packages/vim
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix CVE-2021-3872 CVE-2021-3875

Browse Source 
(cherry picked from commit b5cc6a5a1a526366507ac96f11e18a4c32470ca1)
This commit is contained in:
shixuantong 2021-10-23 09:47:15 +08:00 committed by openeuler-sync-bot
parent a95e946293
commit 567a3e2f5b
3 changed files with 133 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

70
backport-CVE-2021-3872.patch Normal file
View File

@ -0,0 +1,70 @@
From 826bfe4bbd7594188e3d74d2539d9707b1c6a14b Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Fri, 8 Oct 2021 18:39:28 +0100
Subject: [PATCH] patch 8.2.3487: illegal memory access if buffer name is very
long
Problem: Illegal memory access if buffer name is very long.
Solution: Make sure not to go over the end of the buffer.
---
src/drawscreen.c | 10 +++++-----
src/testdir/test_statusline.vim | 10 ++++++++++
2 files changed, 15 insertions(+), 5 deletions(-)
diff --git a/src/drawscreen.c b/src/drawscreen.c
index 3a88ee9..9acb705 100644
--- a/src/drawscreen.c
+++ b/src/drawscreen.c
@@ -446,13 +446,13 @@ win_redr_status(win_T *wp, int ignore_pum UNUSED)
*(p + len++) = ' ';
if (bt_help(wp->w_buffer))
{
- STRCPY(p + len, _("[Help]"));
+ vim_snprintf((char *)p + len, MAXPATHL - len, "%s", _("[Help]"));
len += (int)STRLEN(p + len);
}
#ifdef FEAT_QUICKFIX
if (wp->w_p_pvw)
{
- STRCPY(p + len, _("[Preview]"));
+ vim_snprintf((char *)p + len, MAXPATHL - len, "%s", _("[Preview]"));
len += (int)STRLEN(p + len);
}
#endif
@@ -462,12 +462,12 @@ win_redr_status(win_T *wp, int ignore_pum UNUSED)
#endif
)
{
- STRCPY(p + len, "[+]");
- len += 3;
+ vim_snprintf((char *)p + len, MAXPATHL - len, "%s", "[+]");
+ len += (int)STRLEN(p + len);
}
if (wp->w_buffer->b_p_ro)
{
- STRCPY(p + len, _("[RO]"));
+ vim_snprintf((char *)p + len, MAXPATHL - len, "%s", _("[RO]"));
len += (int)STRLEN(p + len);
}
diff --git a/src/testdir/test_statusline.vim b/src/testdir/test_statusline.vim
index 1f705b8..febb5d6 100644
--- a/src/testdir/test_statusline.vim
+++ b/src/testdir/test_statusline.vim
@@ -393,3 +393,13 @@ func Test_statusline_visual()
bwipe! x1
bwipe! x2
endfunc
+
+" Used to write beyond allocated memory. This assumes MAXPATHL is 4096 bytes.
+func Test_statusline_verylong_filename()
+ let fname = repeat('x', 4090)
+ exe "new " .. fname
+ set buftype=help
+ set previewwindow
+ redraw
+ bwipe!
+endfunc
--
2.27.0

54
backport-CVE-2021-3875.patch Normal file
View File

@ -0,0 +1,54 @@
From 35a319b77f897744eec1155b736e9372c9c5575f Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Sat, 9 Oct 2021 13:58:55 +0100
Subject: [PATCH] patch 8.2.3489: ml_get error after search with range
Problem: ml_get error after search with range.
Solution: Limit the line number to the buffer line count.
---
src/ex_docmd.c | 6 ++++--
src/testdir/test_search.vim | 14 ++++++++++++++
2 files changed, 18 insertions(+), 2 deletions(-)
diff --git a/src/ex_docmd.c b/src/ex_docmd.c
index 76daf43..12554fa 100644
--- a/src/ex_docmd.c
+++ b/src/ex_docmd.c
@@ -3586,8 +3586,10 @@ get_address(
// When '/' or '?' follows another address, start from
// there.
- if (lnum != MAXLNUM)
- curwin->w_cursor.lnum = lnum;
+ if (lnum > 0 && lnum != MAXLNUM)
+ curwin->w_cursor.lnum =
+ lnum > curbuf->b_ml.ml_line_count
+ ? curbuf->b_ml.ml_line_count : lnum;
// Start a forward search at the end of the line (unless
// before the first line).
diff --git a/src/testdir/test_search.vim b/src/testdir/test_search.vim
index 1876713..ac0881c 100644
--- a/src/testdir/test_search.vim
+++ b/src/testdir/test_search.vim
@@ -1366,3 +1366,17 @@ func Test_searchdecl()
bwipe!
endfunc
+
+func Test_search_with_invalid_range()
+ new
+ let lines =<< trim END
+ /\%.v
+ 5/
+ c
+ END
+ call writefile(lines, 'Xrangesearch')
+ source Xrangesearch
+
+ bwipe!
+ call delete('Xrangesearch')
+endfunc
--
2.27.0

10
vim.spec
View File

@ -12,7 +12,7 @@
Name: vim Name: vim
Epoch: 2 Epoch: 2
Version: 8.2 Version: 8.2
Release: 11 Release: 12
Summary: Vim is a highly configurable text editor for efficiently creating and changing any kind of text. Summary: Vim is a highly configurable text editor for efficiently creating and changing any kind of text.
License: Vim and MIT License: Vim and MIT
URL: http://www.vim.org URL: http://www.vim.org
@ -40,6 +40,8 @@ Patch6002: backport-CVE-2021-3770.patch
Patch6003: backport-memory-leak-for-retab-with-invalid-argument.patch Patch6003: backport-memory-leak-for-retab-with-invalid-argument.patch
Patch6004: backport-CVE-2021-3778.patch Patch6004: backport-CVE-2021-3778.patch
Patch6005: backport-CVE-2021-3796.patch Patch6005: backport-CVE-2021-3796.patch
Patch6006: backport-CVE-2021-3872.patch
Patch6007: backport-CVE-2021-3875.patch
Patch9000: bugfix-rm-modify-info-version.patch Patch9000: bugfix-rm-modify-info-version.patch
@ -428,6 +430,12 @@ popd
%{_mandir}/man1/evim.* %{_mandir}/man1/evim.*
%changelog %changelog
* Sat Oct 23 2021 shixuantong<shixuantong@huawei> - 2:8.2-12
- Type:CVE
- ID:CVE-2021-3872 CVE-2021-3875
- SUG:NA
- DESC:fix CVE-2021-3872 CVE-2021-3875
* Sun Sep 26 2021 shixuantong<shixuantong@huawei> - 2:8.2-11 * Sun Sep 26 2021 shixuantong<shixuantong@huawei> - 2:8.2-11
- Type:CVE - Type:CVE
- ID:CVE-2021-3778 CVE-2021-3796 - ID:CVE-2021-3778 CVE-2021-3796