectonds. TODO: add an option for the time limit.
+    profile_setlimit(5000, &time_limit);
+#endif
+ 
+     // Loop to find all suggestions.  At each round we either:
+     // - For the current state try one operation, advance "ts_curi",
+@@ -1337,7 +1345,8 @@ suggest_trie_walk(
+ 
+ 		// At end of a prefix or at start of prefixtree: check for
+ 		// following word.
+-		if (byts[arridx] == 0 || n == (int)STATE_NOPREFIX)
+		if (depth < MAXWLEN
+			    && (byts[arridx] == 0 || n == (int)STATE_NOPREFIX))
+ 		{
+ 		    // Set su->su_badflags to the caps type at this position.
+ 		    // Use the caps type until here for the prefix itself.
+@@ -2630,6 +2639,10 @@ suggest_trie_walk(
+ 	    {
+ 		ui_breakcheck();
+ 		breakcheckcount = 1000;
+#ifdef FEAT_RELTIME
+		if (profile_passed_limit(&time_limit))
+		    got_int = TRUE;
+#endif
+ 	    }
+ 	}
+     }
+diff --git a/src/testdir/test_spell.vim b/src/testdir/test_spell.vim
+index e435e91..271d034 100644
+--- a/src/testdir/test_spell.vim
+++ b/src/testdir/test_spell.vim
+@@ -427,6 +427,14 @@ func Test_spell_long_word()
+   set nospell
+ endfunc
+ 
+func Test_spellsuggest_too_deep()
+  " This was incrementing "depth" over MAXWLEN.
+  new
+  norm s000G00ý000000000000
+  sil norm ..vzG................vvzG0     v z=
+  bwipe!
+endfunc
+
+ func LoadAffAndDic(aff_contents, dic_contents)
+   set enc=latin1
+   set spellfile=
+-- 
+1.8.3.1
+
--- a/backport-CVE-2022-0413.patch
+++ b/backport-CVE-2022-0413.patch
@ -0,0 +1,85 @@
+From 37f47958b8a2a44abc60614271d9537e7f14e51a Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Sat, 29 Jan 2022 14:21:51 +0000
+Subject: [PATCH] patch 8.2.4253: using freed memory when substitute with
+ function call
+
+Problem:    Using freed memory when substitute uses a recursive function call.
+Solution:   Make a copy of the substitute text.
+---
+ src/ex_cmds.c                   | 19 +++++++++++++++----
+ src/testdir/test_substitute.vim | 16 ++++++++++++++++
+ 2 files changed, 31 insertions(+), 4 deletions(-)
+
+diff --git a/src/ex_cmds.c b/src/ex_cmds.c
+index cccdf47..aa97b40 100644
+--- a/src/ex_cmds.c
+++ b/src/ex_cmds.c
+@@ -3577,6 +3577,7 @@ do_sub(exarg_T *eap)
+     int		save_do_all;		// remember user specified 'g' flag
+     int		save_do_ask;		// remember user specified 'c' flag
+     char_u	*pat = NULL, *sub = NULL;	// init for GCC
+    char_u	*sub_copy = NULL;
+     int		delimiter;
+     int		sublen;
+     int		got_quit = FALSE;
+@@ -3866,11 +3867,20 @@ do_sub(exarg_T *eap)
+     sub_firstline = NULL;
+ 
+     /*
+-     * ~ in the substitute pattern is replaced with the old pattern.
+-     * We do it here once to avoid it to be replaced over and over again.
+-     * But don't do it when it starts with "\=", then it's an expression.
+     * If the substitute pattern starts with "\=" then it's an expression.
+     * Make a copy, a recursive function may free it.
+     * Otherwise, '~' in the substitute pattern is replaced with the old
+     * pattern.  We do it here once to avoid it to be replaced over and over
+     * again.
+      */
+-    if (!(sub[0] == '\\' && sub[1] == '='))
+    if (sub[0] == '\\' && sub[1] == '=')
+    {
+       sub = vim_strsave(sub);
+       if (sub == NULL)
+           return;
+       sub_copy = sub;
+    }
+    else
+ 	sub = regtilde(sub, p_magic);
+ 
+     /*
+@@ -4670,6 +4680,7 @@ outofmem:
+ #endif
+ 
+     vim_regfree(regmatch.regprog);
+    vim_free(sub_copy);
+ 
+     // Restore the flag values, they can be used for ":&&".
+     subflags.do_all = save_do_all;
+diff --git a/src/testdir/test_substitute.vim b/src/testdir/test_substitute.vim
+index c7532fb..3e6bc5c 100644
+--- a/src/testdir/test_substitute.vim
+++ b/src/testdir/test_substitute.vim
+@@ -745,3 +745,19 @@ func Test_sub_beyond_end()
+   call assert_equal('#', getline(1))
+   bwipe!
+ endfunc
+
+" This was using "old_sub" after it was freed.
+func Test_using_old_sub()
+  set compatible maxfuncdepth=10
+  new
+  call setline(1, 'some text.')
+  func Repl()
+    ~
+    s/
+  endfunc
+  silent!  s/\%')/\=Repl()
+
+  delfunc Repl
+  bwipe!
+  set nocompatible
+endfunc
+-- 
+1.8.3.1
+
--- a/vim.spec
+++ b/vim.spec
@ -12,7 +12,7 @@
 Name:           vim
 Epoch:          2
 Version:        8.2
-Release:        21
+Release:        22
 Summary:        Vim is a highly configurable text editor for efficiently creating and changing any kind of text.
 License:        Vim and MIT
 URL:            http://www.vim.org
@ -73,6 +73,12 @@ Patch6036:      backport-CVE-2022-0213.patch
 Patch6037:      backport-CVE-2022-0261.patch
 Patch6038:      backport-CVE-2022-0318.patch
 Patch6039:      backport-vim-fix-garbled-characters-display-when-file-name-ma.patch
+Patch6040:      backport-CVE-2022-0351.patch
+Patch6041:      backport-CVE-2022-0408.patch
+Patch6042:      backport-CVE-2022-0361.patch
+Patch6043:      backport-CVE-2022-0359.patch
+Patch6044:      backport-CVE-2022-0413.patch
+Patch6045:      backport-CVE-2022-0368.patch

 Patch9000:      bugfix-rm-modify-info-version.patch

@ -461,6 +467,12 @@ popd
 %{_mandir}/man1/evim.*

 %changelog
+* Mon Feb 07 2022 shixuantong <shixuantong@h-partners.com> - 2:8.2-22
+- Type:CVE
+- ID:CVE-2022-0351 CVE-2022-0361 CVE-2022-0408 CVE-2022-0359 CVE-2022-0368 CVE-2022-0413
+- SUG:NA
+- DESC:fix CVE-2022-0351 CVE-2022-0361 CVE-2022-0408 CVE-2022-0359 CVE-2022-0368 CVE-2022-0413
+
 * Sun Jan 30 2022 yuanxin<yuanxin24@h-partners.com> - 2:8.2-21
 - Type:bugfix
 - ID:NA