packages/vim
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix CVE-2023-2609 CVE-2023-2610

Browse Source
This commit is contained in:
wangjiang 2023-05-13 14:41:02 +08:00
parent 209fbaa66c
commit 5bc6866757
3 changed files with 160 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

54
backport-CVE-2023-2609.patch Normal file
View File

@ -0,0 +1,54 @@
From d1ae8366aff286d41e7f5bc513cc0a1af5130aad Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Tue, 9 May 2023 17:09:30 +0100
Subject: [PATCH] patch 9.0.1531: crash when register contents ends up being
invalid
Problem: Crash when register contents ends up being invalid.
Solution: Check "y_array" is not NULL.
---
src/register.c | 2 +-
src/testdir/test_registers.vim | 17 +++++++++++++++++
2 files changed, 18 insertions(+), 1 deletion(-)
diff --git a/src/register.c b/src/register.c
index f3df79cfd642..e481d843c249 100644
--- a/src/register.c
+++ b/src/register.c
@@ -300,7 +300,7 @@ get_register(
if (copy)
{
// If we run out of memory some or all of the lines are empty.
- if (reg->y_size == 0)
+ if (reg->y_size == 0 || y_current->y_array == NULL)
reg->y_array = NULL;
else
reg->y_array = ALLOC_MULT(char_u *, reg->y_size);
diff --git a/src/testdir/test_registers.vim b/src/testdir/test_registers.vim
index e966932478d8..33ea0f4bd3e6 100644
--- a/src/testdir/test_registers.vim
+++ b/src/testdir/test_registers.vim
@@ -798,6 +798,23 @@ func Test_end_reg_executing()
bwipe!
endfunc
+" This was causing a crash because y_append was ending up being NULL
+func Test_zero_y_append()
+ " Run in a separate Vim instance because changing 'encoding' may cause
+ " trouble for later tests.
+ let lines =<< trim END
+ d
+ silent ?n
+ next <sfile>
+ so
+ sil! norm 0V€PSP
+ set enc=latin1
+  
+ END
+ call writefile(lines, 'XTest_zero_y_append', 'D')
+ call RunVim([], [], '-u NONE -i NONE -e -s -S XTest_zero_y_append -c qa\!')
+endfunc
+
" Make sure that y_append is correctly reset
" and the previous register is working as expected
func Test_register_y_append_reset()

97
backport-CVE-2023-2610.patch Normal file
View File

@ -0,0 +1,97 @@
From ab9a2d884b3a4abe319606ea95a5a6d6b01cd73a Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Tue, 9 May 2023 21:15:30 +0100
Subject: [PATCH] patch 9.0.1532: crash when expanding "~" in substitute causes
very long text
Problem: Crash when expanding "~" in substitute causes very long text.
Solution: Limit the text length to MAXCOL.
---
src/regexp.c | 30 +++++++++++++++++++-----------
src/testdir/test_substitute.vim | 14 ++++++++++++++
2 files changed, 33 insertions(+), 11 deletions(-)
diff --git a/src/regexp.c b/src/regexp.c
index 33b36d11a8be..0e6c746df819 100644
--- a/src/regexp.c
+++ b/src/regexp.c
@@ -1723,10 +1723,7 @@ do_Lower(int *d, int c)
regtilde(char_u *source, int magic)
{
char_u *newsub = source;
- char_u *tmpsub;
char_u *p;
- int len;
- int prevlen;
for (p = newsub; *p; ++p)
{
@@ -1735,24 +1732,35 @@ regtilde(char_u *source, int magic)
if (reg_prev_sub != NULL)
{
// length = len(newsub) - 1 + len(prev_sub) + 1
- prevlen = (int)STRLEN(reg_prev_sub);
- tmpsub = alloc(STRLEN(newsub) + prevlen);
+ // Avoid making the text longer than MAXCOL, it will cause
+ // trouble at some point.
+ size_t prevsublen = STRLEN(reg_prev_sub);
+ size_t newsublen = STRLEN(newsub);
+ if (prevsublen > MAXCOL || newsublen > MAXCOL
+ || newsublen + prevsublen > MAXCOL)
+ {
+ emsg(_(e_resulting_text_too_long));
+ break;
+ }
+
+ char_u *tmpsub = alloc(newsublen + prevsublen);
if (tmpsub != NULL)
{
// copy prefix
- len = (int)(p - newsub); // not including ~
- mch_memmove(tmpsub, newsub, (size_t)len);
+ size_t prefixlen = p - newsub; // not including ~
+ mch_memmove(tmpsub, newsub, prefixlen);
// interpret tilde
- mch_memmove(tmpsub + len, reg_prev_sub, (size_t)prevlen);
+ mch_memmove(tmpsub + prefixlen, reg_prev_sub,
+ prevsublen);
// copy postfix
if (!magic)
++p; // back off backslash
- STRCPY(tmpsub + len + prevlen, p + 1);
+ STRCPY(tmpsub + prefixlen + prevsublen, p + 1);
- if (newsub != source) // already allocated newsub
+ if (newsub != source) // allocated newsub before
vim_free(newsub);
newsub = tmpsub;
- p = newsub + len + prevlen;
+ p = newsub + prefixlen + prevsublen;
}
}
else if (magic)
diff --git a/src/testdir/test_substitute.vim b/src/testdir/test_substitute.vim
index 7491b6163dc8..32e2f2785479 100644
--- a/src/testdir/test_substitute.vim
+++ b/src/testdir/test_substitute.vim
@@ -1394,6 +1394,20 @@ func Test_substitute_short_cmd()
bw!
endfunc
+" Check handling expanding "~" resulting in extremely long text.
+func Test_substitute_tilde_too_long()
+ enew!
+
+ s/.*/ixxx
+ s//~~~~~~~~~AAAAAAA@(
+
+ " Either fails with "out of memory" or "text too long".
+ " This can take a long time.
+ call assert_fails('sil! norm &&&&&&&&&', ['E1240:\|E342:'])
+
+ bwipe!
+endfunc
+
" This should be done last to reveal a memory leak when vim_regsub_both() is
" called to evaluate an expression but it is not used in a second call.
func Test_z_substitute_expr_leak()

10
vim.spec
View File

@ -12,7 +12,7 @@
Name: vim
Epoch: 2
Version: 9.0
Release: 14
Release: 15
Summary: Vim is a highly configurable text editor for efficiently creating and changing any kind of text.
License: Vim and MIT
URL: http://www.vim.org
@ -94,6 +94,8 @@ Patch6064: backport-CVE-2023-1175.patch
Patch6065: backport-CVE-2023-1264.patch
Patch6066: backport-vim-7.0-rclocation.patch
Patch6067: backport-CVE-2023-2426.patch
Patch6068: backport-CVE-2023-2609.patch
Patch6069: backport-CVE-2023-2610.patch
Patch9000: bugfix-rm-modify-info-version.patch
Patch9001: vim-Add-sw64-architecture.patch
@ -502,6 +504,12 @@ LC_ALL=en_US.UTF-8 make -j1 test
%{_mandir}/man1/evim.*
%changelog
* Sat May 13 2023 wangjiang <wangjiang37@h-partners.com> - 2:9.0-15
- Type:CVE
- ID:CVE-2023-2609 CVE-2023-2610
- SUG:NA
- DESC:CVE-2023-2609 CVE-2023-2610
* Thu May 04 2023 wangjiang <wangjiang37@h-partners.com> - 2:9.0-14
- Type:CVE
- ID:CVE-2023-2426