!264 [sync] PR-248: fix CVE-2022-1771

From: @openeuler-sync-bot Reviewed-by: @lvying6 Signed-off-by: @lvying6
2022-06-30 07:08:30 +00:00 · 2022-06-30 07:08:30 +00:00 · 854f0e0921
commit 854f0e0921
parent 196903b05c 1ef12cbdf9
2 changed files with 104 additions and 1 deletions
--- a/backport-CVE-2022-1771.patch
+++ b/backport-CVE-2022-1771.patch
@ -0,0 +1,96 @@
+From 51f0bfb88a3554ca2dde777d78a59880d1ee37a8 Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Tue, 17 May 2022 20:11:02 +0100
+Subject: [PATCH] patch 8.2.4975: recursive command line loop may cause a crash
+ 
+Problem:    Recursive command line loop may cause a crash.
+Solution:   Limit recursion of getcmdline().
+ 
+Reference:https://github.com/vim/vim/commit/51f0bfb88a3554ca2dde777d78a59880d1ee37a8
+Conflict:(1)The src/version.c file is not modified
+(2)add e_command_too_recursive in src/globals.h
+---
+ src/ex_getln.c               | 12 ++++++++++++
+ src/globals.h                |  3 +++
+ src/testdir/test_cmdline.vim | 11 +++++++++++
+ 3 files changed, 26 insertions(+)
+
+diff --git a/src/ex_getln.c b/src/ex_getln.c
+index 7571ae2..aa01f80 100644
+--- a/src/ex_getln.c
+++ b/src/ex_getln.c
+@@ -791,6 +791,7 @@ getcmdline_int(
+     int		indent,		// indent for inside conditionals
+     int		init_ccline)	// clear ccline first
+ {
+    static int	depth = 0;	    // call depth
+     int		c;
+     int		i;
+     int		j;
+@@ -820,6 +821,9 @@ getcmdline_int(
+     int		did_save_ccline = FALSE;
+     int		cmdline_type;
+ 
+    // one recursion level deeper
+    ++depth;
+
+     if (ccline.cmdbuff != NULL)
+     {
+ 	// Being called recursively.  Since ccline is global, we need to save
+@@ -873,6 +877,13 @@ getcmdline_int(
+ 	ccline.cmdlen = indent;
+     }
+ 
+    if (depth == 50)
+    {
+	// Somehow got into a loop recursively calling getcmdline(), bail out.
+	emsg(_(e_command_too_recursive));
+	goto theend;
+    }
+
+     ExpandInit(&xpc);
+     ccline.xpc = &xpc;
+ 
+@@ -2425,6 +2436,7 @@ theend:
+     {
+ 	char_u *p = ccline.cmdbuff;
+ 
+	--depth;
+ 	if (did_save_ccline)
+ 	    restore_cmdline(&save_ccline);
+ 	else
+diff --git a/src/globals.h b/src/globals.h
+index 54f68b3..01ebbb8 100644
+--- a/src/globals.h
+++ b/src/globals.h
+@@ -1755,3 +1755,6 @@ EXTERN int did_repeated_msg INIT(= 0);
+ EXTERN char e_illegal_character_in_word[]
+        INIT(= N_("E1280: Illegal character in word"));
+ #endif
+
+EXTERN char e_command_too_recursive[]
+	INIT(= N_("E169: Command too recursive"));
+diff --git a/src/testdir/test_cmdline.vim b/src/testdir/test_cmdline.vim
+index c55ee0b..4665c75 100644
+--- a/src/testdir/test_cmdline.vim
+++ b/src/testdir/test_cmdline.vim
+@@ -913,5 +913,16 @@ func Test_zero_line_search()
+   q!
+ endfunc
+ 
+func Test_recursive_register()
+  let @= = ''
+  silent! ?e/
+  let caught = 'no'
+  try
+    normal // 
+  catch /E169:/
+    let caught = 'yes'
+  endtry
+  call assert_equal('yes', caught)
+endfunc
+ 
+ " vim: shiftwidth=2 sts=2 expandtab
+-- 
+2.27.0
+
--- a/vim.spec
+++ b/vim.spec
@ -12,7 +12,7 @@
 Name:           vim
 Epoch:          2
 Version:        8.2
-Release:        42
+Release:        43
 Summary:        Vim is a highly configurable text editor for efficiently creating and changing any kind of text.
 License:        Vim and MIT
 URL:            http://www.vim.org
@ -121,6 +121,7 @@ Patch6084:      backport-CVE-2022-1942.patch
 Patch6085:      backport-fix-test-failed.patch
 Patch6086:      backport-CVE-2022-1897.patch
 Patch6087:      backport-CVE-2022-1968.patch
+Patch6088:      backport-CVE-2022-1771.patch

 Patch9000:      bugfix-rm-modify-info-version.patch

@ -509,6 +510,12 @@ popd
 %{_mandir}/man1/evim.*

 %changelog
+* Tue Jun 21 2022 dongyuzhen <dongyuzhen@h-partners.com> - 2:8.2-43
+- Type:CVE
+- ID:CVE-2022-1771
+- SUG:NA
+- DESC:fix CVE-2022-1771
+
 * Sat Jun 18 2022 shixuantong <shixuantong@h-partners.com> - 2:8.2-42
 - Type:CVE
 - ID:CVE-2022-1897 CVE-2022-1968