fix CVE-2022-2980

2022-08-27 17:10:03 +08:00 · 2022-08-27 17:10:03 +08:00 · ca47921246
commit ca47921246
parent 9fa6049d0e
2 changed files with 179 additions and 1 deletions
--- a/backport-CVE-2022-2980.patch
+++ b/backport-CVE-2022-2980.patch
@ -0,0 +1,171 @@
+From 80525751c5ce9ed82c41d83faf9ef38667bf61b1 Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Wed, 24 Aug 2022 19:27:45 +0100
+Subject: [PATCH] patch 9.0.0259: crash with mouse click when not initialized
+
+Problem:    Crash with mouse click when not initialized.
+Solution:   Check TabPageIdxs[] is not NULL.
+---
+ src/mouse.c                  | 107 ++++++++++++++++++-----------------
+ src/testdir/test_tabline.vim |  14 +++++
+ 2 files changed, 69 insertions(+), 52 deletions(-)
+
+diff --git a/src/mouse.c b/src/mouse.c
+index c94f322..4fdbdbd 100644
+--- a/src/mouse.c
+++ b/src/mouse.c
+@@ -448,74 +448,77 @@ do_mouse(
+ 
+     start_visual.lnum = 0;
+ 
+-    // Check for clicking in the tab page line.
+-    if (mouse_row == 0 && firstwin->w_winrow > 0)
+    if (TabPageIdxs != NULL)  // only when initialized
+     {
+-	if (is_drag)
+	// Check for clicking in the tab page line.
+	if (mouse_row == 0 && firstwin->w_winrow > 0)
+ 	{
+-	    if (in_tab_line)
+	    if (is_drag)
+ 	    {
+-		c1 = TabPageIdxs[mouse_col];
+-		tabpage_move(c1 <= 0 ? 9999 : c1 < tabpage_index(curtab)
+-								? c1 - 1 : c1);
+		if (in_tab_line)
+		{
+		    c1 = TabPageIdxs[mouse_col];
+		    tabpage_move(c1 <= 0 ? 9999 : c1 < tabpage_index(curtab)
+								    ? c1 - 1 : c1);
+		}
+		return FALSE;
+ 	    }
+-	    return FALSE;
+-	}
+ 
+-	// click in a tab selects that tab page
+-	if (is_click
+	    // click in a tab selects that tab page
+	    if (is_click
+ # ifdef FEAT_CMDWIN
+-		&& cmdwin_type == 0
+		    && cmdwin_type == 0
+ # endif
+-		&& mouse_col < Columns)
+-	{
+-	    in_tab_line = TRUE;
+-	    c1 = TabPageIdxs[mouse_col];
+-	    if (c1 >= 0)
+		    && mouse_col < Columns)
+ 	    {
+-		if ((mod_mask & MOD_MASK_MULTI_CLICK) == MOD_MASK_2CLICK)
+-		{
+-		    // double click opens new page
+-		    end_visual_mode();
+-		    tabpage_new();
+-		    tabpage_move(c1 == 0 ? 9999 : c1 - 1);
+-		}
+-		else
+		in_tab_line = TRUE;
+		c1 = TabPageIdxs[mouse_col];
+		if (c1 >= 0)
+ 		{
+-		    // Go to specified tab page, or next one if not clicking
+-		    // on a label.
+-		    goto_tabpage(c1);
+-
+-		    // It's like clicking on the status line of a window.
+-		    if (curwin != old_curwin)
+		    if ((mod_mask & MOD_MASK_MULTI_CLICK) == MOD_MASK_2CLICK)
+		    {
+			// double click opens new page
+ 			end_visual_mode();
+-		}
+-	    }
+-	    else
+-	    {
+-		tabpage_T	*tp;
+			tabpage_new();
+			tabpage_move(c1 == 0 ? 9999 : c1 - 1);
+		    }
+		    else
+		    {
+			// Go to specified tab page, or next one if not clicking
+			// on a label.
+			goto_tabpage(c1);
+ 
+-		// Close the current or specified tab page.
+-		if (c1 == -999)
+-		    tp = curtab;
+			// It's like clicking on the status line of a window.
+			if (curwin != old_curwin)
+			    end_visual_mode();
+		    }
+		}
+ 		else
+-		    tp = find_tabpage(-c1);
+-		if (tp == curtab)
+ 		{
+-		    if (first_tabpage->tp_next != NULL)
+-			tabpage_close(FALSE);
+		    tabpage_T	*tp;
+
+		    // Close the current or specified tab page.
+		    if (c1 == -999)
+			tp = curtab;
+		    else
+			tp = find_tabpage(-c1);
+		    if (tp == curtab)
+		    {
+			if (first_tabpage->tp_next != NULL)
+			    tabpage_close(FALSE);
+		    }
+		    else if (tp != NULL)
+			tabpage_close_other(tp, FALSE);
+ 		}
+-		else if (tp != NULL)
+-		    tabpage_close_other(tp, FALSE);
+ 	    }
+	    return TRUE;
+	}
+	else if (is_drag && in_tab_line)
+	{
+	    c1 = TabPageIdxs[mouse_col];
+	    tabpage_move(c1 <= 0 ? 9999 : c1 - 1);
+	    return FALSE;
+ 	}
+-	return TRUE;
+-    }
+-    else if (is_drag && in_tab_line)
+-    {
+-	c1 = TabPageIdxs[mouse_col];
+-	tabpage_move(c1 <= 0 ? 9999 : c1 - 1);
+-	return FALSE;
+     }
+ 
+     // When 'mousemodel' is "popup" or "popup_setpos", translate mouse events:
+diff --git a/src/testdir/test_tabline.vim b/src/testdir/test_tabline.vim
+index 383d239..d615429 100644
+--- a/src/testdir/test_tabline.vim
+++ b/src/testdir/test_tabline.vim
+@@ -70,3 +70,17 @@ func Test_redrawtabline()
+   let &showtabline = showtabline_save
+   au! Bufadd
+ endfunc
+
+func Test_mouse_click_in_tab()
+  " This used to crash because TabPageIdxs[] was not initialized
+  let lines =<< trim END
+      tabnew
+      set mouse=a
+      exe "norm \<LeftMouse>"
+  END
+  call writefile(lines, 'Xclickscript')
+  call RunVim([], [], "-e -s -S Xclickscript -c qa")
+
+  call delete('Xclickscript')
+endfunc
+
+-- 
+2.27.0
+
--- a/vim.spec
+++ b/vim.spec
@ -12,7 +12,7 @@
 Name:           vim
 Epoch:          2
 Version:        8.2
-Release:        60
+Release:        61
 Summary:        Vim is a highly configurable text editor for efficiently creating and changing any kind of text.
 License:        Vim and MIT
 URL:            http://www.vim.org
@ -166,6 +166,7 @@ Patch6129:      backport-CVE-2022-1725.patch
 Patch6130:      backport-CVE-2022-2845.patch 
 Patch6131:      backport-CVE-2022-2923.patch
 Patch6132:      backport-CVE-2022-2946.patch
+Patch6133:      backport-CVE-2022-2980.patch

 Patch9000:      bugfix-rm-modify-info-version.patch

@ -554,6 +555,12 @@ popd
 %{_mandir}/man1/evim.*

 %changelog
+* Sat Aug 27 2022 licihua <licihua@huawei.com> - 2:8.2-61
+- Type:CVE
+- ID:CVE-2022-2980
+- SUG:NA
+- DESC:fix CVE-2022-2980
+
 * Mon Aug 22 2022 shixuantong <shixuantong@h-partners.com> - 2:8.2-60
 - Type:CVE
 - ID:CVE-2022-2923 CVE-2022-2946