packages/vim
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix CVE-2023-1264

Browse Source
This commit is contained in:
wangjiang 2023-03-16 09:16:04 +00:00
parent 1be74814c9
commit 438a9e51aa
2 changed files with 145 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

137
backport-CVE-2023-1264.patch Normal file
View File

@ -0,0 +1,137 @@
From 7ac5023a5f1a37baafbe1043645f97ba3443d9f6 Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Tue, 7 Mar 2023 21:05:04 +0000
Subject: [PATCH] patch 9.0.1392: using NULL pointer with nested :open command
Problem: Using NULL pointer with nested :open command.
Solution: Check that ccline.cmdbuff is not NULL.
---
src/getchar.c | 17 ++++++++++-------
src/testdir/term_util.vim | 5 +++++
src/testdir/test_ex_mode.vim | 22 ++++++++++++++++++++++
3 files changed, 37 insertions(+), 7 deletions(-)
diff --git a/src/getchar.c b/src/getchar.c
index 6645be8a0ebd..dac57eb26c61 100644
--- a/src/getchar.c
+++ b/src/getchar.c
@@ -3019,7 +3019,7 @@ check_end_reg_executing(int advance)
static int
vgetorpeek(int advance)
{
- int c, c1;
+ int c;
int timedout = FALSE; // waited for more than 1 second
// for mapping to complete
int mapdepth = 0; // check for recursive mapping
@@ -3386,7 +3386,7 @@ vgetorpeek(int advance)
#ifdef FEAT_CMDL_INFO
showcmd_idx = 0;
#endif
- c1 = 0;
+ int showing_partial = FALSE;
if (typebuf.tb_len > 0 && advance && !exmode_active)
{
if (((State & (MODE_NORMAL | MODE_INSERT))
@@ -3401,7 +3401,7 @@ vgetorpeek(int advance)
edit_putchar(typebuf.tb_buf[typebuf.tb_off
+ typebuf.tb_len - 1], FALSE);
setcursor(); // put cursor back where it belongs
- c1 = 1;
+ showing_partial = TRUE;
}
#ifdef FEAT_CMDL_INFO
// need to use the col and row from above here
@@ -3420,8 +3420,10 @@ vgetorpeek(int advance)
#endif
}
- // this looks nice when typing a dead character map
+ // This looks nice when typing a dead character map.
+ // There is no actual command line for get_number().
if ((State & MODE_CMDLINE)
+ && get_cmdline_info()->cmdbuff != NULL
#if defined(FEAT_CRYPT) || defined(FEAT_EVAL)
&& cmdline_star == 0
#endif
@@ -3430,7 +3432,7 @@ vgetorpeek(int advance)
{
putcmdline(typebuf.tb_buf[typebuf.tb_off
+ typebuf.tb_len - 1], FALSE);
- c1 = 1;
+ showing_partial = TRUE;
}
}
@@ -3466,11 +3468,12 @@ vgetorpeek(int advance)
if (showcmd_idx != 0)
pop_showcmd();
#endif
- if (c1 == 1)
+ if (showing_partial)
{
if (State & MODE_INSERT)
edit_unputchar();
- if (State & MODE_CMDLINE)
+ if ((State & MODE_CMDLINE)
+ && get_cmdline_info()->cmdbuff != NULL)
unputcmdline();
else
setcursor(); // put cursor back where it belongs
diff --git a/src/testdir/term_util.vim b/src/testdir/term_util.vim
index 0f0373184505..88e2b33d083b 100644
--- a/src/testdir/term_util.vim
+++ b/src/testdir/term_util.vim
@@ -55,6 +55,7 @@ endfunc
" "cols" - width of the terminal window (max. 78)
" "statusoff" - number of lines the status is offset from default
" "wait_for_ruler" - if zero then don't wait for ruler to show
+" "no_clean" - if non-zero then remove "--clean" from the command
func RunVimInTerminal(arguments, options)
" If Vim doesn't exit a swap file remains, causing other tests to fail.
" Remove it here.
@@ -91,6 +92,10 @@ func RunVimInTerminal(arguments, options)
let cmd = GetVimCommandCleanTerm() .. reset_u7 .. a:arguments
+ if get(a:options, 'no_clean', 0)
+ let cmd = substitute(cmd, '--clean', '', '')
+ endif
+
let options = #{curwin: 1}
if &termwinsize == ''
let options.term_rows = rows
diff --git a/src/testdir/test_ex_mode.vim b/src/testdir/test_ex_mode.vim
index a6602227638a..d03ec8f2d81d 100644
--- a/src/testdir/test_ex_mode.vim
+++ b/src/testdir/test_ex_mode.vim
@@ -134,6 +134,28 @@ func Test_open_command_flush_line()
bwipe!
endfunc
+" FIXME: this doesn't fail without the fix but hangs
+func Skip_Test_open_command_state()
+ " Tricky script that failed because State was not set properly
+ let lines =<< trim END
+ !ls ƒ
+ 0scìi
+ so! Xsourced
+ set t_û0=0
+ v/-/o
+ END
+ call writefile(lines, 'XopenScript', '')
+
+ let sourced = ["!f\u0083\x02\<Esc>z=0"]
+ call writefile(sourced, 'Xsourced', 'b')
+
+ CheckRunVimInTerminal
+ let buf = RunVimInTerminal('-u NONE -i NONE -n -m -X -Z -e -s -S XopenScript -c qa!', #{rows: 6, wait_for_ruler: 0, no_clean: 1})
+ sleep 3
+
+ call StopVimInTerminal(buf)
+endfunc
+
" Test for :g/pat/visual to run vi commands in Ex mode
" This used to hang Vim before 8.2.0274.
func Test_Ex_global()

9
vim.spec
View File

@ -12,7 +12,7 @@
Name: vim Name: vim
Epoch: 2 Epoch: 2
Version: 9.0 Version: 9.0
Release: 11 Release: 12
Summary: Vim is a highly configurable text editor for efficiently creating and changing any kind of text. Summary: Vim is a highly configurable text editor for efficiently creating and changing any kind of text.
License: Vim and MIT License: Vim and MIT
URL: http://www.vim.org URL: http://www.vim.org
@ -91,6 +91,7 @@ Patch6061: backport-patch-9.0.0024-may-access-part-of-typeahead-buf-that-is
Patch6062: backport-patch-9.0.1331-illegal-memory-access-when-using-ball-in-Visual-mode.patch Patch6062: backport-patch-9.0.1331-illegal-memory-access-when-using-ball-in-Visual-mode.patch
Patch6063: backport-CVE-2023-1170.patch Patch6063: backport-CVE-2023-1170.patch
Patch6064: backport-CVE-2023-1175.patch Patch6064: backport-CVE-2023-1175.patch
Patch6065: backport-CVE-2023-1264.patch
Patch9000: bugfix-rm-modify-info-version.patch Patch9000: bugfix-rm-modify-info-version.patch
Patch9001: vim-Add-sw64-architecture.patch Patch9001: vim-Add-sw64-architecture.patch
@ -499,6 +500,12 @@ LC_ALL=en_US.UTF-8 make -j1 test
%{_mandir}/man1/evim.* %{_mandir}/man1/evim.*
%changelog %changelog
* Fri Mar 17 2023 wangjiang <wangjiang37@h-partners.com> - 2:9.0-12
- Type:CVE
- ID:CVE-2023-1264
- SUG:NA
- DESC:CVE-2023-1264
* Wed Mar 08 2023 wangjiang <wangjiang37@h-partners.com> - 2:9.0-11 * Wed Mar 08 2023 wangjiang <wangjiang37@h-partners.com> - 2:9.0-11
- Type:CVE - Type:CVE
- ID:CVE-2023-1170 CVE-2023-1175 - ID:CVE-2023-1170 CVE-2023-1175