Fix CVE-2022-1886

(cherry picked from commit c2cc83155a9ce0e76319aeff18c375397d72d162)
2022-06-15 16:28:57 +08:00 · 2022-06-15 16:28:57 +08:00 · 2f9ff2415c
commit 2f9ff2415c
parent 7e2d401b9a
4 changed files with 197 additions and 1 deletions
--- a/backport-CVE-2022-1886.patch
+++ b/backport-CVE-2022-1886.patch
@ -0,0 +1,52 @@
+From 2a585c85013be22f59f184d49612074fd9b115d7 Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Wed, 25 May 2022 15:15:38 +0100
+Subject: [PATCH] patch 8.2.5016: access before start of text with a put
+ command
+
+Problem:    Access before start of text with a put command.
+Solution:   Check the length is more than zero.
+---
+ src/register.c           | 7 +++++--
+ src/testdir/test_put.vim | 9 +++++++++
+ 2 files changed, 14 insertions(+), 2 deletions(-)
+
+diff --git a/src/register.c b/src/register.c
+index 7f77ada..87689f7 100644
+--- a/src/register.c
+++ b/src/register.c
+@@ -2078,9 +2078,12 @@ error:
+ 	    len = STRLEN(y_array[y_size - 1]);
+ 	    col = (colnr_T)len - lendiff;
+ 	    if (col > 1)
+-		curbuf->b_op_end.col = col - 1
+-				- mb_head_off(y_array[y_size - 1],
+	    {
+		curbuf->b_op_end.col = col - 1;
+		if (len > 0)
+		    curbuf->b_op_end.col -= mb_head_off(y_array[y_size - 1],
+ 						y_array[y_size - 1] + len - 1);
+	    }
+ 	    else
+ 		curbuf->b_op_end.col = 0;
+ 
+diff --git a/src/testdir/test_put.vim b/src/testdir/test_put.vim
+index 07f6387..6df04cf 100644
+--- a/src/testdir/test_put.vim
+++ b/src/testdir/test_put.vim
+@@ -143,3 +143,12 @@ func Test_multibyte_op_end_mark()
+   bwipe!
+ endfunc
+ 
+" this was putting a mark before the start of a line
+func Test_put_empty_register()
+  new
+  norm yy
+  norm [Pi00ggv)s0
+  sil! norm [P
+  bwipe!
+endfunc
+
+-- 
+1.8.3.1
+
--- a/backport-after-a-put-the-mark-is-on-the-last-byte.patch
+++ b/backport-after-a-put-the-mark-is-on-the-last-byte.patch
@ -0,0 +1,94 @@
+From 4d07253a485819b3a9fd923d263e722ea2109c12 Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Thu, 25 Nov 2021 19:31:15 +0000
+Subject: [PATCH] patch 8.2.3677: after a put the '] mark is on the last byte
+
+Problem:    After a put the '] mark is on the last byte of a multi-byte
+            character.
+Solution:   Move it to the first byte. (closes #9047)
+---
+ src/register.c           | 18 +++++++++++++++---
+ src/testdir/test_put.vim | 13 +++++++++++++
+ 2 files changed, 28 insertions(+), 3 deletions(-)
+
+diff --git a/src/register.c b/src/register.c
+index d5eb011..49f4079 100644
+--- a/src/register.c
+++ b/src/register.c
+@@ -1479,6 +1479,7 @@ do_put(
+     long	cnt;
+     pos_T	orig_start = curbuf->b_op_start;
+     pos_T	orig_end = curbuf->b_op_end;
+    int		first_byte_off = 0;
+ 
+ #ifdef FEAT_CLIPBOARD
+     // Adjust register name for "unnamed" in 'clipboard'.
+@@ -1936,6 +1937,10 @@ do_put(
+ 		    }
+ 		    STRMOVE(ptr, oldp + col);
+ 		    ml_replace(lnum, newp, FALSE);
+
+		    // compute the byte offset for the last character
+		    first_byte_off = mb_head_off(newp, ptr - 1);
+
+ 		    // Place cursor on last putted char.
+ 		    if (lnum == curwin->w_cursor.lnum)
+ 		    {
+@@ -1951,10 +1956,15 @@ do_put(
+ 	    if (VIsual_active) // reset lnum to the last visual line
+ 		lnum--;
+ 
+	    // put '] at the first byte of the last character
+ 	    curbuf->b_op_end = curwin->w_cursor;
+	    curbuf->b_op_end.col -= first_byte_off;
+
+ 	    // For "CTRL-O p" in Insert mode, put cursor after last char
+ 	    if (totlen && (restart_edit != 0 || (flags & PUT_CURSEND)))
+ 		++curwin->w_cursor.col;
+	    else
+		curwin->w_cursor.col -= first_byte_off;
+ 	    changed_bytes(lnum, col);
+ 	}
+ 	else
+@@ -2061,12 +2071,14 @@ error:
+ 		changed_lines(curbuf->b_op_start.lnum, 0,
+ 					   curbuf->b_op_start.lnum, nr_lines);
+ 
+-	    // put '] mark at last inserted character
+	    // Put the '] mark on the first byte of the last inserted character.
+	    // Correct the length for change in indent.
+ 	    curbuf->b_op_end.lnum = lnum;
+-	    // correct length for change in indent
+ 	    col = (colnr_T)STRLEN(y_array[y_size - 1]) - lendiff;
+ 	    if (col > 1)
+-		curbuf->b_op_end.col = col - 1;
+		curbuf->b_op_end.col = col - 1
+				- mb_head_off(y_array[y_size - 1],
+						y_array[y_size - 1] + col - 1);
+ 	    else
+ 		curbuf->b_op_end.col = 0;
+ 
+diff --git a/src/testdir/test_put.vim b/src/testdir/test_put.vim
+index 42bb7e6..07f6387 100644
+--- a/src/testdir/test_put.vim
+++ b/src/testdir/test_put.vim
+@@ -130,3 +130,16 @@ func Test_very_larg_count()
+   bwipe!
+ endfunc
+ 
+func Test_multibyte_op_end_mark()
+  new
+  call setline(1, 'тест')
+  normal viwdp
+  call assert_equal([0, 1, 7, 0], getpos("'>"))
+  call assert_equal([0, 1, 7, 0], getpos("']"))
+
+  normal Vyp
+  call assert_equal([0, 1, 2147483647, 0], getpos("'>"))
+  call assert_equal([0, 2, 7, 0], getpos("']"))
+  bwipe!
+endfunc
+
+-- 
+1.8.3.1
+
--- a/backport-illegal-memory-access.patch
+++ b/backport-illegal-memory-access.patch
@ -0,0 +1,41 @@
+From 85be8563fe5aff686e9e30d6afff401ccd976f2a Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Thu, 25 Nov 2021 20:40:11 +0000
+Subject: [PATCH] patch 8.2.3678: illegal memory access
+
+Problem:    Illegal memory access.
+Solution:   Ignore changed indent when computing byte offset.
+---
+ src/register.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/src/register.c b/src/register.c
+index 49f4079..7f77ada 100644
+--- a/src/register.c
+++ b/src/register.c
+@@ -1969,6 +1969,7 @@ do_put(
+ 	}
+ 	else
+ 	{
+	    size_t	len;
+ 	    // Insert at least one line.  When y_type is MCHAR, break the first
+ 	    // line in two.
+ 	    for (cnt = 1; cnt <= count; ++cnt)
+@@ -2074,11 +2075,12 @@ error:
+ 	    // Put the '] mark on the first byte of the last inserted character.
+ 	    // Correct the length for change in indent.
+ 	    curbuf->b_op_end.lnum = lnum;
+-	    col = (colnr_T)STRLEN(y_array[y_size - 1]) - lendiff;
+	    len = STRLEN(y_array[y_size - 1]);
+	    col = (colnr_T)len - lendiff;
+ 	    if (col > 1)
+ 		curbuf->b_op_end.col = col - 1
+ 				- mb_head_off(y_array[y_size - 1],
+-						y_array[y_size - 1] + col - 1);
+						y_array[y_size - 1] + len - 1);
+ 	    else
+ 		curbuf->b_op_end.col = 0;
+ 
+-- 
+1.8.3.1
+
--- a/vim.spec
+++ b/vim.spec
@ -12,7 +12,7 @@
 Name:           vim
 Epoch:          2
 Version:        8.2
-Release:        39
+Release:        40
 Summary:        Vim is a highly configurable text editor for efficiently creating and changing any kind of text.
 License:        Vim and MIT
 URL:            http://www.vim.org
@ -113,6 +113,9 @@ Patch6076:      backport-CVE-2022-1785.patch
 Patch6077:      backport-CVE-2022-1851.patch
 Patch6078:      backport-semicolon-search-dose-not-work-in-first-line.patch
 Patch6079:      backport-CVE-2022-1927.patch
+Patch6080:      backport-after-a-put-the-mark-is-on-the-last-byte.patch
+Patch6081:      backport-illegal-memory-access.patch
+Patch6082:      backport-CVE-2022-1886.patch

 Patch9000:      bugfix-rm-modify-info-version.patch

@ -501,6 +504,12 @@ popd
 %{_mandir}/man1/evim.*

 %changelog
+* Wed Jun 15 2022 renhongxun <renhongxun@h-partners.com> - 2:8.2-40
+- Type:CVE
+- ID:CVE-2022-1886
+- SUG:NA
+- DESC:fix CVE-2022-1886
+
 * Tue Jun 14 2022 renhongxun <renhongxun@h-partners.com> - 2:8.2-39
 - Type:CVE
 - ID:CVE-2022-1927