!524 fix CVE-2023-2609 CVE-2023-2610

From: @wangjiang37 Reviewed-by: @zhoupengcheng11, @znzjugod, @gaoruoshu Signed-off-by: @gaoruoshu
2023-05-16 02:22:52 +00:00 · 2023-05-16 02:22:52 +00:00 · 3d28f9eecb
commit 3d28f9eecb
parent 209fbaa66c 5bc6866757
3 changed files with 160 additions and 1 deletions
--- a/backport-CVE-2023-2609.patch
+++ b/backport-CVE-2023-2609.patch
@ -0,0 +1,54 @@
+From d1ae8366aff286d41e7f5bc513cc0a1af5130aad Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Tue, 9 May 2023 17:09:30 +0100
+Subject: [PATCH] patch 9.0.1531: crash when register contents ends up being
+ invalid
+
+Problem:    Crash when register contents ends up being invalid.
+Solution:   Check "y_array" is not NULL.
+---
+ src/register.c                 |  2 +-
+ src/testdir/test_registers.vim | 17 +++++++++++++++++
+ 2 files changed, 18 insertions(+), 1 deletion(-)
+
+diff --git a/src/register.c b/src/register.c
+index f3df79cfd642..e481d843c249 100644
+--- a/src/register.c
+++ b/src/register.c
+@@ -300,7 +300,7 @@ get_register(
+ 	if (copy)
+ 	{
+ 	    // If we run out of memory some or all of the lines are empty.
+-	    if (reg->y_size == 0)
+	    if (reg->y_size == 0 || y_current->y_array == NULL)
+ 		reg->y_array = NULL;
+ 	    else
+ 		reg->y_array = ALLOC_MULT(char_u *, reg->y_size);
+diff --git a/src/testdir/test_registers.vim b/src/testdir/test_registers.vim
+index e966932478d8..33ea0f4bd3e6 100644
+--- a/src/testdir/test_registers.vim
+++ b/src/testdir/test_registers.vim
+@@ -798,6 +798,23 @@ func Test_end_reg_executing()
+   bwipe!
+ endfunc
+ 
+" This was causing a crash because y_append was ending up being NULL
+func Test_zero_y_append()
+  " Run in a separate Vim instance because changing 'encoding' may cause
+  " trouble for later tests.
+  let lines =<< trim END
+      d
+      silent ?n
+      next <sfile>
+      so
+      sil! norm 0VPSP
+      set enc=latin1
+       
+  END
+  call writefile(lines, 'XTest_zero_y_append', 'D')
+  call RunVim([], [], '-u NONE -i NONE -e -s -S XTest_zero_y_append -c qa\!')
+endfunc
+
+ " Make sure that y_append is correctly reset
+ " and the previous register is working as expected
+ func Test_register_y_append_reset()
--- a/backport-CVE-2023-2610.patch
+++ b/backport-CVE-2023-2610.patch
@ -0,0 +1,97 @@
+From ab9a2d884b3a4abe319606ea95a5a6d6b01cd73a Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Tue, 9 May 2023 21:15:30 +0100
+Subject: [PATCH] patch 9.0.1532: crash when expanding "~" in substitute causes
+ very long text
+
+Problem:    Crash when expanding "~" in substitute causes very long text.
+Solution:   Limit the text length to MAXCOL.
+---
+ src/regexp.c                    | 30 +++++++++++++++++++-----------
+ src/testdir/test_substitute.vim | 14 ++++++++++++++
+ 2 files changed, 33 insertions(+), 11 deletions(-)
+
+diff --git a/src/regexp.c b/src/regexp.c
+index 33b36d11a8be..0e6c746df819 100644
+--- a/src/regexp.c
+++ b/src/regexp.c
+@@ -1723,10 +1723,7 @@ do_Lower(int *d, int c)
+ regtilde(char_u *source, int magic)
+ {
+     char_u	*newsub = source;
+-    char_u	*tmpsub;
+     char_u	*p;
+-    int		len;
+-    int		prevlen;
+ 
+     for (p = newsub; *p; ++p)
+     {
+@@ -1735,24 +1732,35 @@ regtilde(char_u *source, int magic)
+ 	    if (reg_prev_sub != NULL)
+ 	    {
+ 		// length = len(newsub) - 1 + len(prev_sub) + 1
+-		prevlen = (int)STRLEN(reg_prev_sub);
+-		tmpsub = alloc(STRLEN(newsub) + prevlen);
+		// Avoid making the text longer than MAXCOL, it will cause
+		// trouble at some point.
+		size_t	prevsublen = STRLEN(reg_prev_sub);
+		size_t  newsublen = STRLEN(newsub);
+		if (prevsublen > MAXCOL || newsublen > MAXCOL
+					    || newsublen + prevsublen > MAXCOL)
+		{
+		    emsg(_(e_resulting_text_too_long));
+		    break;
+		}
+
+		char_u *tmpsub = alloc(newsublen + prevsublen);
+ 		if (tmpsub != NULL)
+ 		{
+ 		    // copy prefix
+-		    len = (int)(p - newsub);	// not including ~
+-		    mch_memmove(tmpsub, newsub, (size_t)len);
+		    size_t prefixlen = p - newsub;	// not including ~
+		    mch_memmove(tmpsub, newsub, prefixlen);
+ 		    // interpret tilde
+-		    mch_memmove(tmpsub + len, reg_prev_sub, (size_t)prevlen);
+		    mch_memmove(tmpsub + prefixlen, reg_prev_sub,
+							       prevsublen);
+ 		    // copy postfix
+ 		    if (!magic)
+ 			++p;			// back off backslash
+-		    STRCPY(tmpsub + len + prevlen, p + 1);
+		    STRCPY(tmpsub + prefixlen + prevsublen, p + 1);
+ 
+-		    if (newsub != source)	// already allocated newsub
+		    if (newsub != source)	// allocated newsub before
+ 			vim_free(newsub);
+ 		    newsub = tmpsub;
+-		    p = newsub + len + prevlen;
+		    p = newsub + prefixlen + prevsublen;
+ 		}
+ 	    }
+ 	    else if (magic)
+diff --git a/src/testdir/test_substitute.vim b/src/testdir/test_substitute.vim
+index 7491b6163dc8..32e2f2785479 100644
+--- a/src/testdir/test_substitute.vim
+++ b/src/testdir/test_substitute.vim
+@@ -1394,6 +1394,20 @@ func Test_substitute_short_cmd()
+   bw!
+ endfunc
+ 
+" Check handling expanding "~" resulting in extremely long text.
+func Test_substitute_tilde_too_long()
+  enew!
+
+  s/.*/ixxx
+  s//~~~~~~~~~AAAAAAA@(
+
+  " Either fails with "out of memory" or "text too long".
+  " This can take a long time.
+  call assert_fails('sil! norm &&&&&&&&&', ['E1240:\|E342:'])
+
+  bwipe!
+endfunc
+
+ " This should be done last to reveal a memory leak when vim_regsub_both() is
+ " called to evaluate an expression but it is not used in a second call.
+ func Test_z_substitute_expr_leak()
--- a/vim.spec
+++ b/vim.spec
@ -12,7 +12,7 @@
 Name:           vim
 Epoch:          2
 Version:        9.0
-Release:        14
+Release:        15
 Summary:        Vim is a highly configurable text editor for efficiently creating and changing any kind of text.
 License:        Vim and MIT
 URL:            http://www.vim.org
@ -94,6 +94,8 @@ Patch6064:      backport-CVE-2023-1175.patch
 Patch6065:      backport-CVE-2023-1264.patch
 Patch6066:      backport-vim-7.0-rclocation.patch
 Patch6067:      backport-CVE-2023-2426.patch
+Patch6068:      backport-CVE-2023-2609.patch
+Patch6069:      backport-CVE-2023-2610.patch

 Patch9000:      bugfix-rm-modify-info-version.patch
 Patch9001:      vim-Add-sw64-architecture.patch
@ -502,6 +504,12 @@ LC_ALL=en_US.UTF-8 make -j1 test
 %{_mandir}/man1/evim.*

 %changelog
+* Sat May 13 2023 wangjiang <wangjiang37@h-partners.com> - 2:9.0-15
+- Type:CVE
+- ID:CVE-2023-2609 CVE-2023-2610
+- SUG:NA
+- DESC:CVE-2023-2609 CVE-2023-2610
+
 * Thu May 04 2023 wangjiang <wangjiang37@h-partners.com> - 2:9.0-14
 - Type:CVE
 - ID:CVE-2023-2426