packages/vim
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix CVE-2022-3256

Browse Source 
(cherry picked from commit 9e50adea3869fa41438608813ffa2aec414c8d76)
This commit is contained in:
dongyuzhen 2022-09-23 15:13:07 +08:00 committed by openeuler-sync-bot
parent 5a8cbdc1db
commit 2c93e09295
2 changed files with 74 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

66
backport-CVE-2022-3256.patch Normal file
View File

@ -0,0 +1,66 @@
From 8ecfa2c56b4992c7f067b92488aa9acea5a454ad Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Wed, 21 Sep 2022 13:07:22 +0100
Subject: [PATCH] patch 9.0.0530: using freed memory when autocmd changes mark
Problem: Using freed memory when autocmd changes mark.
Solution: Copy the mark before editing another buffer.
---
src/mark.c | 12 +++++++-----
src/testdir/test_marks.vim | 13 +++++++++++++
2 files changed, 20 insertions(+), 5 deletions(-)
diff --git a/src/mark.c b/src/mark.c
index ba24220..9f817c0 100644
--- a/src/mark.c
+++ b/src/mark.c
@@ -249,17 +249,19 @@ movemark(int count)
fname2fnum(jmp);
if (jmp->fmark.fnum != curbuf->b_fnum)
{
- // jump to other file
- if (buflist_findnr(jmp->fmark.fnum) == NULL)
+ // Make a copy, an autocommand may make "jmp" invalid.
+ fmark_T fmark = jmp->fmark;
+
+ // jump to the file with the mark
+ if (buflist_findnr(fmark.fnum) == NULL)
{ // Skip this one ..
count += count < 0 ? -1 : 1;
continue;
}
- if (buflist_getfile(jmp->fmark.fnum, jmp->fmark.mark.lnum,
- 0, FALSE) == FAIL)
+ if (buflist_getfile(fmark.fnum, fmark.mark.lnum, 0, FALSE) == FAIL)
return (pos_T *)NULL;
// Set lnum again, autocommands my have changed it
- curwin->w_cursor = jmp->fmark.mark;
+ curwin->w_cursor = fmark.mark;
pos = (pos_T *)-1;
}
else
diff --git a/src/testdir/test_marks.vim b/src/testdir/test_marks.vim
index 96a7766..47cdfb0 100644
--- a/src/testdir/test_marks.vim
+++ b/src/testdir/test_marks.vim
@@ -190,4 +190,17 @@ func Test_lockmarks_with_put()
bwipe!
endfunc
+" This was using freed memory
+func Test_jump_mark_autocmd()
+ next 00
+ edit 0
+ sargument
+ au BufEnter 0 all
+ sil norm 
+
+ au! BufEnter
+ bwipe!
+endfunc
+
+
" vim: shiftwidth=2 sts=2 expandtab
--
2.27.0

9
vim.spec
View File

@ -12,7 +12,7 @@
Name: vim Name: vim
Epoch: 2 Epoch: 2
Version: 8.2 Version: 8.2
Release: 66 Release: 67
Summary: Vim is a highly configurable text editor for efficiently creating and changing any kind of text. Summary: Vim is a highly configurable text editor for efficiently creating and changing any kind of text.
License: Vim and MIT License: Vim and MIT
URL: http://www.vim.org URL: http://www.vim.org
@ -187,6 +187,7 @@ Patch6145: backport-CVE-2022-3099.patch
Patch6146: backport-CVE-2022-3134.patch Patch6146: backport-CVE-2022-3134.patch
Patch6147: backport-CVE-2022-3234.patch Patch6147: backport-CVE-2022-3234.patch
Patch6148: backport-CVE-2022-3235.patch Patch6148: backport-CVE-2022-3235.patch
Patch6149: backport-CVE-2022-3256.patch
BuildRequires: autoconf python3-devel ncurses-devel gettext perl-devel perl-generators gcc BuildRequires: autoconf python3-devel ncurses-devel gettext perl-devel perl-generators gcc
BuildRequires: perl(ExtUtils::Embed) perl(ExtUtils::ParseXS) libacl-devel gpm-devel file BuildRequires: perl(ExtUtils::Embed) perl(ExtUtils::ParseXS) libacl-devel gpm-devel file
@ -575,6 +576,12 @@ LC_ALL=en_US.UTF-8 make -j1 test
%{_mandir}/man1/evim.* %{_mandir}/man1/evim.*
%changelog %changelog
* Fri Sep 23 2022 dongyuzhen <dongyuzhen@h-partners.com> - 2:8.2-67
- Type:CVE
- ID:CVE-2022-3256
- SUG:NA
- DESC:fix CVE-2022-3256
* Tue Sep 20 2022 dongyuzhen <dongyuzhen@h-partners.com> - 2:8.2-66 * Tue Sep 20 2022 dongyuzhen <dongyuzhen@h-partners.com> - 2:8.2-66
- Type:CVE - Type:CVE
- ID:CVE-2022-3234 CVE-2022-3235 - ID:CVE-2022-3234 CVE-2022-3235