!427 [sync] PR-425: fix CVE-2022-3324

From: @openeuler-sync-bot Reviewed-by: @lvying6 Signed-off-by: @lvying6
2022-10-18 07:07:29 +00:00 · 2022-10-18 07:07:29 +00:00 · 62dc2f149d
commit 62dc2f149d
parent 7866537ba3 bc2e577146
2 changed files with 78 additions and 1 deletions
--- a/backport-CVE-2022-3324.patch
+++ b/backport-CVE-2022-3324.patch
@ -0,0 +1,70 @@
+From 8279af514ca7e5fd3c31cf13b0864163d1a0bfeb Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Mon, 26 Sep 2022 23:08:22 +0100
+Subject: [PATCH] patch 9.0.0598: using negative array index with negative
+ width window
+
+Problem:    Using negative array index with negative width window.
+Solution:   Make sure the window width does not become negative.
+---
+ src/testdir/test_cmdline.vim | 22 ++++++++++++++++++++++
+ src/window.c                 |  5 ++++-
+ 2 files changed, 26 insertions(+), 1 deletion(-)
+
+diff --git a/src/testdir/test_cmdline.vim b/src/testdir/test_cmdline.vim
+index c442d7f..0c8b3dd 100644
+--- a/src/testdir/test_cmdline.vim
+++ b/src/testdir/test_cmdline.vim
+@@ -962,4 +962,26 @@ func Test_cmdwin_freed_buffer_ptr()
+   bwipe!
+ endfunc
+ 
+" This was resulting in a window with negative width.
+" The test doesn't reproduce the illegal memory access though...
+func Test_cmdwin_split_often()
+  let lines = &lines
+  let columns = &columns
+  set t_WS=
+
+  try
+    set encoding=iso8859
+    set ruler
+    winsize 0 0
+    noremap 0 H
+    sil norm 0000000q:
+  catch /E36:/
+  endtry
+
+  bwipe!
+  set encoding=utf8
+  let &lines = lines
+  let &columns = columns
+endfunc
+
+ " vim: shiftwidth=2 sts=2 expandtab
+diff --git a/src/window.c b/src/window.c
+index e0df540..42e2742 100644
+--- a/src/window.c
+++ b/src/window.c
+@@ -2045,6 +2045,8 @@ win_equal_rec(
+ 		if (hnc)	    // add next_curwin size
+ 		{
+ 		    next_curwin_size -= p_wiw - (m - n);
+		    if (next_curwin_size < 0)
+			next_curwin_size = 0;
+ 		    new_size += next_curwin_size;
+ 		    room -= new_size - next_curwin_size;
+ 		}
+@@ -6180,7 +6182,8 @@ scroll_to_fraction(win_T *wp, int prev_height)
+     void
+ win_new_width(win_T *wp, int width)
+ {
+-    wp->w_width = width;
+    // Should we give an error if width < 0?
+    wp->w_width = width < 0 ? 0 : width;
+     wp->w_lines_valid = 0;
+     changed_line_abv_curs_win(wp);
+     invalidate_botline_win(wp);
+-- 
+2.27.0
+
--- a/vim.spec
+++ b/vim.spec
@ -12,7 +12,7 @@
 Name:           vim
 Epoch:          2
 Version:        8.2
-Release:        70
+Release:        71
 Summary:        Vim is a highly configurable text editor for efficiently creating and changing any kind of text.
 License:        Vim and MIT
 URL:            http://www.vim.org
@ -192,6 +192,7 @@ Patch6150:      backport-CVE-2022-3352.patch
 Patch6151:      backport-CVE-2022-3296.patch
 Patch6152:      backport-CVE-2022-3297.patch
 Patch6153:      backport-9.0.0581-adding-a-character-for-incsearch-fails-at-end-of-line.patch
+Patch6154:      backport-CVE-2022-3324.patch

 BuildRequires:  autoconf python3-devel ncurses-devel gettext perl-devel perl-generators gcc
 BuildRequires:  perl(ExtUtils::Embed) perl(ExtUtils::ParseXS) libacl-devel gpm-devel file
@ -581,6 +582,12 @@ LC_ALL=en_US.UTF-8 make -j1 test
 %{_mandir}/man1/evim.*

 %changelog
+* Mon Oct 17 2022 dongyuzhen <dongyuzhen@h-partners.com> - 2:8.2-71
+- Type:CVE
+- ID:CVE-2022-3324
+- SUG:NA
+- DESC:fix CVE-2022-3324
+
 * Fri Oct 14 2022 wangjiang <wangjiang37@h-partners.com> - 2:8.2-70
 - Type:CVE
 - ID:CVE-2022-3297