fix CVE-2022-2125,CVE-2022-2206

(cherry picked from commit c5521ca91dc920b634ca8e780a02627fd5f31520)
2022-07-05 09:24:29 +08:00 · 2022-07-05 09:24:29 +08:00 · b30deda29f
commit b30deda29f
parent 80bebd4d42
5 changed files with 396 additions and 1 deletions
--- a/backport-CVE-2022-2125.patch
+++ b/backport-CVE-2022-2125.patch
@ -0,0 +1,48 @@
+From 0e8e938d497260dd57be67b4966cb27a5f72376f Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Sat, 18 Jun 2022 12:51:11 +0100
+Subject: [PATCH] patch 8.2.5122: lisp indenting my run over the end of the
+ line
+
+Problem:    Lisp indenting my run over the end of the line.
+Solution:   Check for NUL earlier.
+---
+ src/indent.c                |  2 ++
+ src/testdir/test_indent.vim | 10 ++++++++++
+ 2 files changed, 12 insertions(+)
+
+diff --git a/src/indent.c b/src/indent.c
+index 4677d29..2d07e2e 100644
+--- a/src/indent.c
+++ b/src/indent.c
+@@ -1920,6 +1920,8 @@ get_lisp_indent(void)
+ 			    }
+ 			}
+ 		    }
+		    if (*that == NUL)
+			break;
+ 		}
+ 		if (*that == '(' || *that == '[')
+ 		    ++parencount;
+diff --git a/src/testdir/test_indent.vim b/src/testdir/test_indent.vim
+index 91e801a..f3b8b6b 100644
+--- a/src/testdir/test_indent.vim
+++ b/src/testdir/test_indent.vim
+@@ -98,4 +98,14 @@ func Test_copyindent()
+   close!
+ endfunc
+ 
+func Test_lisp_indent_quoted()
+  " This was going past the end of the line
+  new
+  setlocal lisp autoindent
+  call setline(1, ['"[', '='])
+  normal Gvk=
+
+  bwipe!
+endfunc
+
+ " vim: shiftwidth=2 sts=2 expandtab
+-- 
+1.8.3.1
+
--- a/backport-CVE-2022-2206.patch
+++ b/backport-CVE-2022-2206.patch
@ -0,0 +1,32 @@
+From e178af5a586ea023622d460779fdcabbbfac0908 Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Sat, 25 Jun 2022 19:54:09 +0100
+Subject: [PATCH] patch 8.2.5160: accessing invalid memory after changing
+ terminal size
+
+Problem:    Accessing invalid memory after changing terminal size.
+Solution:   Adjust cmdline_row and msg_row to the value of Rows.
+---
+ src/term.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/term.c b/src/term.c
+index 77cfa7d..307e3bf 100644
+--- a/src/term.c
+++ b/src/term.c
+@@ -3223,6 +3223,12 @@ check_shellsize(void)
+     if (Rows < min_rows())	// need room for one window and command line
+ 	Rows = min_rows();
+     limit_screen_size();
+
+    // make sure these values are not invalid
+    if (cmdline_row >= Rows)
+	cmdline_row = Rows - 1;
+    if (msg_row >= Rows)
+	msg_row = Rows - 1;
+ }
+ 
+ /*
+-- 
+1.8.3.1
+
--- a/backport-patch-8.2.0358-insufficient-testing-for-indent.c.patch
+++ b/backport-patch-8.2.0358-insufficient-testing-for-indent.c.patch
@ -0,0 +1,275 @@
+From bd7206e02c957f0619e68e1628e2a3e91dd41e06 Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Fri, 6 Mar 2020 20:36:04 +0100
+Subject: [PATCH] patch 8.2.0358: insufficient testing for indent.c
+
+Problem:    Insufficient testing for indent.c.
+Solution:   Add indent tests. (Yegappan Lakshmanan, closes #5736)
+---
+ src/testdir/Make_all.mak         |   2 +
+ src/testdir/test_expand_func.vim |  14 ++++++
+ src/testdir/test_indent.vim      | 101 +++++++++++++++++++++++++++++++++++++++
+ src/testdir/test_lispwords.vim   |   3 ++
+ src/testdir/test_smartindent.vim |  23 +++++++++
+ src/testdir/test_vartabs.vim     |  39 +++++++++++++++
+ 6 files changed, 182 insertions(+)
+ create mode 100644 src/testdir/test_indent.vim
+
+diff --git a/src/testdir/Make_all.mak b/src/testdir/Make_all.mak
+index 2a3c4ab..4ecb606 100644
+--- a/src/testdir/Make_all.mak
+++ b/src/testdir/Make_all.mak
+@@ -150,6 +150,7 @@ NEW_TESTS = \
+ 	test_iminsert \
+ 	test_increment \
+ 	test_increment_dbcs \
+	test_indent \
+ 	test_ins_complete \
+ 	test_interrupt \
+ 	test_job_fails \
+@@ -361,6 +362,7 @@ NEW_TESTS_RES = \
+ 	test_iminsert.res \
+ 	test_increment.res \
+ 	test_increment_dbcs.res \
+	test_indent.res \
+ 	test_ins_complete.res \
+ 	test_interrupt.res \
+ 	test_job_fails.res \
+diff --git a/src/testdir/test_expand_func.vim b/src/testdir/test_expand_func.vim
+index f9c5b5f..c408dea 100644
+--- a/src/testdir/test_expand_func.vim
+++ b/src/testdir/test_expand_func.vim
+@@ -73,3 +73,17 @@ func Test_expand()
+   " Don't add any line above this, otherwise <slnum> will change.
+   quit
+ endfunc
+
+" Test for 'wildignore' with expand()
+func Test_expand_wildignore()
+  set wildignore=*.vim
+  call assert_equal('', expand('test_expand_func.vim'))
+  call assert_equal('', expand('test_expand_func.vim', 0))
+  call assert_equal([], expand('test_expand_func.vim', 0, 1))
+  call assert_equal('test_expand_func.vim', expand('test_expand_func.vim', 1))
+  call assert_equal(['test_expand_func.vim'],
+        \ expand('test_expand_func.vim', 1, 1))
+  set wildignore&
+endfunc
+
+" vim: shiftwidth=2 sts=2 expandtab
+diff --git a/src/testdir/test_indent.vim b/src/testdir/test_indent.vim
+new file mode 100644
+index 0000000..91e801a
+--- /dev/null
+++ b/src/testdir/test_indent.vim
+@@ -0,0 +1,101 @@
+" Test for various indent options
+
+func Test_preserveindent()
+  new
+  " Test for autoindent copying indent from the previous line
+  setlocal autoindent
+  call setline(1, [repeat(' ', 16) .. 'line1'])
+  call feedkeys("A\nline2", 'xt')
+  call assert_equal("\t\tline2", getline(2))
+  setlocal autoindent&
+
+  " Test for using CTRL-T with and without 'preserveindent'
+  set shiftwidth=4
+  call cursor(1, 1)
+  call setline(1, "    \t    ")
+  call feedkeys("Al\<C-T>", 'xt')
+  call assert_equal("\t\tl", getline(1))
+  set preserveindent
+  call setline(1, "    \t    ")
+  call feedkeys("Al\<C-T>", 'xt')
+  call assert_equal("    \t    \tl", getline(1))
+  set pi& sw&
+
+  " Test for using CTRL-T with 'expandtab' and 'preserveindent'
+  call cursor(1, 1)
+  call setline(1, "\t    \t")
+  set shiftwidth=4 expandtab preserveindent
+  call feedkeys("Al\<C-T>", 'xt')
+  call assert_equal("\t    \t    l", getline(1))
+  set sw& et& pi&
+
+  close!
+endfunc
+
+" Test for indent()
+func Test_indent_func()
+  call assert_equal(-1, indent(-1))
+  new
+  call setline(1, "\tabc")
+  call assert_equal(8, indent(1))
+  call setline(1, "    abc")
+  call assert_equal(4, indent(1))
+  call setline(1, "    \t    abc")
+  call assert_equal(12, indent(1))
+  close!
+endfunc
+
+" Test for reindenting a line using the '=' operator
+func Test_reindent()
+  new
+  call setline(1, 'abc')
+  set nomodifiable
+  call assert_fails('normal ==', 'E21:')
+  set modifiable
+
+  call setline(1, ['foo', 'bar'])
+  call feedkeys('ggVG=', 'xt')
+  call assert_equal(['foo', 'bar'], getline(1, 2))
+  close!
+endfunc
+
+" Test for shifting a line with a preprocessor directive ('#')
+func Test_preproc_indent()
+  new
+  set sw=4
+  call setline(1, '#define FOO 1')
+  normal >>
+  call assert_equal('    #define FOO 1', getline(1))
+
+  " with 'smartindent'
+  call setline(1, '#define FOO 1')
+  set smartindent
+  normal >>
+  call assert_equal('#define FOO 1', getline(1))
+  set smartindent&
+
+  " with 'cindent'
+  set cindent
+  normal >>
+  call assert_equal('#define FOO 1', getline(1))
+  set cindent&
+
+  close!
+endfunc
+
+" Test for 'copyindent'
+func Test_copyindent()
+  new
+  set shiftwidth=4 autoindent expandtab copyindent
+  call setline(1, "    \t    abc")
+  call feedkeys("ol", 'xt')
+  call assert_equal("    \t    l", getline(2))
+  set noexpandtab
+  call setline(1, "    \t    abc")
+  call feedkeys("ol", 'xt')
+  call assert_equal("    \t    l", getline(2))
+  set sw& ai& et& ci&
+  close!
+endfunc
+
+" vim: shiftwidth=2 sts=2 expandtab
+diff --git a/src/testdir/test_lispwords.vim b/src/testdir/test_lispwords.vim
+index aa5a738..ff710b2 100644
+--- a/src/testdir/test_lispwords.vim
+++ b/src/testdir/test_lispwords.vim
+@@ -45,6 +45,7 @@ func Test_lisp_indent()
+ 	      \ ])
+   call assert_equal(7, lispindent(2))
+   call assert_equal(5, 6->lispindent())
+  call assert_equal(-1, lispindent(-1))
+ 
+   set lisp
+   set lispwords&
+@@ -83,3 +84,5 @@ func Test_lisp_indent()
+   let &cpoptions=save_copt
+   set nolisp
+ endfunc
+
+" vim: shiftwidth=2 sts=2 expandtab
+diff --git a/src/testdir/test_smartindent.vim b/src/testdir/test_smartindent.vim
+index e89ad19..dc0f99e 100644
+--- a/src/testdir/test_smartindent.vim
+++ b/src/testdir/test_smartindent.vim
+@@ -38,4 +38,27 @@ func Test_smartindent_has_no_effect()
+   bwipe!
+ endfunc
+ 
+" Test for inserting '{' and '} with smartindent
+func Test_smartindent_braces()
+  new
+  set smartindent shiftwidth=4
+  call setline(1, ['    if (a)', "\tif (b)", "\t    return 1"])
+  normal 2ggO{
+  normal 3ggA {
+  normal 4ggo}
+  normal o}
+  normal 4ggO#define FOO 1
+  call assert_equal([
+        \ '    if (a)',
+        \ '    {',
+        \ "\tif (b) {",
+        \ '#define FOO 1',
+        \ "\t    return 1",
+        \ "\t}",
+        \ '    }'
+        \ ], getline(1, '$'))
+  set si& sw& ai&
+  close!
+endfunc
+
+ " vim: shiftwidth=2 sts=2 expandtab
+diff --git a/src/testdir/test_vartabs.vim b/src/testdir/test_vartabs.vim
+index c2919d8..0ac6ad2 100644
+--- a/src/testdir/test_vartabs.vim
+++ b/src/testdir/test_vartabs.vim
+@@ -91,6 +91,18 @@ func Test_vartabs()
+   let expect = "l\<tab>  l\<tab>l     l\<tab>    l\<tab>  l"
+   call assert_equal(expect, getline(1))
+ 
+  " Test for 'retab' with vts
+  set ts=8 sts=0 vts=5,3,6,2 vsts=
+  exe "norm! S                l"
+  .retab!
+  call assert_equal("\t\t\t\tl", getline(1))
+
+  " Test for 'retab' with same vlaues as vts
+  set ts=8 sts=0 vts=5,3,6,2 vsts=
+  exe "norm! S                l"
+  .retab! 5,3,6,2
+  call assert_equal("\t\t\t\tl", getline(1))
+
+   " Check that global and local values are set.
+   set ts=4 vts=6 sts=8 vsts=10
+   call assert_equal(&ts, 4)
+@@ -390,5 +402,32 @@ func Test_vartabstop_latin1()
+   let &encoding = save_encoding
+ endfunc
+ 
+func s:SaveCol(l)
+  call add(a:l, [col('.'), virtcol('.')])
+  return ''
+endfunc
+
+" Test for 'varsofttabstop'
+func Test_varsofttabstop()
+  new
+  inoremap <expr> <F2>  s:SaveCol(g:cols)
+
+  set backspace=indent,eol,start
+  set varsofttabstop=6,2,5,3
+  let g:cols = []
+  call feedkeys("a\t\<F2>\t\<F2>\t\<F2>\t\<F2> ", 'xt')
+  call assert_equal("\t\t ", getline(1))
+  call assert_equal([[7, 7], [2, 9], [7, 14], [3, 17]], g:cols)
+
+  let g:cols = []
+  call feedkeys("a\<bs>\<F2>\<bs>\<F2>\<bs>\<F2>\<bs>\<F2>\<bs>\<F2>", 'xt')
+  call assert_equal('', getline(1))
+  call assert_equal([[3, 17], [7, 14], [2, 9], [7, 7], [1, 1]], g:cols)
+
+  set varsofttabstop&
+  set backspace&
+  iunmap <F2>
+  close!
+endfunc
+ 
+ " vim: shiftwidth=2 sts=2 expandtab
+-- 
+1.8.3.1
+
--- a/backport-patch-8.2.5161-might-still-access-invalid-memory.patch
+++ b/backport-patch-8.2.5161-might-still-access-invalid-memory.patch
@ -0,0 +1,30 @@
+From 0fbc9260a75dfc4d86f20e7c0eb76878f513a212 Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Sun, 26 Jun 2022 11:17:10 +0100
+Subject: [PATCH] patch 8.2.5161: might still access invalid memory
+
+Problem:    Might still access invalid memory.
+Solution:   Add extra check for negative value.
+---
+ src/message.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/message.c b/src/message.c
+index 0b690bb..eae6e61 100644
+--- a/src/message.c
+++ b/src/message.c
+@@ -876,8 +876,10 @@ msg_may_trunc(int force, char_u *s)
+     int		n;
+     int		room;
+ 
+    // If something unexpected happened "room" may be negative, check for that
+    // just in case.
+     room = (int)(Rows - cmdline_row - 1) * Columns + sc_col - 1;
+-    if ((force || (shortmess(SHM_TRUNC) && !exmode_active))
+    if (room > 0 && (force || (shortmess(SHM_TRUNC) && !exmode_active))
+ 	    && (n = (int)STRLEN(s) - room) > 0)
+     {
+ 	if (has_mbyte)
+-- 
+1.8.3.1
+
--- a/vim.spec
+++ b/vim.spec
@ -12,7 +12,7 @@
 Name:           vim
 Epoch:          2
 Version:        8.2
-Release:        46
+Release:        47
 Summary:        Vim is a highly configurable text editor for efficiently creating and changing any kind of text.
 License:        Vim and MIT
 URL:            http://www.vim.org
@ -129,6 +129,10 @@ Patch6092:      backport-patch-8.2.1354-test-59-is-old-style.patch
 Patch6093:      backport-patch-8.2.3484-crash-when-going-through-spell-sugges.patch
 Patch6094:      backport-patch-8.2.5007-spell-suggestion-may-use-uninitialize.patch
 Patch6095:      backport-CVE-2022-2126.patch
+Patch6096:      backport-patch-8.2.0358-insufficient-testing-for-indent.c.patch
+Patch6097:      backport-CVE-2022-2125.patch
+Patch6098:      backport-CVE-2022-2206.patch
+Patch6099:      backport-patch-8.2.5161-might-still-access-invalid-memory.patch

 Patch9000:      bugfix-rm-modify-info-version.patch

@ -517,6 +521,12 @@ popd
 %{_mandir}/man1/evim.*

 %changelog
+* Tue Jul 05 2022 shixuantong <shixuantong@h-partners.com> - 2:8.2-47
+- Type:CVE
+- ID:CVE-2022-2125,CVE-2022-2206
+- SUG:NA
+- DESC:fix CVE-2022-2125,CVE-2022-2206
+
 * Wed Jun 29 2022 shixuantong <shixuantong@h-partners.com> - 2:8.2-46
 - Type:CVE
 - ID:CVE-2022-2126