fix CVE-2022-4292 CVE-2022-4293

2022-12-08 10:36:27 +08:00 · 2022-12-08 10:36:27 +08:00 · 79f2104080
commit 79f2104080
parent 50d9d890a7
4 changed files with 257 additions and 1 deletions
--- a/backport-CVE-2022-4292.patch
+++ b/backport-CVE-2022-4292.patch
@ -0,0 +1,55 @@
+From c3d27ada14acd02db357f2d16347acc22cb17e93 Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Mon, 14 Nov 2022 20:52:14 +0000
+Subject: [PATCH] patch 9.0.0882: using freed memory after SpellFileMissing
+ autocmd uses bwipe
+
+Problem:    Using freed memory after SpellFileMissing autocmd uses bwipe.
+Solution:   Bail out if the window no longer exists.
+---
+ src/spell.c                |  4 ++--
+ src/testdir/test_spell.vim | 13 +++++++++++++
+ 2 files changed, 15 insertions(+), 2 deletions(-)
+
+diff --git a/src/spell.c b/src/spell.c
+index 3664425..d204a95 100644
+--- a/src/spell.c
+++ b/src/spell.c
+@@ -2101,8 +2101,8 @@ did_set_spelllang(win_T *wp)
+ 	    {
+ 		spell_load_lang(lang);
+ 		// SpellFileMissing autocommands may do anything, including
+-		// destroying the buffer we are using...
+-		if (!bufref_valid(&bufref))
+		// destroying the buffer we are using or closing the window.
+		if (!bufref_valid(&bufref) || !win_valid_any_tab(wp))
+ 		{
+ 		    ret_msg = N_(e_spellfilemising_autocommand_deleted_buffer);
+ 		    goto theend;
+diff --git a/src/testdir/test_spell.vim b/src/testdir/test_spell.vim
+index bc948b0..33f0931 100644
+--- a/src/testdir/test_spell.vim
+++ b/src/testdir/test_spell.vim
+@@ -157,6 +157,19 @@ func Test_spell_file_missing()
+   %bwipe!
+ endfunc
+ 
+func Test_spell_file_missing_bwipe()
+  " this was using a window that was wiped out in a SpellFileMissing autocmd
+  set spelllang=xy
+  au SpellFileMissing * n0
+  set spell
+  au SpellFileMissing * bw
+  snext somefile
+
+  au! SpellFileMissing
+  bwipe!
+  set nospell spelllang=en
+endfunc
+
+ func Test_spelldump()
+   " In case the spell file is not found avoid getting the download dialog, we
+   " would get stuck at the prompt.
+-- 
+2.33.0
+
--- a/backport-CVE-2022-4293.patch
+++ b/backport-CVE-2022-4293.patch
@ -0,0 +1,55 @@
+From cdef1cefa2a440911c727558562f83ed9b00e16b Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Thu, 20 Oct 2022 14:17:18 +0100
+Subject: [PATCH] patch 9.0.0804: crash when trying to divide a number by -1
+
+Problem:    Crash when trying to divice the largest negative number by -1.
+Solution:   Handle this case specifically.
+---
+ src/eval.c                | 8 +++++++-
+ src/testdir/test_expr.vim | 6 ++++++
+ 2 files changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/src/eval.c b/src/eval.c
+index 1652fcb4ae48..062fab0ac949 100644
+--- a/src/eval.c
+++ b/src/eval.c
+@@ -82,6 +82,12 @@ num_divide(varnumber_T n1, varnumber_T n2, int *failed)
+ 	else
+ 	    result = VARNUM_MAX;
+     }
+    else if (n1 == VARNUM_MIN && n2 == -1)
+    {
+	// specific case: trying to do VARNUM_MIN / -1 results in a positive
+	// number that doesn't fit in varnumber_T and causes an FPE
+	result = VARNUM_MAX;
+    }
+     else
+ 	result = n1 / n2;
+ 
+@@ -5906,7 +5912,7 @@ var2fpos(
+ }
+ 
+ /*
+- * Convert list in "arg" into position "psop" and optional file number "fnump".
+ * Convert list in "arg" into position "posp" and optional file number "fnump".
+  * When "fnump" is NULL there is no file number, only 3 items: [lnum, col, off]
+  * Note that the column is passed on as-is, the caller may want to decrement
+  * it to use 1 for the first column.
+diff --git a/src/testdir/test_expr.vim b/src/testdir/test_expr.vim
+index b47896340f60..e1fed369b747 100644
+--- a/src/testdir/test_expr.vim
+++ b/src/testdir/test_expr.vim
+@@ -764,6 +764,12 @@ func Test_eval_after_if()
+   call assert_equal('b', s:val)
+ endfunc
+ 
+func Test_divide_by_zero()
+  " only tests that this doesn't crash, the result is not important
+  echo 0 / 0
+  echo 0 / 0 / -1
+endfunc
+
+ " Test for command-line completion of expressions
+ func Test_expr_completion()
+   CheckFeature cmdline_compl
--- a/backport-patch-9.0.0712-wrong-column-when-calling-setcursorch-with-zero-lnum.patch
+++ b/backport-patch-9.0.0712-wrong-column-when-calling-setcursorch-with-zero-lnum.patch
@ -0,0 +1,137 @@
+From 79f234499b6692cc16970b7455bc9b002242632f Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Mon, 10 Oct 2022 12:42:57 +0100
+Subject: [PATCH] patch 9.0.0712: wrong column when calling setcursorcharpos()
+ with zero lnum
+
+Problem:    Wrong column when calling setcursorcharpos() with zero lnum.
+Solution:   Set the line number before calling buf_charidx_to_byteidx().
+            (closes #11329)
+---
+ src/eval.c                       | 10 +++++++---
+ src/evalfunc.c                   | 26 ++++++++++++++------------
+ src/testdir/test_cursor_func.vim |  6 ++++++
+ 3 files changed, 27 insertions(+), 15 deletions(-)
+
+diff --git a/src/eval.c b/src/eval.c
+index 8df374a..cbd4740 100644
+--- a/src/eval.c
+++ b/src/eval.c
+@@ -5906,10 +5906,12 @@ var2fpos(
+ }
+ 
+ /*
+- * Convert list in "arg" into a position and optional file number.
+- * When "fnump" is NULL there is no file number, only 3 items.
+ * Convert list in "arg" into position "psop" and optional file number "fnump".
+ * When "fnump" is NULL there is no file number, only 3 items: [lnum, col, off]
+  * Note that the column is passed on as-is, the caller may want to decrement
+  * it to use 1 for the first column.
+ * If "charcol" is TRUE use the column as the character index instead of the
+ * byte index.
+  * Return FAIL when conversion is not possible, doesn't check the position for
+  * validity.
+  */
+@@ -5952,6 +5954,7 @@ list2fpos(
+     if (n < 0)
+ 	return FAIL;
+     // If character position is specified, then convert to byte position
+    // If the line number is zero use the cursor line.
+     if (charcol)
+     {
+ 	buf_T	*buf;
+@@ -5961,7 +5964,8 @@ list2fpos(
+ 	if (buf == NULL || buf->b_ml.ml_mfp == NULL)
+ 	    return FAIL;
+ 
+-	n = buf_charidx_to_byteidx(buf, posp->lnum, n) + 1;
+	n = buf_charidx_to_byteidx(buf,
+		  posp->lnum == 0 ? curwin->w_cursor.lnum : posp->lnum, n) + 1;
+     }
+     posp->col = n;
+ 
+diff --git a/src/evalfunc.c b/src/evalfunc.c
+index cb12a46..2703865 100644
+--- a/src/evalfunc.c
+++ b/src/evalfunc.c
+@@ -3484,7 +3484,7 @@ f_copy(typval_T *argvars, typval_T *rettv)
+     static void
+ set_cursorpos(typval_T *argvars, typval_T *rettv, int charcol)
+ {
+-    long	line, col;
+    long	lnum, col;
+     long	coladd = 0;
+     int		set_curswant = TRUE;
+ 
+@@ -3506,7 +3506,7 @@ set_cursorpos(typval_T *argvars, typval_T *rettv, int charcol)
+ 	    emsg(_(e_invalid_argument));
+ 	    return;
+ 	}
+-	line = pos.lnum;
+	lnum = pos.lnum;
+ 	col = pos.col;
+ 	coladd = pos.coladd;
+ 	if (curswant >= 0)
+@@ -3515,17 +3515,19 @@ set_cursorpos(typval_T *argvars, typval_T *rettv, int charcol)
+ 	    set_curswant = FALSE;
+ 	}
+     }
+-    else if ((argvars[0].v_type == VAR_NUMBER ||
+-					argvars[0].v_type == VAR_STRING)
+-	    && (argvars[1].v_type == VAR_NUMBER ||
+-					argvars[1].v_type == VAR_STRING))
+    else if ((argvars[0].v_type == VAR_NUMBER
+					    || argvars[0].v_type == VAR_STRING)
+	    && (argvars[1].v_type == VAR_NUMBER
+					   || argvars[1].v_type == VAR_STRING))
+     {
+-	line = tv_get_lnum(argvars);
+-	if (line < 0)
+	lnum = tv_get_lnum(argvars);
+	if (lnum < 0)
+ 	    semsg(_(e_invalid_argument_str), tv_get_string(&argvars[0]));
+	else if (lnum == 0)
+	    lnum = curwin->w_cursor.lnum;
+ 	col = (long)tv_get_number_chk(&argvars[1], NULL);
+ 	if (charcol)
+-	    col = buf_charidx_to_byteidx(curbuf, line, col) + 1;
+	    col = buf_charidx_to_byteidx(curbuf, lnum, col) + 1;
+ 	if (argvars[2].v_type != VAR_UNKNOWN)
+ 	    coladd = (long)tv_get_number_chk(&argvars[2], NULL);
+     }
+@@ -3534,10 +3536,10 @@ set_cursorpos(typval_T *argvars, typval_T *rettv, int charcol)
+ 	emsg(_(e_invalid_argument));
+ 	return;
+     }
+-    if (line < 0 || col < 0 || coladd < 0)
+    if (lnum < 0 || col < 0 || coladd < 0)
+ 	return;		// type error; errmsg already given
+-    if (line > 0)
+-	curwin->w_cursor.lnum = line;
+    if (lnum > 0)
+	curwin->w_cursor.lnum = lnum;
+     if (col > 0)
+ 	curwin->w_cursor.col = col - 1;
+     curwin->w_cursor.coladd = coladd;
+diff --git a/src/testdir/test_cursor_func.vim b/src/testdir/test_cursor_func.vim
+index d5f0ac7..d2685ed 100644
+--- a/src/testdir/test_cursor_func.vim
+++ b/src/testdir/test_cursor_func.vim
+@@ -399,8 +399,14 @@ func Test_setcursorcharpos()
+   normal G
+   call setcursorcharpos([1, 1])
+   call assert_equal([1, 1], [line('.'), col('.')])
+
+   call setcursorcharpos([2, 7, 0])
+   call assert_equal([2, 9], [line('.'), col('.')])
+  call setcursorcharpos([0, 7, 0])
+  call assert_equal([2, 9], [line('.'), col('.')])
+  call setcursorcharpos(0, 7, 0)
+  call assert_equal([2, 9], [line('.'), col('.')])
+
+   call setcursorcharpos(3, 4)
+   call assert_equal([3, 1], [line('.'), col('.')])
+   call setcursorcharpos([3, 1])
+-- 
+2.33.0
+
--- a/vim.spec
+++ b/vim.spec
@ -12,7 +12,7 @@
 Name:           vim
 Epoch:          2
 Version:        9.0
-Release:        4
+Release:        5
 Summary:        Vim is a highly configurable text editor for efficiently creating and changing any kind of text.
 License:        Vim and MIT
 URL:            http://www.vim.org
@ -78,6 +78,9 @@ Patch6048:      backport-CVE-2022-3491.patch
 Patch6049:      backport-CVE-2022-3520.patch
 Patch6050:      backport-CVE-2022-3591.patch
 Patch6051:      backport-patch-9.0.0790-test-for-dummy-buffer-does-not-always.patch
+Patch6052:      backport-CVE-2022-4292.patch
+Patch6053:      backport-patch-9.0.0712-wrong-column-when-calling-setcursorch-with-zero-lnum.patch
+Patch6054:      backport-CVE-2022-4293.patch

 Patch9000:      bugfix-rm-modify-info-version.patch
 Patch9001:      vim-Add-sw64-architecture.patch
@ -478,6 +481,12 @@ LC_ALL=en_US.UTF-8 make -j1 test
 %{_mandir}/man1/evim.*

 %changelog
+* Thu Dec 08 2022 wangjiang <wangjiang37@h-partners.com> - 2:9.0-5
+- Type:CVE
+- ID:CVE-2022-4292 CVE-2022-4293
+- SUG:NA
+- DESC:fix CVE-2022-4292 CVE-2022-4293
+
 * Tue Dec 06 2022 wangjiang <wangjiang37@h-partners.com> - 2:9.0-4
 - Type:CVE
 - ID:CVE-2022-3491 CVE-2022-3520 CVE-2022-3591