packages/vim
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!354 [sync] PR-353: fix CVE-2022-2923 CVE-2022-2946

Browse Source 
From: @openeuler-sync-bot 
Reviewed-by: @lvying6 
Signed-off-by: @lvying6
This commit is contained in:
openeuler-ci-bot 2022-08-27 01:49:06 +00:00 committed by Gitee
commit 9fa6049d0e
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
3 changed files with 134 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

54
backport-CVE-2022-2923.patch Normal file
View File

@ -0,0 +1,54 @@
From 6669de1b235843968e88844ca6d3c8dec4b01a9e Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Sun, 21 Aug 2022 20:33:47 +0100
Subject: [PATCH] patch 9.0.0240: crash when using ":mkspell" with an
empty
.dic file
Problem: Crash when using ":mkspell" with an empty .dic file.
Solution: Check for an empty word tree.
---
src/spellfile.c | 4 +++-
src/testdir/test_spellfile.vim | 11 +++++++++++
2 files changed, 14 insertions(+), 1 deletion(-)
diff --git a/src/spellfile.c b/src/spellfile.c
index aeeb6ad..08dcc1b 100644
--- a/src/spellfile.c
+++ b/src/spellfile.c
@@ -5561,10 +5561,12 @@ sug_filltree(spellinfo_T *spin, slang_T *slang)
/*
* Go through the whole case-folded tree, soundfold each word and put it
- * in the trie.
+ * in the trie. Bail out if the tree is empty.
*/
byts = slang->sl_fbyts;
idxs = slang->sl_fidxs;
+ if (byts == NULL || idxs == NULL)
+ return FAIL;
arridx[0] = 0;
curi[0] = 1;
diff --git a/src/testdir/test_spellfile.vim b/src/testdir/test_spellfile.vim
index 1382c02..4de7389 100644
--- a/src/testdir/test_spellfile.vim
+++ b/src/testdir/test_spellfile.vim
@@ -176,3 +176,14 @@ func Test_check_for_valid_word()
call assert_fails("spellgood! 0^B\xac", 'E1280:')
endfunc
+" this was using a NULL pointer
+func Test_mkspell_empty_dic()
+ call writefile(['1'], 'XtestEmpty.dic')
+ call writefile(['SOFOFROM abcd', 'SOFOTO ABCD', 'SAL CIA X'], 'XtestEmpty.aff')
+ mkspell! XtestEmpty.spl XtestEmpty
+
+ call delete('XtestEmpty.dic')
+ call delete('XtestEmpty.aff')
+ call delete('XtestEmpty.spl')
+endfunc
+
--
2.27.0

71
backport-CVE-2022-2946.patch Normal file
View File

@ -0,0 +1,71 @@
From adce965162dd89bf29ee0e5baf53652e7515762c Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Mon, 22 Aug 2022 16:35:45 +0100
Subject: [PATCH] patch 9.0.0246: using freed memory when 'tagfunc' deletes the
buffer
Problem: Using freed memory when 'tagfunc' deletes the buffer.
Solution: Make a copy of the tag name.
---
src/tag.c | 9 ++++++++-
src/testdir/test_tagfunc.vim | 12 ++++++++++++
2 files changed, 20 insertions(+), 1 deletion(-)
diff --git a/src/tag.c b/src/tag.c
index c00f5fb..aceb6e4 100644
--- a/src/tag.c
+++ b/src/tag.c
@@ -161,6 +161,7 @@ do_tag(
char_u *buf_ffname = curbuf->b_ffname; // name to use for
// priority computation
int use_tfu = 1;
+ char_u *tofree = NULL;
// remember the matches for the last used tag
static int num_matches = 0;
@@ -510,7 +511,12 @@ do_tag(
* When desired match not found yet, try to find it (and others).
*/
if (use_tagstack)
- name = tagstack[tagstackidx].tagname;
+ {
+ // make a copy, the tagstack may change in 'tagfunc'
+ name = vim_strsave(tagstack[tagstackidx].tagname);
+ vim_free(tofree);
+ tofree = name;
+ }
#if defined(FEAT_QUICKFIX)
else if (g_do_tagpreview != 0)
name = ptag_entry.tagname;
@@ -802,6 +808,7 @@ end_do_tag:
g_do_tagpreview = 0; // don't do tag preview next time
# endif
+ vim_free(tofree);
#ifdef FEAT_CSCOPE
return jumped_to_tag;
#else
diff --git a/src/testdir/test_tagfunc.vim b/src/testdir/test_tagfunc.vim
index 242aa3a..74ad3d1 100644
--- a/src/testdir/test_tagfunc.vim
+++ b/src/testdir/test_tagfunc.vim
@@ -81,4 +81,16 @@ func Test_tagfunc()
call delete('Xfile1')
endfunc
+func Test_tagfunc_wipes_buffer()
+ func g:Tag0unc0(t,f,o)
+ bwipe
+ endfunc
+ set tagfunc=g:Tag0unc0
+ new
+ cal assert_fails('tag 0', 'E426:')
+
+ delfunc g:Tag0unc0
+ set tagfunc=
+endfunc
+
" vim: shiftwidth=2 sts=2 expandtab
--
2.27.0

10
vim.spec
View File

@ -12,7 +12,7 @@
Name: vim Name: vim
Epoch: 2 Epoch: 2
Version: 8.2 Version: 8.2
Release: 59 Release: 60
Summary: Vim is a highly configurable text editor for efficiently creating and changing any kind of text. Summary: Vim is a highly configurable text editor for efficiently creating and changing any kind of text.
License: Vim and MIT License: Vim and MIT
URL: http://www.vim.org URL: http://www.vim.org
@ -164,6 +164,8 @@ Patch6127: backport-CVE-2022-2598.patch
Patch6128: backport-CVE-2022-2571.patch Patch6128: backport-CVE-2022-2571.patch
Patch6129: backport-CVE-2022-1725.patch Patch6129: backport-CVE-2022-1725.patch
Patch6130: backport-CVE-2022-2845.patch Patch6130: backport-CVE-2022-2845.patch
Patch6131: backport-CVE-2022-2923.patch
Patch6132: backport-CVE-2022-2946.patch
Patch9000: bugfix-rm-modify-info-version.patch Patch9000: bugfix-rm-modify-info-version.patch
@ -552,6 +554,12 @@ popd
%{_mandir}/man1/evim.* %{_mandir}/man1/evim.*
%changelog %changelog
* Mon Aug 22 2022 shixuantong <shixuantong@h-partners.com> - 2:8.2-60
- Type:CVE
- ID:CVE-2022-2923 CVE-2022-2946
- SUG:NA
- DESC:fix CVE-2022-2923 CVE-2022-2946
* Fri Aug 19 2022 shixuantong <shixuantong@h-partners.com> - 2:8.2-59 * Fri Aug 19 2022 shixuantong <shixuantong@h-partners.com> - 2:8.2-59
- Type:CVE - Type:CVE
- ID:CVE-2022-2845 - ID:CVE-2022-2845