!518 fix CVE-2023-2426

From: @wangjiang37 Reviewed-by: @znzjugod, @zhoupengcheng11 Signed-off-by: @gaoruoshu
2023-05-05 06:41:48 +00:00 · 2023-05-05 06:41:48 +00:00 · 209fbaa66c
commit 209fbaa66c
parent 1c26e7575b 72b86229ed
2 changed files with 141 additions and 1 deletions
--- a/backport-CVE-2023-2426.patch
+++ b/backport-CVE-2023-2426.patch
@ -0,0 +1,133 @@
 From caf642c25de526229264cab9425e7c9979f3509b Mon Sep 17 00:00:00 2001
 From: Bram Moolenaar <Bram@vim.org>
 Date: Sat, 29 Apr 2023 21:38:04 +0100
 Subject: [PATCH] patch 9.0.1499: using uninitialized memory with fuzzy
 matching
 Problem:    Using uninitialized memory with fuzzy matching.
 Solution:   Initialize the arrays used to store match positions.
 ---
 src/quickfix.c                  |  5 ++++-
 src/search.c                    | 17 +++++++----------
 src/testdir/test_matchfuzzy.vim | 27 +++++++++++++++++++++++++++
 3 files changed, 38 insertions(+), 11 deletions(-)
 diff --git a/src/quickfix.c b/src/quickfix.c
 index 13292e2f7515..553ad457880a 100644
 --- a/src/quickfix.c
 +++ b/src/quickfix.c
@@ -6005,6 +6005,8 @@ vgr_match_buflines(
     long	lnum;
     colnr_T	col;
     int		pat_len = (int)STRLEN(spat);
 +    if (pat_len > MAX_FUZZY_MATCHES)
 +	pat_len = MAX_FUZZY_MATCHES;
     for (lnum = 1; lnum <= buf->b_ml.ml_line_count && *tomatch > 0; ++lnum)
     {
@@ -6013,7 +6015,7 @@ vgr_match_buflines(
 	{
 	    // Regular expression match
 	    while (vim_regexec_multi(regmatch, curwin, buf, lnum,
 -			col, NULL) > 0)
 +								col, NULL) > 0)
 	    {
 		// Pass the buffer number so that it gets used even for a
 		// dummy buffer, unless duplicate_name is set, then the
@@ -6059,6 +6061,7 @@ vgr_match_buflines(
 	    int_u   sz = ARRAY_LENGTH(matches);
 	    // Fuzzy string match
 +	    CLEAR_FIELD(matches);
 	    while (fuzzy_match(str + col, spat, FALSE, &score, matches, sz) > 0)
 	    {
 		// Pass the buffer number so that it gets used even for a
 diff --git a/src/search.c b/src/search.c
 index 74ca8fefb2c5..5e3857078031 100644
 --- a/src/search.c
 +++ b/src/search.c
@@ -4407,14 +4407,14 @@ fuzzy_match_recursive(
 	// Found match
 	if (vim_tolower(c1) == vim_tolower(c2))
 	{
 -	    int_u	recursiveMatches[MAX_FUZZY_MATCHES];
 -	    int		recursiveScore = 0;
 -	    char_u	*next_char;
 -
 	    // Supplied matches buffer was too short
 	    if (nextMatch >= maxMatches)
 		return 0;
 +	    int		recursiveScore = 0;
 +	    int_u	recursiveMatches[MAX_FUZZY_MATCHES];
 +	    CLEAR_FIELD(recursiveMatches);
 +
 	    // "Copy-on-Write" srcMatches into matches
 	    if (first_match && srcMatches)
 	    {
@@ -4423,10 +4423,7 @@ fuzzy_match_recursive(
 	    }
 	    // Recursive call that "skips" this match
 -	    if (has_mbyte)
 -		next_char = str + (*mb_ptr2len)(str);
 -	    else
 -		next_char = str + 1;
 +	    char_u *next_char = str + (has_mbyte ? (*mb_ptr2len)(str) : 1);
 	    if (fuzzy_match_recursive(fuzpat, next_char, strIdx + 1,
 			&recursiveScore, strBegin, strLen, matches,
 			recursiveMatches,
@@ -4491,8 +4488,8 @@ fuzzy_match_recursive(
  * Uses char_u for match indices. Therefore patterns are limited to
  * MAX_FUZZY_MATCHES characters.
  *
 - * Returns TRUE if 'pat_arg' matches 'str'. Also returns the match score in
 - * 'outScore' and the matching character positions in 'matches'.
 + * Returns TRUE if "pat_arg" matches "str". Also returns the match score in
 + * "outScore" and the matching character positions in "matches".
  */
     int
 fuzzy_match(
 diff --git a/src/testdir/test_matchfuzzy.vim b/src/testdir/test_matchfuzzy.vim
 index 502d136ccf2a..43eca8ff08af 100644
 --- a/src/testdir/test_matchfuzzy.vim
 +++ b/src/testdir/test_matchfuzzy.vim
@@ -2,6 +2,7 @@
 source shared.vim
 source check.vim
 +source term_util.vim
 " Test for matchfuzzy()
 func Test_matchfuzzy()
@@ -253,4 +254,30 @@ func Test_matchfuzzy_limit()
   call assert_equal([{'id': 5, 'val': 'crayon'}], l->matchfuzzy('c', #{key: 'val', limit: 1}))
 endfunc
 +" This was using uninitialized memory
 +func Test_matchfuzzy_initialized()
 +  CheckRunVimInTerminal
 +
 +  " This can take a very long time (esp. when using valgrind).  Run in a
 +  " separate Vim instance and kill it after two seconds.  We only check for
 +  " memory errors.
 +  let lines =<< trim END
 +      lvimgrep [ss [fg*
 +  END
 +  call writefile(lines, 'XTest_matchfuzzy', 'D')
 +
 +  let buf = RunVimInTerminal('-u NONE -X -Z', {})
 +  call term_sendkeys(buf, ":source XTest_matchfuzzy\n")
 +  call TermWait(buf, 2000)
 +
 +  let job = term_getjob(buf)
 +  if job_status(job) == "run"
 +    call job_stop(job, "int")
 +    call TermWait(buf, 50)
 +  endif
 +
 +  " clean up
 +  call StopVimInTerminal(buf)
 +endfunc
 +
 " vim: shiftwidth=2 sts=2 expandtab
--- a/vim.spec
+++ b/vim.spec
@ -12,7 +12,7 @@
 Name:           vim
 Epoch:          2
 Version:        9.0
-Release:        13
+Release:        14
 Summary:        Vim is a highly configurable text editor for efficiently creating and changing any kind of text.
 License:        Vim and MIT
 URL:            http://www.vim.org
@ -93,6 +93,7 @@ Patch6063:      backport-CVE-2023-1170.patch
 Patch6064:      backport-CVE-2023-1175.patch
 Patch6065:      backport-CVE-2023-1264.patch
 Patch6066:      backport-vim-7.0-rclocation.patch
 Patch6067:      backport-CVE-2023-2426.patch
 Patch9000:      bugfix-rm-modify-info-version.patch
 Patch9001:      vim-Add-sw64-architecture.patch
@ -501,6 +502,12 @@ LC_ALL=en_US.UTF-8 make -j1 test
 %{_mandir}/man1/evim.*
 %changelog
 * Thu May 04 2023 wangjiang <wangjiang37@h-partners.com> - 2:9.0-14
 - Type:CVE
 - ID:CVE-2023-2426
 - SUG:NA
 - DESC:CVE-2023-2426
 * Fri Mar 24 2023 wangjiang <wangjiang37@h-partners.com> - 2:9.0-13
 - Type:bugfix
 - ID:NA