!159 [sync] PR-157: Fix CVE-2022-0572

From: @openeuler-sync-bot Reviewed-by: @xiezhipeng1 Signed-off-by: @xiezhipeng1
2022-03-01 02:22:22 +00:00 · 2022-03-01 02:22:22 +00:00 · 32d836bb5c
commit 32d836bb5c
parent 9e89989c8b f1c1e32899
3 changed files with 142 additions and 1 deletions
--- a/backport-CVE-2022-0572.patch
+++ b/backport-CVE-2022-0572.patch
@ -0,0 +1,66 @@
+From 6e28703a8e41f775f64e442c5d11ce1ff599aa3f Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Sat, 12 Feb 2022 15:42:18 +0000
+Subject: [PATCH] patch 8.2.4359: crash when repeatedly using :retab
+
+Problem:    crash when repeatedly using :retab.
+Solution:   Bail out when the line is getting too long.
+---
+ src/indent.c               |  5 +++++
+ src/testdir/test_retab.vim | 20 ++++++++++++++++++++
+ 2 files changed, 25 insertions(+)
+
+diff --git a/src/indent.c b/src/indent.c
+index e8e93b9..075802c 100644
+--- a/src/indent.c
+++ b/src/indent.c
+@@ -1689,6 +1689,11 @@ ex_retab(exarg_T *eap)
+ 	    if (ptr[col] == NUL)
+ 		break;
+ 	    vcol += chartabsize(ptr + col, (colnr_T)vcol);
+	    if (vcol >= MAXCOL)
+	    {
+		emsg(_(e_resulting_text_too_long));
+		break;
+	    }
+ 	    if (has_mbyte)
+ 		col += (*mb_ptr2len)(ptr + col);
+ 	    else
+diff --git a/src/testdir/test_retab.vim b/src/testdir/test_retab.vim
+index e7b8946..5376f92 100644
+--- a/src/testdir/test_retab.vim
+++ b/src/testdir/test_retab.vim
+@@ -69,6 +69,8 @@ func Test_retab()
+   call assert_equal("    a       b        c    ",         Retab('!', 3))
+   call assert_equal("    a       b        c    ",         Retab('',  5))
+   call assert_equal("    a       b        c    ",         Retab('!', 5))
+
+  set tabstop& expandtab&
+ endfunc
+ 
+ func Test_retab_error()
+@@ -78,3 +80,21 @@ func Test_retab_error()
+   call assert_fails('ret 10000', 'E475:')
+   call assert_fails('ret 80000000000000000000', 'E475:')
+ endfunc
+
+func Test_retab_endless()
+  new
+  call setline(1, "\t0\t")
+  let caught = 'no'
+  try
+    while 1
+      set ts=4000
+      retab 4
+    endwhile
+  catch /E1240/
+    let caught = 'yes'
+  endtry
+  bwipe!
+  set tabstop&
+endfunc
+
+" vim: shiftwidth=2 sts=2 expandtab
+-- 
+2.27.0
+
--- a/backport-crash-when-pasting-too-many-times.patch
+++ b/backport-crash-when-pasting-too-many-times.patch
@ -0,0 +1,67 @@
+From eeed1c7ae090c17f4df51cf97b2a9e4d8b4f4dc7 Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Sun, 10 Oct 2021 12:35:17 +0100
+Subject: [PATCH] patch 8.2.3492: crash when pasting too many times
+
+Problem:    Crash when pasting too many times.
+Solution:   Limit the size to what fits in an int. (closes #8962)
+
+---
+ src/globals.h            |  1 +
+ src/register.c           | 11 +++++++++--
+ src/testdir/test_put.vim |  8 ++++++++
+ 3 files changed, 18 insertions(+), 2 deletions(-)
+
+diff --git a/src/globals.h b/src/globals.h
+index fee8c7f..7be3bfd 100644
+--- a/src/globals.h
+++ b/src/globals.h
+@@ -1659,6 +1659,7 @@ EXTERN char e_menuothermode[]	INIT(= N_("E328: Menu only exists in another mode"
+ #endif
+ EXTERN char e_invalwindow[]	INIT(= N_("E957: Invalid window number"));
+ EXTERN char e_listarg[]		INIT(= N_("E686: Argument of %s must be a List"));
+EXTERN char e_resulting_text_too_long[]		INIT(= N_("E1240: Resulting text too long"));
+ 
+ #ifdef FEAT_GUI_MAC
+ EXTERN short disallow_gui	INIT(= FALSE);
+diff --git a/src/register.c b/src/register.c
+index 24e4b99..bab27fe 100644
+--- a/src/register.c
+++ b/src/register.c
+@@ -1908,8 +1908,15 @@ do_put(
+ 	    }
+ 
+ 	    do {
+-		totlen = count * yanklen;
+-		if (totlen > 0)
+		long multlen = count * yanklen;
+
+		totlen = multlen;
+		if (totlen != multlen)
+		{
+		    emsg(_(e_resulting_text_too_long));
+		    break;
+		}
+		else if (totlen > 0)
+ 		{
+ 		    oldp = ml_get(lnum);
+ 		    if (VIsual_active && col > (int)STRLEN(oldp))
+diff --git a/src/testdir/test_put.vim b/src/testdir/test_put.vim
+index f5037dc..42bb7e6 100644
+--- a/src/testdir/test_put.vim
+++ b/src/testdir/test_put.vim
+@@ -122,3 +122,11 @@ func Test_put_above_first_line()
+   call assert_equal('text', getline(1))
+   bwipe!
+ endfunc
+
+func Test_very_larg_count()
+  new
+  let @" = 'x'
+  call assert_fails('norm 44444444444444p', 'E1240:')
+  bwipe!
+endfunc
+
+-- 
+2.27.0
+
--- a/vim.spec
+++ b/vim.spec
@ -12,7 +12,7 @@
 Name:           vim
 Epoch:          2
 Version:        8.2
-Release:        23
+Release:        24
 Summary:        Vim is a highly configurable text editor for efficiently creating and changing any kind of text.
 License:        Vim and MIT
 URL:            http://www.vim.org
@ -83,6 +83,8 @@ Patch6046:      backport-CVE-2022-0443.patch
 Patch6047:      backport-CVE-2022-0392.patch
 Patch6048:      backport-invalid-argument-errmsg.patch
 Patch6049:      backport-CVE-2022-0417.patch
+Patch6050:      backport-crash-when-pasting-too-many-times.patch
+Patch6051:      backport-CVE-2022-0572.patch

 Patch9000:      bugfix-rm-modify-info-version.patch

@ -471,6 +473,12 @@ popd
 %{_mandir}/man1/evim.*

 %changelog
+* Sat Feb 26 2022 huangduirong <huangduirong@huawei.com> - 2:8.2-24
+- Type:CVE
+- ID:CVE-2022-0572
+- SUG:NA
+- DESC:fix CVE-2022-0572
+
 * Wed Feb 09 2022 tianwei <tianwei12@h-partners.com> - 2:8.2-23
 - Type:CVE
 - ID:CVE-2022-0443 CVE-2022-0392 CVE-2022-0417