fix CVE-2023-1170 CVE-2023-1175

2023-03-08 01:26:07 +00:00 · 2023-03-08 01:26:07 +00:00 · 2a645d2c48
commit 2a645d2c48
parent 0d113eb41c
3 changed files with 119 additions and 1 deletions
--- a/backport-CVE-2023-1170.patch
+++ b/backport-CVE-2023-1170.patch
@ -0,0 +1,63 @@
+From 1c73b65229c25e3c1fd8824ba958f7cc4d604f9c Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Fri, 3 Mar 2023 21:11:52 +0000
+Subject: [PATCH] patch 9.0.1376: accessing invalid memory with put in Visual
+ block mode
+
+Problem:    Accessing invalid memory with put in Visual block mode.
+Solution:   Adjust the cursor column if needed.
+---
+ src/register.c           | 11 ++++++++++-
+ src/testdir/test_put.vim | 11 +++++++++++
+ 2 files changed, 21 insertions(+), 1 deletion(-)
+
+diff --git a/src/register.c b/src/register.c
+index 4dc0a68fd7a4..461363be378d 100644
+--- a/src/register.c
+++ b/src/register.c
+@@ -1913,7 +1913,7 @@ do_put(
+ 		ptr += yanklen;
+ 
+ 		// insert block's trailing spaces only if there's text behind
+-		if ((j < count - 1 || !shortline) && spaces)
+		if ((j < count - 1 || !shortline) && spaces > 0)
+ 		{
+ 		    vim_memset(ptr, ' ', (size_t)spaces);
+ 		    ptr += spaces;
+@@ -2274,6 +2274,15 @@ do_put(
+     msgmore(nr_lines);
+     curwin->w_set_curswant = TRUE;
+ 
+    // Make sure the cursor is not after the NUL.
+    int len = (int)STRLEN(ml_get_curline());
+    if (curwin->w_cursor.col > len)
+    {
+	if (cur_ve_flags == VE_ALL)
+	    curwin->w_cursor.coladd = curwin->w_cursor.col - len;
+	curwin->w_cursor.col = len;
+    }
+
+ end:
+     if (cmdmod.cmod_flags & CMOD_LOCKMARKS)
+     {
+diff --git a/src/testdir/test_put.vim b/src/testdir/test_put.vim
+index 66438bd3f69c..a6cea74efb6c 100644
+--- a/src/testdir/test_put.vim
+++ b/src/testdir/test_put.vim
+@@ -231,5 +231,16 @@ func Test_put_visual_mode()
+   set selection&
+ endfunc
+ 
+func Test_put_visual_block_mode()
+  enew
+  exe "norm 0R\<CR>\<C-C>V"
+  sil exe "norm \<C-V>c	\<MiddleDrag>"
+  set ve=all
+  sil norm vz=p
+
+  bwipe!
+  set ve=
+endfunc
+
+ 
+ " vim: shiftwidth=2 sts=2 expandtab
--- a/backport-CVE-2023-1175.patch
+++ b/backport-CVE-2023-1175.patch
@ -0,0 +1,47 @@
+From c99cbf8f289bdda5d4a77d7ec415850a520330ba Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Sat, 4 Mar 2023 14:13:10 +0000
+Subject: [PATCH] patch 9.0.1378: illegal memory access when using virtual
+ editing
+
+Problem:    Illegal memory access when using virtual editing.
+Solution:   Make sure "startspaces" is not negative.
+---
+ src/register.c                   |  2 ++
+ src/testdir/test_virtualedit.vim | 10 ++++++++++
+ 2 files changed, 12 insertions(+)
+
+diff --git a/src/register.c b/src/register.c
+index 461363be378d..f3df79cfd642 100644
+--- a/src/register.c
+++ b/src/register.c
+@@ -1247,6 +1247,8 @@ op_yank(oparg_T *oap, int deleting, int mess)
+ 				// double-count it.
+ 				bd.startspaces = (ce - cs + 1)
+ 							  - oap->start.coladd;
+				if (bd.startspaces < 0)
+				    bd.startspaces = 0;
+ 				startcol++;
+ 			    }
+ 			}
+diff --git a/src/testdir/test_virtualedit.vim b/src/testdir/test_virtualedit.vim
+index 71cea427bac1..edaae678609d 100644
+--- a/src/testdir/test_virtualedit.vim
+++ b/src/testdir/test_virtualedit.vim
+@@ -88,6 +88,16 @@ func Test_edit_change()
+   set virtualedit=
+ endfunc
+ 
+func Test_edit_special_char()
+  new
+  se ve=all
+  norm a0
+  sil! exe "norm o00000\<Nul>k<a0s"
+
+  bwipe!
+  set virtualedit=
+endfunc
+
+ " Tests for pasting at the beginning, end and middle of a tab character
+ " in virtual edit mode.
+ func Test_paste_in_tab()
--- a/vim.spec
+++ b/vim.spec
@ -12,7 +12,7 @@
 Name:           vim
 Epoch:          2
 Version:        9.0
-Release:        10
+Release:        11
 Summary:        Vim is a highly configurable text editor for efficiently creating and changing any kind of text.
 License:        Vim and MIT
 URL:            http://www.vim.org
@ -89,6 +89,8 @@ Patch6059:      backport-CVE-2023-0288.patch
 Patch6060:      backport-CVE-2023-0433.patch
 Patch6061:      backport-patch-9.0.0024-may-access-part-of-typeahead-buf-that-is-not-filled.patch
 Patch6062:      backport-patch-9.0.1331-illegal-memory-access-when-using-ball-in-Visual-mode.patch
+Patch6063:      backport-CVE-2023-1170.patch
+Patch6064:      backport-CVE-2023-1175.patch

 Patch9000:      bugfix-rm-modify-info-version.patch
 Patch9001:      vim-Add-sw64-architecture.patch
@ -497,6 +499,12 @@ LC_ALL=en_US.UTF-8 make -j1 test
 %{_mandir}/man1/evim.*

 %changelog
+* Wed Mar 08 2023 wangjiang <wangjiang37@h-partners.com> - 2:9.0-11
+- Type:CVE
+- ID:CVE-2023-1170 CVE-2023-1175
+- SUG:NA
+- DESC:CVE-2023-1170 CVE-2023-1175
+
 * Wed Feb 22 2023 wangjiang <wangjiang37@h-partners.com> - 2:9.0-10
 - Type:bugfix
 - ID:NA