packages/vim
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix CVE-2022-3324

Browse Source 
(cherry picked from commit 0b734ebbd8ac0db4d43e847168913a78e636f7d5)
This commit is contained in:
dongyuzhen 2022-10-17 17:42:29 +08:00 committed by openeuler-sync-bot
parent 7866537ba3
commit bc2e577146
2 changed files with 78 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

70
backport-CVE-2022-3324.patch Normal file
View File

@ -0,0 +1,70 @@
From 8279af514ca7e5fd3c31cf13b0864163d1a0bfeb Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Mon, 26 Sep 2022 23:08:22 +0100
Subject: [PATCH] patch 9.0.0598: using negative array index with negative
width window
Problem: Using negative array index with negative width window.
Solution: Make sure the window width does not become negative.
---
src/testdir/test_cmdline.vim | 22 ++++++++++++++++++++++
src/window.c | 5 ++++-
2 files changed, 26 insertions(+), 1 deletion(-)
diff --git a/src/testdir/test_cmdline.vim b/src/testdir/test_cmdline.vim
index c442d7f..0c8b3dd 100644
--- a/src/testdir/test_cmdline.vim
+++ b/src/testdir/test_cmdline.vim
@@ -962,4 +962,26 @@ func Test_cmdwin_freed_buffer_ptr()
bwipe!
endfunc
+" This was resulting in a window with negative width.
+" The test doesn't reproduce the illegal memory access though...
+func Test_cmdwin_split_often()
+ let lines = &lines
+ let columns = &columns
+ set t_WS=
+
+ try
+ set encoding=iso8859
+ set ruler
+ winsize 0 0
+ noremap 0 H
+ sil norm 0000000q:
+ catch /E36:/
+ endtry
+
+ bwipe!
+ set encoding=utf8
+ let &lines = lines
+ let &columns = columns
+endfunc
+
" vim: shiftwidth=2 sts=2 expandtab
diff --git a/src/window.c b/src/window.c
index e0df540..42e2742 100644
--- a/src/window.c
+++ b/src/window.c
@@ -2045,6 +2045,8 @@ win_equal_rec(
if (hnc) // add next_curwin size
{
next_curwin_size -= p_wiw - (m - n);
+ if (next_curwin_size < 0)
+ next_curwin_size = 0;
new_size += next_curwin_size;
room -= new_size - next_curwin_size;
}
@@ -6180,7 +6182,8 @@ scroll_to_fraction(win_T *wp, int prev_height)
void
win_new_width(win_T *wp, int width)
{
- wp->w_width = width;
+ // Should we give an error if width < 0?
+ wp->w_width = width < 0 ? 0 : width;
wp->w_lines_valid = 0;
changed_line_abv_curs_win(wp);
invalidate_botline_win(wp);
--
2.27.0

9
vim.spec
View File

@ -12,7 +12,7 @@
Name: vim Name: vim
Epoch: 2 Epoch: 2
Version: 8.2 Version: 8.2
Release: 70 Release: 71
Summary: Vim is a highly configurable text editor for efficiently creating and changing any kind of text. Summary: Vim is a highly configurable text editor for efficiently creating and changing any kind of text.
License: Vim and MIT License: Vim and MIT
URL: http://www.vim.org URL: http://www.vim.org
@ -192,6 +192,7 @@ Patch6150: backport-CVE-2022-3352.patch
Patch6151: backport-CVE-2022-3296.patch Patch6151: backport-CVE-2022-3296.patch
Patch6152: backport-CVE-2022-3297.patch Patch6152: backport-CVE-2022-3297.patch
Patch6153: backport-9.0.0581-adding-a-character-for-incsearch-fails-at-end-of-line.patch Patch6153: backport-9.0.0581-adding-a-character-for-incsearch-fails-at-end-of-line.patch
Patch6154: backport-CVE-2022-3324.patch
BuildRequires: autoconf python3-devel ncurses-devel gettext perl-devel perl-generators gcc BuildRequires: autoconf python3-devel ncurses-devel gettext perl-devel perl-generators gcc
BuildRequires: perl(ExtUtils::Embed) perl(ExtUtils::ParseXS) libacl-devel gpm-devel file BuildRequires: perl(ExtUtils::Embed) perl(ExtUtils::ParseXS) libacl-devel gpm-devel file
@ -581,6 +582,12 @@ LC_ALL=en_US.UTF-8 make -j1 test
%{_mandir}/man1/evim.* %{_mandir}/man1/evim.*
%changelog %changelog
* Mon Oct 17 2022 dongyuzhen <dongyuzhen@h-partners.com> - 2:8.2-71
- Type:CVE
- ID:CVE-2022-3324
- SUG:NA
- DESC:fix CVE-2022-3324
* Fri Oct 14 2022 wangjiang <wangjiang37@h-partners.com> - 2:8.2-70 * Fri Oct 14 2022 wangjiang <wangjiang37@h-partners.com> - 2:8.2-70
- Type:CVE - Type:CVE
- ID:CVE-2022-3297 - ID:CVE-2022-3297