fix CVE-2022-0319 CVE-2022-0554

2022-03-21 10:26:02 +08:00 · 2022-03-21 10:26:02 +08:00 · 4425b65cd8
commit 4425b65cd8
parent c8b8ee7ca4
3 changed files with 188 additions and 2 deletions
--- a/backport-CVE-2022-0319.patch
+++ b/backport-CVE-2022-0319.patch
@ -0,0 +1,65 @@
+From 05b27615481e72e3b338bb12990fb3e0c2ecc2a9 Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Thu, 20 Jan 2022 13:32:50 +0000
+Subject: [PATCH] patch 8.2.4154: ml_get error when exchanging windows in
+ Visual mode
+
+Problem:    ml_get error when exchanging windows in Visual mode.
+Solution:   Correct end of Visual area when entering another buffer
+
+Reference:https://github.com/vim/vim/commit/05b27615481e72e3b338bb12990fb3e0c2ecc2a9
+Conflict:NA
+---
+ src/testdir/test_visual.vim | 10 ++++++++++
+ src/window.c                |  7 ++++++-
+ 2 files changed, 16 insertions(+), 1 deletion(-)
+
+diff --git a/src/testdir/test_visual.vim b/src/testdir/test_visual.vim
+index fcf6473..4f8f056 100644
+--- a/src/testdir/test_visual.vim
+++ b/src/testdir/test_visual.vim
+@@ -705,6 +705,16 @@ func Test_visual_undo_deletes_last_line()
+   bwipe!
+ endfunc
+ 
+" this was causing an ml_get error
+func Test_visual_exchange_windows()
+  enew!
+  new
+  call setline(1, ['foo', 'bar'])
+  exe "normal G\<C-V>gg\<C-W>\<C-X>OO\<Esc>"
+  bwipe!
+  bwipe!
+endfunc
+
+ func Test_visual_mode_put()
+   new
+ 
+diff --git a/src/window.c b/src/window.c
+index 5b407d5..bb17167 100644
+--- a/src/window.c
+++ b/src/window.c
+@@ -1661,6 +1661,11 @@ win_exchange(long Prenum)
+ 
+     (void)win_comp_pos();		// recompute window positions
+ 
+    if (wp->w_buffer != curbuf)
+	reset_VIsual_and_resel();
+    else if (VIsual_active)
+	wp->w_cursor = curwin->w_cursor;
+
+     win_enter(wp, TRUE);
+     redraw_all_later(NOT_VALID);
+ }
+@@ -5114,7 +5119,7 @@ frame_remove(frame_T *frp)
+ win_alloc_lines(win_T *wp)
+ {
+     wp->w_lines_valid = 0;
+-    wp->w_lines = ALLOC_CLEAR_MULT(wline_T, Rows );
+    wp->w_lines = ALLOC_CLEAR_MULT(wline_T, Rows);
+     if (wp->w_lines == NULL)
+ 	return FAIL;
+     return OK;
+-- 
+2.27.0
+
--- a/backport-CVE-2022-0554.patch
+++ b/backport-CVE-2022-0554.patch
@ -0,0 +1,113 @@
+From e3537aec2f8d6470010547af28dcbd83d41461b8 Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Tue, 8 Feb 2022 15:05:20 +0000
+Subject: [PATCH] patch 8.2.4327: may end up with no current buffer
+
+Problem:    May end up with no current buffer.
+Solution:   When deleting the current buffer to not pick a quickfix buffer as
+            the new current buffer
+
+Reference:https://github.com/vim/vim/commit/e3537aec2f8d6470010547af28dcbd83d41461b8
+Conflict:NA
+---
+ src/buffer.c                  | 26 ++++++++++++++++++++++----
+ src/testdir/test_quickfix.vim | 25 +++++++++++++++++++++++++
+ 2 files changed, 47 insertions(+), 4 deletions(-)
+
+diff --git a/src/buffer.c b/src/buffer.c
+index e5f6a9b..3617c63 100644
+--- a/src/buffer.c
+++ b/src/buffer.c
+@@ -1520,8 +1520,14 @@ do_buffer(
+ 		buf = buflist_findnr(curwin->w_jumplist[jumpidx].fmark.fnum);
+ 		if (buf != NULL)
+ 		{
+-		    if (buf == curbuf || !buf->b_p_bl)
+-			buf = NULL;	// skip current and unlisted bufs
+		    // Skip current and unlisted bufs.  Also skip a quickfix
+		    // buffer, it might be deleted soon.
+		    if (buf == curbuf || !buf->b_p_bl
+#if defined(FEAT_QUICKFIX)
+			    || bt_quickfix(buf)
+#endif
+			    )
+			buf = NULL;
+ 		    else if (buf->b_ml.ml_mfp == NULL)
+ 		    {
+ 			// skip unloaded buf, but may keep it for later
+@@ -1558,7 +1564,11 @@ do_buffer(
+ 		    continue;
+ 		}
+ 		// in non-help buffer, try to skip help buffers, and vv
+-		if (buf->b_help == curbuf->b_help && buf->b_p_bl)
+		if (buf->b_help == curbuf->b_help && buf->b_p_bl
+#if defined(FEAT_QUICKFIX)
+			    && !bt_quickfix(buf)
+#endif
+			   )
+ 		{
+ 		    if (buf->b_ml.ml_mfp != NULL)   // found loaded buffer
+ 			break;
+@@ -1576,7 +1586,11 @@ do_buffer(
+ 	if (buf == NULL)	// No loaded buffer, find listed one
+ 	{
+ 	    FOR_ALL_BUFFERS(buf)
+-		if (buf->b_p_bl && buf != curbuf)
+		if (buf->b_p_bl && buf != curbuf
+#if defined(FEAT_QUICKFIX)
+			    && !bt_quickfix(buf)
+#endif
+		       )
+ 		    break;
+ 	}
+ 	if (buf == NULL)	// Still no buffer, just take one
+@@ -1585,6 +1599,10 @@ do_buffer(
+ 		buf = curbuf->b_next;
+ 	    else
+ 		buf = curbuf->b_prev;
+#if defined(FEAT_QUICKFIX)
+	    if (bt_quickfix(buf))
+		buf = NULL;
+#endif
+ 	}
+     }
+ 
+diff --git a/src/testdir/test_quickfix.vim b/src/testdir/test_quickfix.vim
+index 38a5236..72f3172 100644
+--- a/src/testdir/test_quickfix.vim
+++ b/src/testdir/test_quickfix.vim
+@@ -325,6 +325,31 @@ func Test_copenHeight_tabline()
+   set tabline& showtabline&
+ endfunc
+ 
+" Another sequence of commands that caused all buffers to be wiped out
+func Test_lopen_bwipe_all()
+  let lines =<< trim END
+    func R()
+      silent! tab lopen
+      e foo
+      silent! lfile
+    endfunc
+    cal R()
+    exe "norm \<C-W>\<C-V>0"
+    cal R()
+    bwipe
+
+    call writefile(['done'], 'Xresult')
+    qall!
+  END
+  call writefile(lines, 'Xscript')
+  if RunVim([], [], '-u NONE -n -X -Z -e -m -s -S Xscript')
+    call assert_equal(['done'], readfile('Xresult'))
+  endif
+
+  call delete('Xscript')
+  call delete('Xresult')
+endfunc
+
+ 
+ " Tests for the :cfile, :lfile, :caddfile, :laddfile, :cgetfile and :lgetfile
+ " commands.
+-- 
+2.27.0
+
--- a/vim.spec
+++ b/vim.spec
@ -12,7 +12,7 @@
 Name:           vim
 Epoch:          2
 Version:        8.2
-Release:        27
+Release:        28
 Summary:        Vim is a highly configurable text editor for efficiently creating and changing any kind of text.
 License:        Vim and MIT
 URL:            http://www.vim.org
@ -88,6 +88,8 @@ Patch6051:      backport-CVE-2022-0572.patch
 Patch6052:      backport-CVE-2022-0714.patch
 Patch6053:      backport-CVE-2022-0729.patch
 Patch6054:      backport-CVE-2022-0685.patch
+Patch6055:      backport-CVE-2022-0319.patch
+Patch6056:      backport-CVE-2022-0554.patch

 Patch9000:      bugfix-rm-modify-info-version.patch

@ -476,6 +478,12 @@ popd
 %{_mandir}/man1/evim.*

 %changelog
+* Mon Mar 21 2022 yuanxin <yuanxin24@h-partners.com> - 2:8.2-28
+- Type:CVE
+- ID:CVE-2022-0319 CVE-2022-0554
+- SUG:NA
+- DESC:fix CVE-2022-0319 CVE-2022-0554
+
 * Sat Mar 19 2022 yuanxin <yuanxin24@h-partners.com> - 2:8.2-27
 - Type:bugfix
 - ID:NA
@ -490,7 +498,7 @@ popd

 * Sat Mar 05 2022 yuanxin <yuanxin24@h-partners.com> - 2:8.2-25
 - Type:CVE
- ID:fix CVE-2022-0714 CVE-2022-0729
+- ID:CVE-2022-0714 CVE-2022-0729
 - SUG:NA
 - DESC:fix CVE-2022-0714 CVE-2022-0729