fix CVE-2022-1897 CVE-2022-1968

(cherry picked from commit 80ee775a088309791116383cc7d1d1e48e57e364)
2022-06-18 18:01:17 +08:00 · 2022-06-18 18:01:17 +08:00 · 793d4b9ed7
commit 793d4b9ed7
parent d1230baa14
3 changed files with 237 additions and 1 deletions
--- a/backport-CVE-2022-1897.patch
+++ b/backport-CVE-2022-1897.patch
@ -0,0 +1,139 @@
+From 338f1fc0ee3ca929387448fe464579d6113fa76a Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Thu, 26 May 2022 15:56:23 +0100
+Subject: [PATCH] patch 8.2.5023: substitute overwrites allocated buffer
+
+Problem:    Substitute overwrites allocated buffer.
+Solution:   Disallow undo when in a substitute command.
+---
+ src/normal.c                    | 42 ++++++++++++++++++++---------------------
+ src/testdir/test_substitute.vim | 23 ++++++++++++++++++++++
+ src/undo.c                      |  6 ++++++
+ 3 files changed, 50 insertions(+), 21 deletions(-)
+
+diff --git a/src/normal.c b/src/normal.c
+index f122627..d33a56a 100644
+--- a/src/normal.c
+++ b/src/normal.c
+@@ -161,6 +161,22 @@ typedef void (*nv_func_T)(cmdarg_T *cap);
+  */
+ 
+ /*
+ * If currently editing a cmdline or text is locked: beep and give an error
+ * message, return TRUE.
+ */
+    static int
+check_text_locked(oparg_T *oap)
+{
+    if (text_locked())
+    {
+       clearopbeep(oap);
+       text_locked_msg();
+       return TRUE;
+    }
+    return FALSE;
+}
+
+/*
+  * This table contains one entry for every Normal or Visual mode command.
+  * The order doesn't matter, init_normal_cmds() will create a sorted index.
+  * It is faster when all keys from zero to '~' are present.
+@@ -738,14 +754,9 @@ getcount:
+ 	goto normal_end;
+     }
+ 
+-    if (text_locked() && (nv_cmds[idx].cmd_flags & NV_NCW))
+-    {
+-	// This command is not allowed while editing a cmdline: beep.
+-	clearopbeep(oap);
+-	text_locked_msg();
+-	goto normal_end;
+-    }
+-    if ((nv_cmds[idx].cmd_flags & NV_NCW) && curbuf_locked())
+    if ((nv_cmds[idx].cmd_flags & NV_NCW)
+				&& (check_text_locked(oap) || curbuf_locked()))
+	// this command is not allowed now
+ 	goto normal_end;
+ 
+     /*
+@@ -4155,12 +4166,8 @@ nv_gotofile(cmdarg_T *cap)
+     char_u	*ptr;
+     linenr_T	lnum = -1;
+ 
+-    if (text_locked())
+-    {
+-	clearopbeep(cap->oap);
+-	text_locked_msg();
+    if (check_text_locked(cap->oap))
+ 	return;
+-    }
+     if (curbuf_locked())
+     {
+ 	clearop(cap->oap);
+@@ -6288,14 +6295,7 @@ nv_g_cmd(cmdarg_T *cap)
+ 
+     // "gQ": improved Ex mode
+     case 'Q':
+-	if (text_locked())
+-	{
+-	    clearopbeep(cap->oap);
+-	    text_locked_msg();
+-	    break;
+-	}
+-
+-	if (!checkclearopq(oap))
+	if (!check_text_locked(cap->oap) && !checkclearopq(oap))
+ 	    do_exmode(TRUE);
+ 	break;
+ 
+diff --git a/src/testdir/test_substitute.vim b/src/testdir/test_substitute.vim
+index 2404b32..be7aaa8 100644
+--- a/src/testdir/test_substitute.vim
+++ b/src/testdir/test_substitute.vim
+@@ -800,3 +800,26 @@ func Test_sub_open_cmdline_win()
+   call delete('Xscript')
+   call delete('Xresult')
+ endfunc
+
+" This was undoign a change in between computing the length and using it.
+func Do_Test_sub_undo_change()
+  new
+  norm o0000000000000000000000000000000000000000000000000000
+  silent! s/\%')/\=Repl()
+  bwipe!
+endfunc
+
+func Test_sub_undo_change()
+  func Repl()
+    silent! norm g-
+  endfunc
+  call Do_Test_sub_undo_change()
+
+  func! Repl()
+    silent earlier
+  endfunc
+  call Do_Test_sub_undo_change()
+
+  delfunc Repl
+endfunc
+
+diff --git a/src/undo.c b/src/undo.c
+index 3dcf277..b3a91b5 100644
+--- a/src/undo.c
+++ b/src/undo.c
+@@ -2283,6 +2283,12 @@ undo_time(
+     int		    above = FALSE;
+     int		    did_undo = TRUE;
+ 
+    if (text_locked())
+    {
+	text_locked_msg();
+	return;
+    }
+
+     // First make sure the current undoable change is synced.
+     if (curbuf->b_u_synced == FALSE)
+ 	u_sync(TRUE);
+-- 
+1.8.3.1
+
--- a/backport-CVE-2022-1968.patch
+++ b/backport-CVE-2022-1968.patch
@ -0,0 +1,89 @@
+From 409510c588b1eec1ae33511ae97a21eb8e110895 Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Wed, 1 Jun 2022 15:23:13 +0100
+Subject: [PATCH] patch 8.2.5050: using freed memory when searching for pattern
+ in path
+
+Problem:    Using freed memory when searching for pattern in path.
+Solution:   Make a copy of the line.
+---
+ src/search.c                 | 21 ++++++++++++++++++---
+ src/testdir/test_tagjump.vim | 11 +++++++++++
+ 2 files changed, 29 insertions(+), 3 deletions(-)
+
+diff --git a/src/search.c b/src/search.c
+index 75f0c59..701a8ed 100644
+--- a/src/search.c
+++ b/src/search.c
+@@ -5143,6 +5143,21 @@ search_stat(
+ }
+ 
+ #if defined(FEAT_FIND_ID) || defined(PROTO)
+
+/*
+ * Get line "lnum" and copy it into "buf[LSIZE]".
+ * The copy is made because the regexp may make the line invalid when using a
+ * mark.
+ */
+    static char_u *
+get_line_and_copy(linenr_T lnum, char_u *buf)
+{
+    char_u *line = ml_get(lnum);
+
+    vim_strncpy(buf, line, LSIZE - 1);
+    return buf;
+}
+
+ /*
+  * Find identifiers or defines in included files.
+  * If p_ic && (compl_cont_status & CONT_SOL) then ptr must be in lowercase.
+@@ -5245,7 +5260,7 @@ find_pattern_in_path(
+ 	end_lnum = curbuf->b_ml.ml_line_count;
+     if (lnum > end_lnum)		// do at least one line
+ 	lnum = end_lnum;
+-    line = ml_get(lnum);
+    line = get_line_and_copy(lnum, file_line);
+ 
+     for (;;)
+     {
+@@ -5573,7 +5588,7 @@ search_line:
+ 		    {
+ 			if (lnum >= end_lnum)
+ 			    goto exit_matched;
+-			line = ml_get(++lnum);
+			line = get_line_and_copy(++lnum, file_line);
+ 		    }
+ 		    else if (vim_fgets(line = file_line,
+ 						      LSIZE, files[depth].fp))
+@@ -5783,7 +5798,7 @@ exit_matched:
+ 	{
+ 	    if (++lnum > end_lnum)
+ 		break;
+-	    line = ml_get(lnum);
+	    line = get_line_and_copy(lnum, file_line);
+ 	}
+ 	already = NULL;
+     }
+diff --git a/src/testdir/test_tagjump.vim b/src/testdir/test_tagjump.vim
+index c682682..18a7f9b 100644
+--- a/src/testdir/test_tagjump.vim
+++ b/src/testdir/test_tagjump.vim
+@@ -571,4 +571,15 @@ func Test_define_search()
+ +  bwipe!
+ endfunc
+ 
+" this was using a line from ml_get() freed by the regexp
+func Test_isearch_copy_line()
+  new
+  norm o
+  norm 0
+  0norm o
+  sil! norm bc0
+  sil! isearch \%')
+  bwipe!
+endfunc
+
+ " vim: shiftwidth=2 sts=2 expandtab
+-- 
+1.8.3.1
+
--- a/vim.spec
+++ b/vim.spec
@ -12,7 +12,7 @@
 Name:           vim
 Epoch:          2
 Version:        8.2
-Release:        41
+Release:        42
 Summary:        Vim is a highly configurable text editor for efficiently creating and changing any kind of text.
 License:        Vim and MIT
 URL:            http://www.vim.org
@ -119,6 +119,8 @@ Patch6082:      backport-CVE-2022-1886.patch
 Patch6083:      backport-CVE-2022-1898.patch
 Patch6084:      backport-CVE-2022-1942.patch
 Patch6085:      backport-fix-test-failed.patch
+Patch6086:      backport-CVE-2022-1897.patch
+Patch6087:      backport-CVE-2022-1968.patch

 Patch9000:      bugfix-rm-modify-info-version.patch

@ -507,6 +509,12 @@ popd
 %{_mandir}/man1/evim.*

 %changelog
+* Sat Jun 18 2022 shixuantong <shixuantong@h-partners.com> - 2:8.2-42
+- Type:CVE
+- ID:CVE-2022-1897 CVE-2022-1968
+- SUG:NA
+- DESC:fix CVE-2022-1897 CVE-2022-1968
+
 * Wed Jun 15 2022 tianwei <tianwei12@h-partners.com> - 2:8.2-41
 - Type:CVE
 - ID:CVE-2022-1898 CVE-2022-1942