!340 [sync] PR-337: fix CVE-2022-1725

From: @openeuler-sync-bot Reviewed-by: @znzjugod, @lvying6 Signed-off-by: @lvying6
2022-08-10 08:39:35 +00:00 · 2022-08-10 08:39:35 +00:00 · 11aa3247a2
commit 11aa3247a2
parent 90329ffad0 c4d34ea508
2 changed files with 127 additions and 1 deletions
--- a/backport-CVE-2022-1725.patch
+++ b/backport-CVE-2022-1725.patch
@ -0,0 +1,119 @@
+From b62dc5e7825bc195efe3041d5b3a9f1528359e1c Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Sun, 15 May 2022 14:50:12 +0100
+Subject: [PATCH] patch 8.2.4959: using NULL regexp program
+
+Problem:    Using NULL regexp program.
+Solution:   Check for regexp program becoming NULL in more places.
+---
+ src/buffer.c                | 32 +++++++++++++++++++-------------
+ src/testdir/test_buffer.vim |  6 ++++++
+ 2 files changed, 25 insertions(+), 13 deletions(-)
+
+diff --git a/src/buffer.c b/src/buffer.c
+index 8fabbdb..f66c234 100644
+--- a/src/buffer.c
+++ b/src/buffer.c
+@@ -2583,13 +2583,15 @@ buflist_findpat(
+ 		if (*p == '^' && !(attempt & 1))	 // add/remove '^'
+ 		    ++p;
+ 		regmatch.regprog = vim_regcomp(p, p_magic ? RE_MAGIC : 0);
+-		if (regmatch.regprog == NULL)
+-		{
+-		    vim_free(pat);
+-		    return -1;
+-		}
+ 
+ 		for (buf = lastbuf; buf != NULL; buf = buf->b_prev)
+                {
+                    if (regmatch.regprog == NULL)
+                    {
+                        // invalid pattern, possibly after switching engine
+                        vim_free(pat);
+                        return -1;
+                    }
+ 		    if (buf->b_p_bl == find_listed
+ #ifdef FEAT_DIFF
+ 			    && (!diffmode || diff_mode_buf(buf))
+@@ -2615,6 +2617,7 @@ buflist_findpat(
+ 			}
+ 			match = buf->b_fnum;	// remember first match
+ 		    }
+                }
+ 
+ 		vim_regfree(regmatch.regprog);
+ 		if (match >= 0)			// found one match
+@@ -2693,12 +2696,6 @@ ExpandBufnames(
+ 	if (attempt > 0 && patc == pat)
+ 	    break;	// there was no anchor, no need to try again
+ 	regmatch.regprog = vim_regcomp(patc + attempt * 11, RE_MAGIC);
+-	if (regmatch.regprog == NULL)
+-	{
+-	    if (patc != pat)
+-		vim_free(patc);
+-	    return FAIL;
+-	}
+ 
+ 	/*
+ 	 * round == 1: Count the matches.
+@@ -2711,6 +2708,12 @@ ExpandBufnames(
+ 	    {
+ 		if (!buf->b_p_bl)	// skip unlisted buffers
+ 		    continue;
+	        if (regmatch.regprog == NULL)
+	        {
+	            if (patc != pat)
+		        vim_free(patc);
+	            return FAIL;
+	        }
+ 		p = buflist_match(&regmatch, buf, p_wic);
+ 		if (p != NULL)
+ 		{
+@@ -2789,6 +2792,7 @@ ExpandBufnames(
+ 
+ /*
+  * Check for a match on the file name for buffer "buf" with regprog "prog".
+ * Note that rmp->regprog may become NULL when switching regexp engine.
+  */
+     static char_u *
+ buflist_match(
+@@ -2807,7 +2811,8 @@ buflist_match(
+ }
+ 
+ /*
+- * Try matching the regexp in "prog" with file name "name".
+ * Try matching the regexp in "rmp->regprog" with file name "name".
+ * Note that rmp->regprog may become NULL when switching regexp engine.
+  * Return "name" when there is a match, NULL when not.
+  */
+     static char_u *
+@@ -2819,7 +2824,8 @@ fname_match(
+     char_u	*match = NULL;
+     char_u	*p;
+ 
+-    if (name != NULL)
+    // extra check for valid arguments
+    if (name != NULL && rmp->regprog != NULL)
+     {
+ 	// Ignore case when 'fileignorecase' or the argument is set.
+ 	rmp->rm_ic = p_fic || ignore_case;
+diff --git a/src/testdir/test_buffer.vim b/src/testdir/test_buffer.vim
+index 6039ff8..cef0213 100644
+--- a/src/testdir/test_buffer.vim
+++ b/src/testdir/test_buffer.vim
+@@ -72,6 +72,12 @@ func Test_buf_pattern_invalid()
+   vsplit 00000000000000000000000000
+   silent! buf [0--]\&\zs*\zs*e
+   bwipe!
+
+ " similar case with different code path
+  split 0
+  edit ÿ
+  silent! buf [0--]\&\zs*\zs*0
+  bwipe!
+ endfunc
+ 
+ " vim: shiftwidth=2 sts=2 expandtab
+-- 
+2.27.0
+
--- a/vim.spec
+++ b/vim.spec
@ -12,7 +12,7 @@
 Name:           vim
 Epoch:          2
 Version:        8.2
-Release:        57
+Release:        58
 Summary:        Vim is a highly configurable text editor for efficiently creating and changing any kind of text.
 License:        Vim and MIT
 URL:            http://www.vim.org
@ -162,6 +162,7 @@ Patch6125:      backport-CVE-2022-2522.patch
 Patch6126:      backport-patch-8.2.0310-autocmd-test-fails-on-a-slow-system.patch
 Patch6127:      backport-CVE-2022-2598.patch
 Patch6128:      backport-CVE-2022-2571.patch
+Patch6129:      backport-CVE-2022-1725.patch

 Patch9000:      bugfix-rm-modify-info-version.patch

@ -550,6 +551,12 @@ popd
 %{_mandir}/man1/evim.*

 %changelog
+* Mon Aug 08 2022 dongyuzhen <dongyuzhen@h-partners.com> - 2:8.2-58
+- Type:CVE
+- ID:CVE-2022-1725
+- SUG:NA
+- DESC:fix CVE-2022-1725
+
 * Tue Aug 02 2022 shixuantong <shixuantong@h-partners.com> - 2:8.2-57
 - Type:CVE
 - ID:CVE-2022-2598 CVE-2022-2571