fix CVE-2022-2923 CVE-2022-2946

(cherry picked from commit 7836ddcb362df79773677ccbf8c1d0854f40a295)
2022-08-22 14:24:43 +08:00 · 2022-08-22 14:24:43 +08:00 · 803e4a6182
commit 803e4a6182
parent 4961ba6d55
3 changed files with 134 additions and 1 deletions
--- a/backport-CVE-2022-2923.patch
+++ b/backport-CVE-2022-2923.patch
@ -0,0 +1,54 @@
+From 6669de1b235843968e88844ca6d3c8dec4b01a9e Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Sun, 21 Aug 2022 20:33:47 +0100
+Subject: [PATCH] patch 9.0.0240: crash when using ":mkspell" with an
+empty
+ .dic file
+
+Problem:    Crash when using ":mkspell" with an empty .dic file.
+Solution:   Check for an empty word tree.
+---
+ src/spellfile.c                |  4 +++-
+ src/testdir/test_spellfile.vim | 11 +++++++++++
+ 2 files changed, 14 insertions(+), 1 deletion(-)
+
+diff --git a/src/spellfile.c b/src/spellfile.c
+index aeeb6ad..08dcc1b 100644
+--- a/src/spellfile.c
+++ b/src/spellfile.c
+@@ -5561,10 +5561,12 @@ sug_filltree(spellinfo_T *spin, slang_T *slang)
+ 
+     /*
+      * Go through the whole case-folded tree, soundfold each word and put it
+-     * in the trie.
+     * in the trie.  Bail out if the tree is empty.
+      */
+     byts = slang->sl_fbyts;
+     idxs = slang->sl_fidxs;
+    if (byts == NULL || idxs == NULL)
+	return FAIL;
+ 
+     arridx[0] = 0;
+     curi[0] = 1;
+diff --git a/src/testdir/test_spellfile.vim b/src/testdir/test_spellfile.vim
+index 1382c02..4de7389 100644
+--- a/src/testdir/test_spellfile.vim
+++ b/src/testdir/test_spellfile.vim
+@@ -176,3 +176,14 @@ func Test_check_for_valid_word()
+   call assert_fails("spellgood! 0^B\xac", 'E1280:')
+ endfunc
+ 
+" this was using a NULL pointer
+func Test_mkspell_empty_dic()
+  call writefile(['1'], 'XtestEmpty.dic')
+  call writefile(['SOFOFROM abcd', 'SOFOTO ABCD', 'SAL CIA X'], 'XtestEmpty.aff')
+  mkspell! XtestEmpty.spl XtestEmpty
+
+  call delete('XtestEmpty.dic')
+  call delete('XtestEmpty.aff')
+  call delete('XtestEmpty.spl')
+endfunc
+
+-- 
+2.27.0
+
--- a/backport-CVE-2022-2946.patch
+++ b/backport-CVE-2022-2946.patch
@ -0,0 +1,71 @@
+From adce965162dd89bf29ee0e5baf53652e7515762c Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Mon, 22 Aug 2022 16:35:45 +0100
+Subject: [PATCH] patch 9.0.0246: using freed memory when 'tagfunc' deletes the
+ buffer
+
+Problem:    Using freed memory when 'tagfunc' deletes the buffer.
+Solution:   Make a copy of the tag name.
+---
+ src/tag.c                    |  9 ++++++++-
+ src/testdir/test_tagfunc.vim | 12 ++++++++++++
+ 2 files changed, 20 insertions(+), 1 deletion(-)
+
+diff --git a/src/tag.c b/src/tag.c
+index c00f5fb..aceb6e4 100644
+--- a/src/tag.c
+++ b/src/tag.c
+@@ -161,6 +161,7 @@ do_tag(
+     char_u	*buf_ffname = curbuf->b_ffname;	    // name to use for
+ 						    // priority computation
+     int         use_tfu = 1;
+    char_u      *tofree = NULL;
+ 
+     // remember the matches for the last used tag
+     static int		num_matches = 0;
+@@ -510,7 +511,12 @@ do_tag(
+ 	 * When desired match not found yet, try to find it (and others).
+ 	 */
+ 	if (use_tagstack)
+-	    name = tagstack[tagstackidx].tagname;
+	{
+	    // make a copy, the tagstack may change in 'tagfunc'
+	    name = vim_strsave(tagstack[tagstackidx].tagname);
+	    vim_free(tofree);
+	    tofree = name;
+	}
+ #if defined(FEAT_QUICKFIX)
+ 	else if (g_do_tagpreview != 0)
+ 	    name = ptag_entry.tagname;
+@@ -802,6 +808,7 @@ end_do_tag:
+     g_do_tagpreview = 0;	// don't do tag preview next time
+ # endif
+ 
+    vim_free(tofree);
+ #ifdef FEAT_CSCOPE
+     return jumped_to_tag;
+ #else
+diff --git a/src/testdir/test_tagfunc.vim b/src/testdir/test_tagfunc.vim
+index 242aa3a..74ad3d1 100644
+--- a/src/testdir/test_tagfunc.vim
+++ b/src/testdir/test_tagfunc.vim
+@@ -81,4 +81,16 @@ func Test_tagfunc()
+   call delete('Xfile1')
+ endfunc
+ 
+func Test_tagfunc_wipes_buffer()
+  func g:Tag0unc0(t,f,o)
+   bwipe
+  endfunc
+  set tagfunc=g:Tag0unc0
+  new
+  cal assert_fails('tag 0', 'E426:')
+
+  delfunc g:Tag0unc0
+  set tagfunc=
+endfunc
+
+ " vim: shiftwidth=2 sts=2 expandtab
+-- 
+2.27.0
+
--- a/vim.spec
+++ b/vim.spec
@ -12,7 +12,7 @@
 Name:           vim
 Epoch:          2
 Version:        8.2
-Release:        59
+Release:        60
 Summary:        Vim is a highly configurable text editor for efficiently creating and changing any kind of text.
 License:        Vim and MIT
 URL:            http://www.vim.org
@ -164,6 +164,8 @@ Patch6127:      backport-CVE-2022-2598.patch
 Patch6128:      backport-CVE-2022-2571.patch
 Patch6129:      backport-CVE-2022-1725.patch
 Patch6130:      backport-CVE-2022-2845.patch 
+Patch6131:      backport-CVE-2022-2923.patch
+Patch6132:      backport-CVE-2022-2946.patch

 Patch9000:      bugfix-rm-modify-info-version.patch

@ -552,6 +554,12 @@ popd
 %{_mandir}/man1/evim.*

 %changelog
+* Mon Aug 22 2022 shixuantong <shixuantong@h-partners.com> - 2:8.2-60
+- Type:CVE
+- ID:CVE-2022-2923 CVE-2022-2946
+- SUG:NA
+- DESC:fix CVE-2022-2923 CVE-2022-2946
+
 * Fri Aug 19 2022 shixuantong <shixuantong@h-partners.com> - 2:8.2-59
 - Type:CVE
 - ID:CVE-2022-2845