fix CVE-2021-3973 CVE-2021-3974

Signed-off-by: ExtinctFire <shenyining_00@126.com> (cherry picked from commit 20e53e3a69bad745d01299378ff5fdac9b08aa22)
2021-12-01 11:02:42 +08:00 · 2021-12-01 11:02:42 +08:00 · a1622b8443
commit a1622b8443
parent 234c505506
5 changed files with 269 additions and 9 deletions
--- a/backport-CVE-2021-3973.patch
+++ b/backport-CVE-2021-3973.patch
@ -0,0 +1,79 @@
+From 615ddd5342b50a6878a907062aa471740bd9a847 Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Wed, 17 Nov 2021 18:00:31 +0000
+Subject: [PATCH] patch 8.2.3611: crash when using CTRL-W f without finding a
+ file name
+
+Problem:    Crash when using CTRL-W f without finding a file name.
+Solution:   Bail out when the file name length is zero.
+
+Reference:https://github.com/vim/vim/commit/615ddd5342b50a6878a907062aa471740bd9a847
+---
+ src/findfile.c              | 8 ++++++++
+ src/normal.c                | 6 ++++--
+ src/testdir/test_visual.vim | 8 ++++++++
+ 3 files changed, 20 insertions(+), 2 deletions(-)
+
+diff --git a/src/findfile.c b/src/findfile.c
+index ba996c4..7a4dfe5 100644
+--- a/src/findfile.c
+++ b/src/findfile.c
+@@ -1727,6 +1727,9 @@ find_file_in_path_option(
+     proc->pr_WindowPtr = (APTR)-1L;
+ # endif
+ 
+    if (len == 0)
+	return NULL;
+
+     if (first == TRUE)
+     {
+ 	// copy file name into NameBuff, expanding environment variables
+@@ -2103,7 +2106,12 @@ find_file_name_in_path(
+     int		c;
+ # if defined(FEAT_FIND_ID) && defined(FEAT_EVAL)
+     char_u	*tofree = NULL;
+# endif
+ 
+    if (len == 0)
+	return NULL;
+
+# if defined(FEAT_FIND_ID) && defined(FEAT_EVAL)
+     if ((options & FNAME_INCL) && *curbuf->b_p_inex != NUL)
+     {
+ 	tofree = eval_includeexpr(ptr, len);
+diff --git a/src/normal.c b/src/normal.c
+index d6333b9..e9e587d 100644
+--- a/src/normal.c
+++ b/src/normal.c
+@@ -3778,8 +3778,10 @@ get_visual_text(
+ 	    *pp = ml_get_pos(&VIsual);
+ 	    *lenp = curwin->w_cursor.col - VIsual.col + 1;
+ 	}
+-	if (has_mbyte)
+-	    // Correct the length to include the whole last character.
+	if (**pp == NUL)
+	    *lenp = 0;
+	if (has_mbyte && *lenp > 0)
+	    // Correct the length to include all bytes of the last character.
+ 	    *lenp += (*mb_ptr2len)(*pp + (*lenp - 1)) - 1;
+     }
+     reset_VIsual_and_resel();
+diff --git a/src/testdir/test_visual.vim b/src/testdir/test_visual.vim
+index ae28123..0705fdb 100644
+--- a/src/testdir/test_visual.vim
+++ b/src/testdir/test_visual.vim
+@@ -894,4 +894,12 @@ func Test_block_insert_replace_tabs()
+   bwipe!
+ endfunc
+ 
+func Test_visual_block_ctrl_w_f()
+  " Emtpy block selected in new buffer should not result in an error.
+  au! BufNew foo sil norm f
+  edit foo
+
+  au! BufNew
+endfunc
+
+ " vim: shiftwidth=2 sts=2 expandtab
+-- 
+2.23.0
--- a/backport-CVE-2021-3974.patch
+++ b/backport-CVE-2021-3974.patch
@ -0,0 +1,67 @@
+From 64066b9acd9f8cffdf4840f797748f938a13f2d6 Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Wed, 17 Nov 2021 18:22:56 +0000
+Subject: [PATCH] patch 8.2.3612: using freed memory with regexp using a mark
+
+Problem:    Using freed memory with regexp using a mark.
+Solution:   Get the line again after getting the mark position.
+
+Reference:https://github.com/vim/vim/commit/64066b9acd9f8cffdf4840f797748f938a13f2d6
+---
+ src/regexp.c                      | 2 +-
+ src/regexp_nfa.c                  | 8 ++++++++
+ src/testdir/test_regexp_latin.vim | 8 ++++++++
+ 3 files changed, 17 insertions(+), 1 deletion(-)
+
+diff --git a/src/regexp.c b/src/regexp.c
+index 112f753..2e94e5a 100644
+--- a/src/regexp.c
+++ b/src/regexp.c
+@@ -1092,7 +1092,7 @@ typedef struct {
+     // The current match-position is stord in these variables:
+     linenr_T	lnum;		// line number, relative to first line
+     char_u	*line;		// start of current line
+-    char_u	*input;		// current input, points into "regline"
+    char_u	*input;		// current input, points into "line"
+ 
+     int	need_clear_subexpr;	// subexpressions still need to be cleared
+ #ifdef FEAT_SYN_HL
+diff --git a/src/regexp_nfa.c b/src/regexp_nfa.c
+index bc4a4b6..433523e 100644
+--- a/src/regexp_nfa.c
+++ b/src/regexp_nfa.c
+@@ -6623,8 +6623,16 @@ nfa_regmatch(
+ 	    case NFA_MARK_GT:
+ 	    case NFA_MARK_LT:
+ 	      {
+                size_t	col = rex.input - rex.line;
+ 		pos_T	*pos = getmark_buf(rex.reg_buf, t->state->val, FALSE);
+ 
+		// Line may have been freed, get it again.
+		if (REG_MULTI)
+		{
+		    rex.line = reg_getline(rex.lnum);
+		    rex.input = rex.line + col;
+		}
+
+ 		// Compare the mark position to the match position.
+ 		result = (pos != NULL		     // mark doesn't exist
+ 			&& pos->lnum > 0    // mark isn't set in reg_buf
+diff --git a/src/testdir/test_regexp_latin.vim b/src/testdir/test_regexp_latin.vim
+index 7a4d98f..3168edc 100644
+--- a/src/testdir/test_regexp_latin.vim
+++ b/src/testdir/test_regexp_latin.vim
+@@ -141,3 +141,11 @@ func Test_pattern_compile_speed()
+   call assert_inrange(0.01, 10.0, reltimefloat(reltime(start)))
+   set spc=
+ endfunc
+
+func Test_using_mark_position()
+  " this was using freed memory
+  new
+  norm O0
+  call assert_fails("s/\\%')", 'E486:')
+  bwipe!
+endfunc
+-- 
+2.23.0
--- a/backport-find-test-fails.patch
+++ b/backport-find-test-fails.patch
@ -0,0 +1,34 @@
+From e015d99abb4276f47ce97bad1ad5ff0c658b1c8a Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Wed, 17 Nov 2021 19:01:53 +0000
+Subject: [PATCH] patch 8.2.3613: :find test fails
+
+Problem:    :find test fails.
+Solution:   Put length check inside if block.
+
+Reference:https://github.com/vim/vim/commit/e015d99abb4276f47ce97bad1ad5ff0c658b1c8a
+---
+ src/findfile.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/src/findfile.c b/src/findfile.c
+index 7a4dfe5..b9a0e47 100644
+--- a/src/findfile.c
+++ b/src/findfile.c
+@@ -1727,11 +1727,11 @@ find_file_in_path_option(
+     proc->pr_WindowPtr = (APTR)-1L;
+ # endif
+ 
+-    if (len == 0)
+-	return NULL;
+-
+     if (first == TRUE)
+     {
+	if (len == 0)
+	    return NULL;
+
+ 	// copy file name into NameBuff, expanding environment variables
+ 	save_char = ptr[len];
+ 	ptr[len] = NUL;
+-- 
+2.23.0
--- a/backport-no-early-check-if-find-and-sfind-have-an-argument.patch
+++ b/backport-no-early-check-if-find-and-sfind-have-an-argument.patch
@ -0,0 +1,70 @@
+From 2d10cd478047df8ba144d4b0fcc46480993af57f Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Thu, 19 Mar 2020 14:37:30 +0100
+Subject: [PATCH] patch 8.2.0407: no early check if :find and :sfind have an
+ argument
+
+Problem:    No early check if :find and :sfind have an argument.
+Solution:   Add EX_NEEDARG.
+
+Reference:https://github.com/vim/vim/commit/2d10cd478047df8ba144d4b0fcc46480993af57f
+---
+ src/ex_cmds.h                      | 4 ++--
+ src/testdir/test_find_complete.vim | 8 ++++----
+ 2 files changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/src/ex_cmds.h b/src/ex_cmds.h
+index 983378c..28ea6ee 100644
+--- a/src/ex_cmds.h
+++ b/src/ex_cmds.h
+@@ -572,7 +572,7 @@ EXCMD(CMD_filter,	"filter",	ex_wrongmodifier,
+ 	EX_BANG|EX_NEEDARG|EX_EXTRA|EX_NOTRLCOM,
+ 	ADDR_NONE),
+ EXCMD(CMD_find,		"find",		ex_find,
+-	EX_RANGE|EX_BANG|EX_FILE1|EX_CMDARG|EX_ARGOPT|EX_TRLBAR,
+	EX_RANGE|EX_BANG|EX_FILE1|EX_CMDARG|EX_ARGOPT|EX_TRLBAR|EX_NEEDARG,
+ 	ADDR_OTHER),
+ EXCMD(CMD_finally,	"finally",	ex_finally,
+ 	EX_TRLBAR|EX_SBOXOK|EX_CMDWIN,
+@@ -1319,7 +1319,7 @@ EXCMD(CMD_setlocal,	"setlocal",	ex_set,
+ 	EX_TRLBAR|EX_EXTRA|EX_CMDWIN|EX_SBOXOK,
+ 	ADDR_NONE),
+ EXCMD(CMD_sfind,	"sfind",	ex_splitview,
+-	EX_BANG|EX_FILE1|EX_RANGE|EX_CMDARG|EX_ARGOPT|EX_TRLBAR,
+	EX_BANG|EX_FILE1|EX_RANGE|EX_CMDARG|EX_ARGOPT|EX_TRLBAR|EX_NEEDARG,
+ 	ADDR_OTHER),
+ EXCMD(CMD_sfirst,	"sfirst",	ex_rewind,
+ 	EX_EXTRA|EX_BANG|EX_CMDARG|EX_ARGOPT|EX_TRLBAR,
+diff --git a/src/testdir/test_find_complete.vim b/src/testdir/test_find_complete.vim
+index 679bf3c..32ca967 100644
+--- a/src/testdir/test_find_complete.vim
+++ b/src/testdir/test_find_complete.vim
+@@ -15,22 +15,22 @@ func Test_find_complete()
+ 
+   new
+   set path=
+-  call assert_fails('call feedkeys(":find\t\n", "xt")', 'E345:')
+  call assert_fails('call feedkeys(":find \t\n", "xt")', 'E471:')
+   close
+ 
+   new
+   set path=.
+-  call assert_fails('call feedkeys(":find\t\n", "xt")', 'E32:')
+  call assert_fails('call feedkeys(":find \t\n", "xt")', 'E471:')
+   close
+ 
+   new
+   set path=.,,
+-  call assert_fails('call feedkeys(":find\t\n", "xt")', 'E32:')
+  call assert_fails('call feedkeys(":find \t\n", "xt")', 'E471:')
+   close
+ 
+   new
+   set path=./**
+-  call assert_fails('call feedkeys(":find\t\n", "xt")', 'E32:')
+  call assert_fails('call feedkeys(":find \t\n", "xt")', 'E471:')
+   close
+ 
+   " We shouldn't find any file till this point
+-- 
+2.23.0
--- a/vim.spec
+++ b/vim.spec
@ -12,7 +12,7 @@
 Name:           vim
 Epoch:          2
 Version:        8.2
-Release:        14
+Release:        15
 Summary:        Vim is a highly configurable text editor for efficiently creating and changing any kind of text.
 License:        Vim and MIT
 URL:            http://www.vim.org
@ -45,6 +45,10 @@ Patch6007:      backport-CVE-2021-3875.patch
 Patch6008:      backport-CVE-2021-3903.patch
 Patch6009:      backport-CVE-2021-3927.patch
 Patch6010:      backport-CVE-2021-3928.patch
+Patch6011:      backport-CVE-2021-3973.patch
+Patch6012:      backport-CVE-2021-3974.patch
+Patch6013:      backport-find-test-fails.patch
+Patch6014:      backport-no-early-check-if-find-and-sfind-have-an-argument.patch

 Patch9000:      bugfix-rm-modify-info-version.patch

@ -433,49 +437,55 @@ popd
 %{_mandir}/man1/evim.*

 %changelog
-* Sat Nov 13 2021 shixuantong<shixuantong@huawei> - 2:8.2-14
+* Wed Dec 01 2021 ExtinctFire<shenyining_00@126.com> - 2:8.2-15
+- Type:CVE
+- ID:CVE-2021-3973 CVE-2021-3974
+- SUG:NA
+- DESC:fix CVE-2021-3973 CVE-2021-3974
+
+* Sat Nov 13 2021 shixuantong<shixuantong@huawei.com> - 2:8.2-14
 - Type:CVE
 - ID:CVE-2021-3927 CVE-2021-3927
 - SUG:NA
 - DESC:fix CVE-2021-3927 CVE-2021-3928

-* Sat Oct 30 2021 shixuantong<shixuantong@huawei> - 2:8.2-13
+* Sat Oct 30 2021 shixuantong<shixuantong@huawei.com> - 2:8.2-13
 - Type:CVE
 - ID:CVE-2021-3903
 - SUG:NA
 - DESC:fix CVE-2021-3903

-* Sat Oct 23 2021 shixuantong<shixuantong@huawei> - 2:8.2-12
+* Sat Oct 23 2021 shixuantong<shixuantong@huawei.com> - 2:8.2-12
 - Type:CVE
 - ID:CVE-2021-3872 CVE-2021-3875
 - SUG:NA
 - DESC:fix CVE-2021-3872 CVE-2021-3875

-* Sun Sep 26 2021 shixuantong<shixuantong@huawei> - 2:8.2-11
+* Sun Sep 26 2021 shixuantong<shixuantong@huawei.com> - 2:8.2-11
 - Type:CVE
 - ID:CVE-2021-3778 CVE-2021-3796
 - SUG:NA
 - DESC:fix CVE-2021-3778 CVE-2021-3796

-* Sat Sep 11 2021 shixuantong<shixuantong@huawei> - 2:8.2-10
+* Sat Sep 11 2021 shixuantong<shixuantong@huawei.com> - 2:8.2-10
 - Type:CVE
 - ID:NA
 - SUG:NA
 - DESC:fix CVE-2021-3770

-* Tue Aug 10 2021 shixuantong<shixuantong@huawei> - 2:8.2-9
+* Tue Aug 10 2021 shixuantong<shixuantong@huawei.com> - 2:8.2-9
 - Type:bugfix
 - ID:NA
 - SUG:NA
 - DESC:fix signal stack size is wrong with latest glibc 2.34

-* Sat Aug 07 2021 shixuantong<shixuantong@huawei> - 2:8.2-8
+* Sat Aug 07 2021 shixuantong<shixuantong@huawei.com> - 2:8.2-8
 - Type:bugfix
 - ID:NA
 - SUG:NA
 - DESC:fix configure does not recognize gcc 10.0 and later

-* Sat Jun 12 2021 shixuantong<shixuantong@huawei> - 2:8.2-7
+* Sat Jun 12 2021 shixuantong<shixuantong@huawei.com> - 2:8.2-7
 - Type:bugfix
 - ID:NA
 - SUG:NA