packages/vim
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!116 fix CVE-2022-0213 CVE-2022-0261 fix CVE-2022-0318

Browse Source 
Merge pull request !116 from 郭昭睿/openEuler-22.03-LTS-Next
This commit is contained in:
openeuler-ci-bot 2022-01-30 01:38:37 +00:00 committed by Gitee
commit b3fcde8940
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
4 changed files with 244 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

62
backport-CVE-2022-0213.patch Normal file
View File

@ -0,0 +1,62 @@
From de05bb25733c3319e18dca44e9b59c6ee389eb26 Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Thu, 13 Jan 2022 13:08:14 +0000
Subject: [PATCH] patch 8.2.4074: going over the end of NameBuff
Problem: Going over the end of NameBuff.
Solution: Check length when appending a space.
---
src/drawscreen.c | 9 +++++----
src/testdir/test_edit.vim | 15 +++++++++++++++
src/version.c | 2 ++
3 files changed, 22 insertions(+), 4 deletions(-)
diff --git a/src/drawscreen.c b/src/drawscreen.c
index 9acb705..7425ad4 100644
--- a/src/drawscreen.c
+++ b/src/drawscreen.c
@@ -437,12 +437,13 @@ win_redr_status(win_T *wp, int ignore_pum UNUSED)
p = NameBuff;
len = (int)STRLEN(p);
- if (bt_help(wp->w_buffer)
+ if ((bt_help(wp->w_buffer)
#ifdef FEAT_QUICKFIX
- || wp->w_p_pvw
+ || wp->w_p_pvw
#endif
- || bufIsChanged(wp->w_buffer)
- || wp->w_buffer->b_p_ro)
+ || bufIsChanged(wp->w_buffer)
+ || wp->w_buffer->b_p_ro)
+ && len < MAXPATHL - 1)
*(p + len++) = ' ';
if (bt_help(wp->w_buffer))
{
diff --git a/src/testdir/test_edit.vim b/src/testdir/test_edit.vim
index c3b1af5..48e6ff2 100644
--- a/src/testdir/test_edit.vim
+++ b/src/testdir/test_edit.vim
@@ -1532,3 +1532,18 @@ func Test_edit_put_CTRL_E()
set encoding=utf-8
endfunc
+" Weird long file name was going over the end of NameBuff
+func Test_edit_overlong_file_name()
+ CheckUnix
+
+ file 0000000000000000000000000000
+ file %%%%%%%%%%%%%%%%%%%%%%%%%%
+ file %%%%%%
+ set readonly
+ set ls=2
+
+ redraw!
+ set noreadonly ls&
+ bwipe!
+endfunc
+
--
2.23.0

109
backport-CVE-2022-0261.patch Normal file
View File

@ -0,0 +1,109 @@
From 9f8c304c8a390ade133bac29963dc8e56ab14cbc Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Mon, 17 Jan 2022 17:30:21 +0000
Subject: [PATCH] patch 8.2.4120: block insert goes over the end of the line
Problem: Block insert goes over the end of the line.
Solution: Handle invalid byte better. Fix inserting the wrong text.
---
src/ops.c | 40 ++++++++++++++++++++++++-------------
src/testdir/test_visual.vim | 10 ++++++++++
2 files changed, 36 insertions(+), 14 deletions(-)
diff --git a/src/ops.c b/src/ops.c
index d3e1e47..13e6bdb 100644
--- a/src/ops.c
+++ b/src/ops.c
@@ -535,22 +535,27 @@ block_insert(
if (b_insert)
{
off = (*mb_head_off)(oldp, oldp + offset + spaces);
+ spaces -= off;
+ count -= off;
}
else
{
- off = (*mb_off_next)(oldp, oldp + offset);
- offset += off;
+ // spaces fill the gap, the character that's at the edge moves
+ // right
+ off = (*mb_head_off)(oldp, oldp + offset);
+ offset -= off;
}
- spaces -= off;
- count -= off;
}
- newp = alloc(STRLEN(oldp) + s_len + count + 1);
+ // Make sure the allocated size matches what is actually copied below.
+ newp = alloc(STRLEN(oldp) + spaces + s_len
+ + (spaces > 0 && !bdp->is_short ? ts_val - spaces : 0)
+ + count + 1);
if (newp == NULL)
continue;
// copy up to shifted part
- mch_memmove(newp, oldp, (size_t)(offset));
+ mch_memmove(newp, oldp, (size_t)offset);
oldp += offset;
// insert pre-padding
@@ -560,14 +565,21 @@ block_insert(
mch_memmove(newp + offset + spaces, s, (size_t)s_len);
offset += s_len;
- if (spaces && !bdp->is_short)
+ if (spaces > 0 && !bdp->is_short)
{
- // insert post-padding
- vim_memset(newp + offset + spaces, ' ', (size_t)(ts_val - spaces));
- // We're splitting a TAB, don't copy it.
- oldp++;
- // We allowed for that TAB, remember this now
- count++;
+ if (*oldp == TAB)
+ {
+ // insert post-padding
+ vim_memset(newp + offset + spaces, ' ',
+ (size_t)(ts_val - spaces));
+ // we're splitting a TAB, don't copy it
+ oldp++;
+ // We allowed for that TAB, remember this now
+ count++;
+ }
+ else
+ // Not a TAB, no extra spaces
+ count = spaces;
}
if (spaces > 0)
@@ -1609,7 +1621,7 @@ op_insert(oparg_T *oap, long count1)
oap->start_vcol = t;
}
else if (oap->op_type == OP_APPEND
- && oap->end.col + oap->end.coladd
+ && oap->start.col + oap->start.coladd
>= curbuf->b_op_start_orig.col
+ curbuf->b_op_start_orig.coladd)
{
diff --git a/src/testdir/test_visual.vim b/src/testdir/test_visual.vim
index 0705fdb..84a8981 100644
--- a/src/testdir/test_visual.vim
+++ b/src/testdir/test_visual.vim
@@ -903,3 +903,13 @@ func Test_visual_block_ctrl_w_f()
endfunc
" vim: shiftwidth=2 sts=2 expandtab
+
+func Test_visual_block_append_invalid_char()
+ " this was going over the end of the line
+ new
+ call setline(1, [' let xxx', 'xxxxxˆ', 'xxxxxxxxxxx'])
+ exe "normal 0\<C-V>jjA-\<Esc>"
+ call assert_equal([' - let xxx', 'xxxxx -ˆ', 'xxxxxxxx-xxx'], getline(1, 3))
+ bwipe!
+endfunc
+
--
2.27.0

63
backport-CVE-2022-0318.patch Normal file
View File

@ -0,0 +1,63 @@
From 57df9e8a9f9ae1aafdde9b86b10ad907627a87dc Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Thu, 20 Jan 2022 12:10:48 +0000
Subject: [PATCH] patch 8.2.4151: reading beyond the end of a line
Problem: Reading beyond the end of a line.
Solution: For block insert only use the offset for correcting the length.
---
src/ops.c | 20 ++------------------
src/testdir/test_visual.vim | 9 +++++++++
2 files changed, 11 insertions(+), 18 deletions(-)
diff --git a/src/ops.c b/src/ops.c
index 13e6bdb..2122ff3 100644
--- a/src/ops.c
+++ b/src/ops.c
@@ -528,24 +528,8 @@ block_insert(
}
if (has_mbyte && spaces > 0)
- {
- int off;
-
- // Avoid starting halfway a multi-byte character.
- if (b_insert)
- {
- off = (*mb_head_off)(oldp, oldp + offset + spaces);
- spaces -= off;
- count -= off;
- }
- else
- {
- // spaces fill the gap, the character that's at the edge moves
- // right
- off = (*mb_head_off)(oldp, oldp + offset);
- offset -= off;
- }
- }
+ // avoid copying part of a multi-byte character
+ offset -= (*mb_head_off)(oldp, oldp + offset);
// Make sure the allocated size matches what is actually copied below.
newp = alloc(STRLEN(oldp) + spaces + s_len
diff --git a/src/testdir/test_visual.vim b/src/testdir/test_visual.vim
index 84a8981..3ed927a 100644
--- a/src/testdir/test_visual.vim
+++ b/src/testdir/test_visual.vim
@@ -913,3 +913,12 @@ func Test_visual_block_append_invalid_char()
bwipe!
endfunc
+func Test_visual_block_insert_round_off()
+ new
+ " The number of characters are tuned to fill a 4096 byte allocated block,
+ " so that valgrind reports going over the end.
+ call setline(1, ['xxxxx', repeat('0', 1350), "\t", repeat('x', 60)])
+ exe "normal gg0\<C-V>GI" .. repeat('0', 1320) .. "\<Esc>"
+ bwipe!
+endfunc
+
--
2.27.0

11
vim.spec
View File

@ -12,7 +12,7 @@
Name: vim
Epoch: 2
Version: 8.2
Release: 19
Release: 20
Summary: Vim is a highly configurable text editor for efficiently creating and changing any kind of text.
License: Vim and MIT
URL: http://www.vim.org
@ -69,6 +69,9 @@ Patch6032: backport-CVE-2021-4166.patch
Patch6033: backport-fix-arglist-test-fails.patch
Patch6034: backport-CVE-2021-4192.patch
Patch6035: backport-CVE-2021-4193.patch
Patch6036: backport-CVE-2022-0213.patch
Patch6037: backport-CVE-2022-0261.patch
Patch6038: backport-CVE-2022-0318.patch
Patch9000: bugfix-rm-modify-info-version.patch
@ -457,6 +460,12 @@ popd
%{_mandir}/man1/evim.*
%changelog
* Sat Jan 29 2022 guozhaorui<guozhaorui1@h-partners.com> - 2:8.2-20
- Type:CVE
- ID:CVE-2022-0213 CVE-2022-0261 CVE-2022-0318
- SUG:NA
- DESC:CVE-2022-0213 CVE-2022-0261 CVE-2022-0318
* Mon Jan 17 2022 yuanxin<yuanxin24@huawei.com> - 2:8.2-19
- Type:CVE
- ID:CVE-2021-4166 CVE-2021-4192 CVE-2021-4193