packages/vim
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!208 fix CVE-2022-1154

Browse Source 
From: @tong_1001 
Reviewed-by: @overweight 
Signed-off-by: @overweight
This commit is contained in:
openeuler-ci-bot 2022-05-16 11:45:48 +00:00 committed by Gitee
commit bf79f393e2
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
2 changed files with 67 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

59
backport-CVE-2022-1154.patch Normal file
View File

@ -0,0 +1,59 @@
From b55986c52d4cd88a22d0b0b0e8a79547ba13e1d5 Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Tue, 29 Mar 2022 13:24:58 +0100
Subject: [PATCH] patch 8.2.4646: using buffer line after it has been freed
Problem: Using buffer line after it has been freed in old regexp engine.
Solution: After getting mark get the line again.
---
src/regexp_bt.c | 9 +++++++++
src/testdir/test_regexp_latin.vim | 7 +++++++
2 files changed, 16 insertions(+)
diff --git a/src/regexp_bt.c b/src/regexp_bt.c
index e017ba5..ff92576 100644
--- a/src/regexp_bt.c
+++ b/src/regexp_bt.c
@@ -3188,8 +3188,17 @@ regmatch(
int mark = OPERAND(scan)[0];
int cmp = OPERAND(scan)[1];
pos_T *pos;
+ size_t col = REG_MULTI ? rex.input - rex.line : 0;
pos = getmark_buf(rex.reg_buf, mark, FALSE);
+
+ // Line may have been freed, get it again.
+ if (REG_MULTI)
+ {
+ rex.line = reg_getline(rex.lnum);
+ rex.input = rex.line + col;
+ }
+
if (pos == NULL // mark doesn't exist
|| pos->lnum <= 0 // mark isn't set in reg_buf
|| (pos->lnum == rex.lnum + rex.reg_firstlnum
diff --git a/src/testdir/test_regexp_latin.vim b/src/testdir/test_regexp_latin.vim
index 5b1db5a..a242d91 100644
--- a/src/testdir/test_regexp_latin.vim
+++ b/src/testdir/test_regexp_latin.vim
@@ -152,10 +152,17 @@ endfunc
func Test_using_mark_position()
" this was using freed memory
+ " new engine
new
norm O0
call assert_fails("s/\\%')", 'E486:')
bwipe!
+
+ " old engine
+ new
+ norm O0
+ call assert_fails("s/\\%#=1\\%')", 'E486:')
+ bwipe!
endfunc
func Test_using_invalid_visual_position()
--
1.8.3.1

9
vim.spec
View File

@ -12,7 +12,7 @@
Name: vim
Epoch: 2
Version: 8.2
Release: 32
Release: 33
Summary: Vim is a highly configurable text editor for efficiently creating and changing any kind of text.
License: Vim and MIT
URL: http://www.vim.org
@ -94,6 +94,7 @@ Patch6057: backport-CVE-2022-0943.patch
Patch6058: backport-CVE-2021-4069.patch
Patch6059: backport-CVE-2022-0629.patch
Patch6060: backport-CVE-2022-1616.patch
Patch6061: backport-CVE-2022-1154.patch
Patch9000: bugfix-rm-modify-info-version.patch
@ -482,6 +483,12 @@ popd
%{_mandir}/man1/evim.*
%changelog
* Mon May 16 2022 shixuantong <shixuantong@h-partners.com> - 2:8.2-33
- Type:CVE
- ID:CVE-2022-1154
- SUG:NA
- DESC:fix CVE-2022-1154
* Mon May 09 2022 shangyibin <shangyibin1@h-partners.com> - 2:8.2-32
- Type:CVE
- ID:CVE-2022-1616