packages/vim
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix CVE-2021-3778 CVE-2021-3796

Browse Source 
(cherry picked from commit d4716c3ee0cdc291d68f1e0c5b9cd8308c0d7ce7)
This commit is contained in:
shixuantong 2021-09-26 17:36:46 +08:00 committed by openeuler-sync-bot
parent f0de01956c
commit 63b09b20ef
3 changed files with 122 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

46
backport-CVE-2021-3778.patch Normal file
View File

@ -0,0 +1,46 @@
From 65b605665997fad54ef39a93199e305af2fe4d7f Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Tue, 7 Sep 2021 19:26:53 +0200
Subject: [PATCH] patch 8.2.3409: reading beyond end of line with invalid utf-8
character
Problem: Reading beyond end of line with invalid utf-8 character.
Solution: Check for NUL when advancing.
---
src/regexp_nfa.c | 3 ++-
src/testdir/test_regexp_utf8.vim | 8 ++++++++
2 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/src/regexp_nfa.c b/src/regexp_nfa.c
index fb512f9..bc4a4b6 100644
--- a/src/regexp_nfa.c
+++ b/src/regexp_nfa.c
@@ -5455,7 +5455,8 @@ find_match_text(colnr_T startcol, int regstart, char_u *match_text)
match = FALSE;
break;
}
- len2 += MB_CHAR2LEN(c2);
+ len2 += enc_utf8 ? utf_ptr2len(rex.line + col + len2)
+ : MB_CHAR2LEN(c2);
}
if (match
// check that no composing char follows
diff --git a/src/testdir/test_regexp_utf8.vim b/src/testdir/test_regexp_utf8.vim
index 19ff882..6d0ce59 100644
--- a/src/testdir/test_regexp_utf8.vim
+++ b/src/testdir/test_regexp_utf8.vim
@@ -215,3 +215,11 @@ func Test_optmatch_toolong()
set re=0
endfunc
+func Test_match_invalid_byte()
+ call writefile(0z630a.765d30aa0a.2e0a.790a.4030, 'Xinvalid')
+ new
+ source Xinvalid
+ bwipe!
+ call delete('Xinvalid')
+endfunc
+
--
1.8.3.1

67
backport-CVE-2021-3796.patch Normal file
View File

@ -0,0 +1,67 @@
From 35a9a00afcb20897d462a766793ff45534810dc3 Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Sat, 11 Sep 2021 21:14:20 +0200
Subject: [PATCH] patch 8.2.3428: using freed memory when replacing
Problem: Using freed memory when replacing. (Dhiraj Mishra)
Solution: Get the line pointer after calling ins_copychar().
---
src/normal.c | 10 +++++++---
src/testdir/test_edit.vim | 13 +++++++++++++
2 files changed, 20 insertions(+), 3 deletions(-)
diff --git a/src/normal.c b/src/normal.c
index c4963e6..d6333b9 100644
--- a/src/normal.c
+++ b/src/normal.c
@@ -5009,19 +5009,23 @@ nv_replace(cmdarg_T *cap)
{
/*
* Get ptr again, because u_save and/or showmatch() will have
- * released the line. At the same time we let know that the
- * line will be changed.
+ * released the line. This may also happen in ins_copychar().
+ * At the same time we let know that the line will be changed.
*/
- ptr = ml_get_buf(curbuf, curwin->w_cursor.lnum, TRUE);
if (cap->nchar == Ctrl_E || cap->nchar == Ctrl_Y)
{
int c = ins_copychar(curwin->w_cursor.lnum
+ (cap->nchar == Ctrl_Y ? -1 : 1));
+
+ ptr = ml_get_buf(curbuf, curwin->w_cursor.lnum, TRUE);
if (c != NUL)
ptr[curwin->w_cursor.col] = c;
}
else
+ {
+ ptr = ml_get_buf(curbuf, curwin->w_cursor.lnum, TRUE);
ptr[curwin->w_cursor.col] = cap->nchar;
+ }
if (p_sm && msg_silent == 0)
showmatch(cap->nchar);
++curwin->w_cursor.col;
diff --git a/src/testdir/test_edit.vim b/src/testdir/test_edit.vim
index 4e29e7f..c3b1af5 100644
--- a/src/testdir/test_edit.vim
+++ b/src/testdir/test_edit.vim
@@ -1519,3 +1519,16 @@ func Test_edit_noesckeys()
bwipe!
set esckeys
endfunc
+
+" Test for getting the character of the line below after "p"
+func Test_edit_put_CTRL_E()
+ set encoding=latin1
+ new
+ let @" = ''
+ sil! norm orggRx
+ sil! norm pr
+ call assert_equal(['r', 'r'], getline(1, 2))
+ bwipe!
+ set encoding=utf-8
+endfunc
+
--
1.8.3.1

10
vim.spec
View File

@ -12,7 +12,7 @@
Name: vim Name: vim
Epoch: 2 Epoch: 2
Version: 8.2 Version: 8.2
Release: 10 Release: 11
Summary: Vim is a highly configurable text editor for efficiently creating and changing any kind of text. Summary: Vim is a highly configurable text editor for efficiently creating and changing any kind of text.
License: Vim and MIT License: Vim and MIT
URL: http://www.vim.org URL: http://www.vim.org
@ -38,6 +38,8 @@ Patch6000: backport-Configure-does-not-recognize-gcc-10.0-and-later.patch
Patch6001: backport-8.2.2550-signal-stack-size-is-wrong-with-lates.patch Patch6001: backport-8.2.2550-signal-stack-size-is-wrong-with-lates.patch
Patch6002: backport-CVE-2021-3770.patch Patch6002: backport-CVE-2021-3770.patch
Patch6003: backport-memory-leak-for-retab-with-invalid-argument.patch Patch6003: backport-memory-leak-for-retab-with-invalid-argument.patch
Patch6004: backport-CVE-2021-3778.patch
Patch6005: backport-CVE-2021-3796.patch
Patch9000: bugfix-rm-modify-info-version.patch Patch9000: bugfix-rm-modify-info-version.patch
@ -426,6 +428,12 @@ popd
%{_mandir}/man1/evim.* %{_mandir}/man1/evim.*
%changelog %changelog
* Sun Sep 26 2021 shixuantong<shixuantong@huawei> - 2:8.2-11
- Type:CVE
- ID:CVE-2021-3778 CVE-2021-3796
- SUG:NA
- DESC:fix CVE-2021-3778 CVE-2021-3796
* Sat Sep 11 2021 shixuantong<shixuantong@huawei> - 2:8.2-10 * Sat Sep 11 2021 shixuantong<shixuantong@huawei> - 2:8.2-10
- Type:CVE - Type:CVE
- ID:NA - ID:NA