fix CVE-2021-3872 CVE-2021-3875

(cherry picked from commit b5cc6a5a1a526366507ac96f11e18a4c32470ca1)
2021-10-23 09:47:15 +08:00 · 2021-10-23 09:47:15 +08:00 · 567a3e2f5b
commit 567a3e2f5b
parent a95e946293
3 changed files with 133 additions and 1 deletions
--- a/backport-CVE-2021-3872.patch
+++ b/backport-CVE-2021-3872.patch
@ -0,0 +1,70 @@
+From 826bfe4bbd7594188e3d74d2539d9707b1c6a14b Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Fri, 8 Oct 2021 18:39:28 +0100
+Subject: [PATCH] patch 8.2.3487: illegal memory access if buffer name is very
+ long
+
+Problem:    Illegal memory access if buffer name is very long.
+Solution:   Make sure not to go over the end of the buffer.
+---
+ src/drawscreen.c                | 10 +++++-----
+ src/testdir/test_statusline.vim | 10 ++++++++++
+ 2 files changed, 15 insertions(+), 5 deletions(-)
+
+diff --git a/src/drawscreen.c b/src/drawscreen.c
+index 3a88ee9..9acb705 100644
+--- a/src/drawscreen.c
+++ b/src/drawscreen.c
+@@ -446,13 +446,13 @@ win_redr_status(win_T *wp, int ignore_pum UNUSED)
+ 	    *(p + len++) = ' ';
+ 	if (bt_help(wp->w_buffer))
+ 	{
+-	    STRCPY(p + len, _("[Help]"));
+	    vim_snprintf((char *)p + len, MAXPATHL - len, "%s", _("[Help]"));
+ 	    len += (int)STRLEN(p + len);
+ 	}
+ #ifdef FEAT_QUICKFIX
+ 	if (wp->w_p_pvw)
+ 	{
+-	    STRCPY(p + len, _("[Preview]"));
+	    vim_snprintf((char *)p + len, MAXPATHL - len, "%s", _("[Preview]"));
+ 	    len += (int)STRLEN(p + len);
+ 	}
+ #endif
+@@ -462,12 +462,12 @@ win_redr_status(win_T *wp, int ignore_pum UNUSED)
+ #endif
+ 		)
+ 	{
+-	    STRCPY(p + len, "[+]");
+-	    len += 3;
+	    vim_snprintf((char *)p + len, MAXPATHL - len, "%s", "[+]");
+	    len += (int)STRLEN(p + len);
+ 	}
+ 	if (wp->w_buffer->b_p_ro)
+ 	{
+-	    STRCPY(p + len, _("[RO]"));
+	    vim_snprintf((char *)p + len, MAXPATHL - len, "%s", _("[RO]"));
+ 	    len += (int)STRLEN(p + len);
+ 	}
+ 
+diff --git a/src/testdir/test_statusline.vim b/src/testdir/test_statusline.vim
+index 1f705b8..febb5d6 100644
+--- a/src/testdir/test_statusline.vim
+++ b/src/testdir/test_statusline.vim
+@@ -393,3 +393,13 @@ func Test_statusline_visual()
+   bwipe! x1
+   bwipe! x2
+ endfunc
+
+" Used to write beyond allocated memory.  This assumes MAXPATHL is 4096 bytes.
+func Test_statusline_verylong_filename()
+  let fname = repeat('x', 4090)
+  exe "new " .. fname
+  set buftype=help
+  set previewwindow
+  redraw
+  bwipe!
+endfunc
+-- 
+2.27.0
+
--- a/backport-CVE-2021-3875.patch
+++ b/backport-CVE-2021-3875.patch
@ -0,0 +1,54 @@
+From 35a319b77f897744eec1155b736e9372c9c5575f Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Sat, 9 Oct 2021 13:58:55 +0100
+Subject: [PATCH] patch 8.2.3489: ml_get error after search with range
+
+Problem:    ml_get error after search with range.
+Solution:   Limit the line number to the buffer line count.
+---
+ src/ex_docmd.c              |  6 ++++--
+ src/testdir/test_search.vim | 14 ++++++++++++++
+ 2 files changed, 18 insertions(+), 2 deletions(-)
+
+diff --git a/src/ex_docmd.c b/src/ex_docmd.c
+index 76daf43..12554fa 100644
+--- a/src/ex_docmd.c
+++ b/src/ex_docmd.c
+@@ -3586,8 +3586,10 @@ get_address(
+ 
+ 		    // When '/' or '?' follows another address, start from
+ 		    // there.
+-		    if (lnum != MAXLNUM)
+-			curwin->w_cursor.lnum = lnum;
+		    if (lnum > 0 && lnum != MAXLNUM)
+			curwin->w_cursor.lnum =
+				lnum > curbuf->b_ml.ml_line_count
+					   ? curbuf->b_ml.ml_line_count : lnum;
+ 
+ 		    // Start a forward search at the end of the line (unless
+ 		    // before the first line).
+diff --git a/src/testdir/test_search.vim b/src/testdir/test_search.vim
+index 1876713..ac0881c 100644
+--- a/src/testdir/test_search.vim
+++ b/src/testdir/test_search.vim
+@@ -1366,3 +1366,17 @@ func Test_searchdecl()
+ 
+   bwipe!
+ endfunc
+
+func Test_search_with_invalid_range()
+  new
+  let lines =<< trim END
+    /\%.v
+    5/
+    c
+  END
+  call writefile(lines, 'Xrangesearch')
+  source Xrangesearch
+
+  bwipe!
+  call delete('Xrangesearch')
+endfunc
+-- 
+2.27.0
+
--- a/vim.spec
+++ b/vim.spec
@ -12,7 +12,7 @@
 Name:           vim
 Epoch:          2
 Version:        8.2
-Release:        11
+Release:        12
 Summary:        Vim is a highly configurable text editor for efficiently creating and changing any kind of text.
 License:        Vim and MIT
 URL:            http://www.vim.org
@ -40,6 +40,8 @@ Patch6002:      backport-CVE-2021-3770.patch
 Patch6003:      backport-memory-leak-for-retab-with-invalid-argument.patch
 Patch6004:      backport-CVE-2021-3778.patch
 Patch6005:      backport-CVE-2021-3796.patch
+Patch6006:      backport-CVE-2021-3872.patch
+Patch6007:      backport-CVE-2021-3875.patch

 Patch9000:      bugfix-rm-modify-info-version.patch

@ -428,6 +430,12 @@ popd
 %{_mandir}/man1/evim.*

 %changelog
+* Sat Oct 23 2021 shixuantong<shixuantong@huawei> - 2:8.2-12
+- Type:CVE
+- ID:CVE-2021-3872 CVE-2021-3875
+- SUG:NA
+- DESC:fix CVE-2021-3872 CVE-2021-3875
+
 * Sun Sep 26 2021 shixuantong<shixuantong@huawei> - 2:8.2-11
 - Type:CVE
 - ID:CVE-2021-3778 CVE-2021-3796