!194 fix CVE-2021-4069

From: @wangjiang37 Reviewed-by: @xiezhipeng1 Signed-off-by: @xiezhipeng1
2022-04-01 06:12:14 +00:00 · 2022-04-01 06:12:14 +00:00 · 0956f57e7b
commit 0956f57e7b
parent 7eed38a822 113a404ec7
2 changed files with 64 additions and 1 deletions
--- a/backport-CVE-2021-4069.patch
+++ b/backport-CVE-2021-4069.patch
@ -0,0 +1,56 @@
+From e031fe90cf2e375ce861ff5e5e281e4ad229ebb9 Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Sun, 5 Dec 2021 12:06:24 +0000
+Subject: [PATCH] patch 8.2.3741: using freed memory in open command
+
+Problem:    Using freed memory in open command.
+Solution:   Make a copy of the current line.
+
+Reference:https://github.com/vim/vim/commit/e031fe90cf2e375ce861ff5e5e281e4ad229ebb9
+Conflict:src/testdir/test_ex_mode.vim, The current version does not exist and therefore does not fit into this test case
+---
+ src/ex_docmd.c | 10 +++++++---
+ src/version.c  |  2 ++
+ 2 files changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/src/ex_docmd.c b/src/ex_docmd.c
+index 203174a..cb6b64a 100644
+--- a/src/ex_docmd.c
+++ b/src/ex_docmd.c
+@@ -6030,13 +6030,17 @@ ex_open(exarg_T *eap)
+ 	regmatch.regprog = vim_regcomp(eap->arg, p_magic ? RE_MAGIC : 0);
+ 	if (regmatch.regprog != NULL)
+ 	{
+	    // make a copy of the line, when searching for a mark it might be
+	    // flushed
+	    char_u *line = vim_strsave(ml_get_curline());
+
+ 	    regmatch.rm_ic = p_ic;
+-	    p = ml_get_curline();
+-	    if (vim_regexec(&regmatch, p, (colnr_T)0))
+-		curwin->w_cursor.col = (colnr_T)(regmatch.startp[0] - p);
+	    if (vim_regexec(&regmatch, line, (colnr_T)0))
+		curwin->w_cursor.col = (colnr_T)(regmatch.startp[0] - line);
+ 	    else
+ 		emsg(_(e_nomatch));
+ 	    vim_regfree(regmatch.regprog);
+	    vim_free(line);
+ 	}
+ 	// Move to the NUL, ignore any other arguments.
+ 	eap->arg += STRLEN(eap->arg);
+diff --git a/src/version.c b/src/version.c
+index 035c46f..bd45631 100644
+--- a/src/version.c
+++ b/src/version.c
+@@ -742,6 +742,8 @@ static char *(features[]) =
+ 
+ static int included_patches[] =
+ {   /* Add new patch number below this line */
+/**/
+    3741,
+ /**/
+     3403,
+ /**/
+-- 
+2.27.0
+
--- a/vim.spec
+++ b/vim.spec
@ -12,7 +12,7 @@
 Name:           vim
 Epoch:          2
 Version:        8.2
-Release:        29
+Release:        30
 Summary:        Vim is a highly configurable text editor for efficiently creating and changing any kind of text.
 License:        Vim and MIT
 URL:            http://www.vim.org
@ -91,6 +91,7 @@ Patch6054:      backport-CVE-2022-0685.patch
 Patch6055:      backport-CVE-2022-0319.patch
 Patch6056:      backport-CVE-2022-0554.patch
 Patch6057:      backport-CVE-2022-0943.patch
+Patch6058:	backport-CVE-2021-4069.patch

 Patch9000:      bugfix-rm-modify-info-version.patch

@ -479,6 +480,12 @@ popd
 %{_mandir}/man1/evim.*

 %changelog
+* Wed Mar 30 2022 wangjiang <wangjiang37#h-partners.com> - 2:8.2-30
+- Type:CVE
+- ID:CVE-2021-4069
+- SUG:NA
+- DESC:fix CVE-2021-4069
+
 * Thu Mar 24 2022 yuanxin <yuanxin24@h-partners.com> - 2:8.2-29
 - Type:CVE
 - ID:CVE-2022-0943