fix CVE-2022-2980

2022-08-27 17:10:03 +08:00 · 2022-08-27 17:10:03 +08:00 · ca47921246
commit ca47921246
parent 9fa6049d0e
2 changed files with 179 additions and 1 deletions
--- a/backport-CVE-2022-2980.patch
+++ b/backport-CVE-2022-2980.patch
@ -0,0 +1,171 @@
 From 80525751c5ce9ed82c41d83faf9ef38667bf61b1 Mon Sep 17 00:00:00 2001
 From: Bram Moolenaar <Bram@vim.org>
 Date: Wed, 24 Aug 2022 19:27:45 +0100
 Subject: [PATCH] patch 9.0.0259: crash with mouse click when not initialized
 Problem:    Crash with mouse click when not initialized.
 Solution:   Check TabPageIdxs[] is not NULL.
 ---
 src/mouse.c                  | 107 ++++++++++++++++++-----------------
 src/testdir/test_tabline.vim |  14 +++++
 2 files changed, 69 insertions(+), 52 deletions(-)
 diff --git a/src/mouse.c b/src/mouse.c
 index c94f322..4fdbdbd 100644
 --- a/src/mouse.c
 +++ b/src/mouse.c
@@ -448,74 +448,77 @@ do_mouse(
     start_visual.lnum = 0;
 -    // Check for clicking in the tab page line.
 -    if (mouse_row == 0 && firstwin->w_winrow > 0)
 +    if (TabPageIdxs != NULL)  // only when initialized
     {
 -	if (is_drag)
 +	// Check for clicking in the tab page line.
 +	if (mouse_row == 0 && firstwin->w_winrow > 0)
 	{
 -	    if (in_tab_line)
 +	    if (is_drag)
 	    {
 -		c1 = TabPageIdxs[mouse_col];
 -		tabpage_move(c1 <= 0 ? 9999 : c1 < tabpage_index(curtab)
 -								? c1 - 1 : c1);
 +		if (in_tab_line)
 +		{
 +		    c1 = TabPageIdxs[mouse_col];
 +		    tabpage_move(c1 <= 0 ? 9999 : c1 < tabpage_index(curtab)
 +								    ? c1 - 1 : c1);
 +		}
 +		return FALSE;
 	    }
 -	    return FALSE;
 -	}
 -	// click in a tab selects that tab page
 -	if (is_click
 +	    // click in a tab selects that tab page
 +	    if (is_click
 # ifdef FEAT_CMDWIN
 -		&& cmdwin_type == 0
 +		    && cmdwin_type == 0
 # endif
 -		&& mouse_col < Columns)
 -	{
 -	    in_tab_line = TRUE;
 -	    c1 = TabPageIdxs[mouse_col];
 -	    if (c1 >= 0)
 +		    && mouse_col < Columns)
 	    {
 -		if ((mod_mask & MOD_MASK_MULTI_CLICK) == MOD_MASK_2CLICK)
 -		{
 -		    // double click opens new page
 -		    end_visual_mode();
 -		    tabpage_new();
 -		    tabpage_move(c1 == 0 ? 9999 : c1 - 1);
 -		}
 -		else
 +		in_tab_line = TRUE;
 +		c1 = TabPageIdxs[mouse_col];
 +		if (c1 >= 0)
 		{
 -		    // Go to specified tab page, or next one if not clicking
 -		    // on a label.
 -		    goto_tabpage(c1);
 -
 -		    // It's like clicking on the status line of a window.
 -		    if (curwin != old_curwin)
 +		    if ((mod_mask & MOD_MASK_MULTI_CLICK) == MOD_MASK_2CLICK)
 +		    {
 +			// double click opens new page
 			end_visual_mode();
 -		}
 -	    }
 -	    else
 -	    {
 -		tabpage_T	*tp;
 +			tabpage_new();
 +			tabpage_move(c1 == 0 ? 9999 : c1 - 1);
 +		    }
 +		    else
 +		    {
 +			// Go to specified tab page, or next one if not clicking
 +			// on a label.
 +			goto_tabpage(c1);
 -		// Close the current or specified tab page.
 -		if (c1 == -999)
 -		    tp = curtab;
 +			// It's like clicking on the status line of a window.
 +			if (curwin != old_curwin)
 +			    end_visual_mode();
 +		    }
 +		}
 		else
 -		    tp = find_tabpage(-c1);
 -		if (tp == curtab)
 		{
 -		    if (first_tabpage->tp_next != NULL)
 -			tabpage_close(FALSE);
 +		    tabpage_T	*tp;
 +
 +		    // Close the current or specified tab page.
 +		    if (c1 == -999)
 +			tp = curtab;
 +		    else
 +			tp = find_tabpage(-c1);
 +		    if (tp == curtab)
 +		    {
 +			if (first_tabpage->tp_next != NULL)
 +			    tabpage_close(FALSE);
 +		    }
 +		    else if (tp != NULL)
 +			tabpage_close_other(tp, FALSE);
 		}
 -		else if (tp != NULL)
 -		    tabpage_close_other(tp, FALSE);
 	    }
 +	    return TRUE;
 +	}
 +	else if (is_drag && in_tab_line)
 +	{
 +	    c1 = TabPageIdxs[mouse_col];
 +	    tabpage_move(c1 <= 0 ? 9999 : c1 - 1);
 +	    return FALSE;
 	}
 -	return TRUE;
 -    }
 -    else if (is_drag && in_tab_line)
 -    {
 -	c1 = TabPageIdxs[mouse_col];
 -	tabpage_move(c1 <= 0 ? 9999 : c1 - 1);
 -	return FALSE;
     }
     // When 'mousemodel' is "popup" or "popup_setpos", translate mouse events:
 diff --git a/src/testdir/test_tabline.vim b/src/testdir/test_tabline.vim
 index 383d239..d615429 100644
 --- a/src/testdir/test_tabline.vim
 +++ b/src/testdir/test_tabline.vim
@@ -70,3 +70,17 @@ func Test_redrawtabline()
   let &showtabline = showtabline_save
   au! Bufadd
 endfunc
 +
 +func Test_mouse_click_in_tab()
 +  " This used to crash because TabPageIdxs[] was not initialized
 +  let lines =<< trim END
 +      tabnew
 +      set mouse=a
 +      exe "norm \<LeftMouse>"
 +  END
 +  call writefile(lines, 'Xclickscript')
 +  call RunVim([], [], "-e -s -S Xclickscript -c qa")
 +
 +  call delete('Xclickscript')
 +endfunc
 +
 -- 
 2.27.0
--- a/vim.spec
+++ b/vim.spec
@ -12,7 +12,7 @@
 Name:           vim
 Epoch:          2
 Version:        8.2
-Release:        60
+Release:        61
 Summary:        Vim is a highly configurable text editor for efficiently creating and changing any kind of text.
 License:        Vim and MIT
 URL:            http://www.vim.org
@ -166,6 +166,7 @@ Patch6129:      backport-CVE-2022-1725.patch
 Patch6130:      backport-CVE-2022-2845.patch 
 Patch6131:      backport-CVE-2022-2923.patch
 Patch6132:      backport-CVE-2022-2946.patch
 Patch6133:      backport-CVE-2022-2980.patch
 Patch9000:      bugfix-rm-modify-info-version.patch
@ -554,6 +555,12 @@ popd
 %{_mandir}/man1/evim.*
 %changelog
 * Sat Aug 27 2022 licihua <licihua@huawei.com> - 2:8.2-61
 - Type:CVE
 - ID:CVE-2022-2980
 - SUG:NA
 - DESC:fix CVE-2022-2980
 * Mon Aug 22 2022 shixuantong <shixuantong@h-partners.com> - 2:8.2-60
 - Type:CVE
 - ID:CVE-2022-2923 CVE-2022-2946