packages/vim
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

CVE-2022-1616

Browse Source 
(cherry picked from commit b2adf98c277dab6f069da4536af193f2db41538a)
This commit is contained in:
shangyibin 2022-05-09 16:07:18 +08:00 committed by openeuler-sync-bot
parent 95aecaeb53
commit 5909454d62
2 changed files with 66 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

58
backport-CVE-2022-1616.patch Normal file
View File

@ -0,0 +1,58 @@
From d88934406c5375d88f8f1b65331c9f0cab68cc6c Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Fri, 6 May 2022 20:38:47 +0100
Subject: [PATCH] patch 8.2.4895: buffer overflow with invalid command with
composing chars
Problem: Buffer overflow with invalid command with composing chars.
Solution: Check that the whole character fits in the buffer.
---
src/ex_docmd.c | 4 +++-
src/testdir/test_cmdline.vim | 11 +++++++++++
2 files changed, 14 insertions(+), 1 deletion(-)
diff --git a/src/ex_docmd.c b/src/ex_docmd.c
index dfcbf37..f142c46 100644
--- a/src/ex_docmd.c
+++ b/src/ex_docmd.c
@@ -3092,7 +3092,7 @@ append_command(char_u *cmd)
STRCAT(IObuff, ": ");
d = IObuff + STRLEN(IObuff);
- while (*s != NUL && d - IObuff < IOSIZE - 7)
+ while (*s != NUL && d - IObuff + 5 < IOSIZE)
{
if (enc_utf8 ? (s[0] == 0xc2 && s[1] == 0xa0) : *s == 0xa0)
{
@@ -3100,6 +3100,8 @@ append_command(char_u *cmd)
STRCPY(d, "<a0>");
d += 4;
}
+ else if (d - IObuff + (*mb_ptr2len)(s) + 1 >= IOSIZE)
+ break;
else
MB_COPY_CHAR(s, d);
}
diff --git a/src/testdir/test_cmdline.vim b/src/testdir/test_cmdline.vim
index 5297951..41a73d2 100644
--- a/src/testdir/test_cmdline.vim
+++ b/src/testdir/test_cmdline.vim
@@ -870,4 +870,15 @@ func Test_cmdwin_cedit()
delfunc CmdWinType
endfunc
+" this was going over the end of IObuff
+func Test_report_error_with_composing()
+ let caught = 'no'
+ try
+ exe repeat('0', 987) .. "0\xdd\x80\xdd\x80\xdd\x80\xdd\x80"
+ catch /E492:/
+ let caught = 'yes'
+ endtry
+ call assert_equal('yes', caught)
+endfunc
+
" vim: shiftwidth=2 sts=2 expandtab
--
2.27.0

9
vim.spec
View File

@ -12,7 +12,7 @@
Name: vim Name: vim
Epoch: 2 Epoch: 2
Version: 8.2 Version: 8.2
Release: 31 Release: 32
Summary: Vim is a highly configurable text editor for efficiently creating and changing any kind of text. Summary: Vim is a highly configurable text editor for efficiently creating and changing any kind of text.
License: Vim and MIT License: Vim and MIT
URL: http://www.vim.org URL: http://www.vim.org
@ -93,6 +93,7 @@ Patch6056: backport-CVE-2022-0554.patch
Patch6057: backport-CVE-2022-0943.patch Patch6057: backport-CVE-2022-0943.patch
Patch6058: backport-CVE-2021-4069.patch Patch6058: backport-CVE-2021-4069.patch
Patch6059: backport-CVE-2022-0629.patch Patch6059: backport-CVE-2022-0629.patch
Patch6060: backport-CVE-2022-1616.patch
Patch9000: bugfix-rm-modify-info-version.patch Patch9000: bugfix-rm-modify-info-version.patch
@ -481,6 +482,12 @@ popd
%{_mandir}/man1/evim.* %{_mandir}/man1/evim.*
%changelog %changelog
* Mon May 09 2022 shangyibin <shangyibin1@h-partners.com> - 2:8.2-32
- Type:CVE
- ID:CVE-2022-1616
- SUG:NA
- DESC:fix CVE-2022-1616
* Fri Apr 1 2022 wangjiang <wangjiang37@h-partners.com> - 2:8.2-31 * Fri Apr 1 2022 wangjiang <wangjiang37@h-partners.com> - 2:8.2-31
- Type:CVE - Type:CVE
- ID:CVE-2022-0629 - ID:CVE-2022-0629