packages/vim
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix CVE-2022-2598 CVE-2022-2571

Browse Source 
(cherry picked from commit 987cbee818b1d65aa3e20a4b6abd517027c0771a)
This commit is contained in:
shixuantong 2022-08-02 14:18:35 +08:00 committed by openeuler-sync-bot
parent b827054d80
commit ccd72e5d8b
3 changed files with 122 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

47
backport-CVE-2022-2571.patch Normal file
View File

@ -0,0 +1,47 @@
From a6f9e300161f4cb54713da22f65b261595e8e614 Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Thu, 28 Jul 2022 21:51:37 +0100
Subject: [PATCH] patch 9.0.0102: reading past end of line with insert
mode
completion
Problem: Reading past end of line with insert mode completion.
Solution: Check text length.
---
src/insexpand.c | 2 +-
src/testdir/test_ins_complete.vim | 9 +++++++++
2 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/src/insexpand.c b/src/insexpand.c
index 88dbac6..a23d2d6 100644
--- a/src/insexpand.c
+++ b/src/insexpand.c
@@ -2998,7 +2998,7 @@ ins_compl_get_exp(pos_T *ini)
{
char_u *tmp_ptr = ptr;
- if (compl_cont_status & CONT_ADDING)
+ if (compl_cont_status & CONT_ADDING && compl_length <= (int)STRLEN(tmp_ptr))
{
tmp_ptr += compl_length;
// Skip if already inside a word.
diff --git a/src/testdir/test_ins_complete.vim b/src/testdir/test_ins_complete.vim
index 5e7353c..39ece18 100644
--- a/src/testdir/test_ins_complete.vim
+++ b/src/testdir/test_ins_complete.vim
@@ -418,3 +418,12 @@ func Test_infercase_very_long_line()
bwipe!
set noic noinfercase
endfunc
+
+func Test_ins_complete_end_of_line()
+ " this was reading past the end of the line
+ new
+ norm 8o€ý 
+ sil! norm o
+
+ bwipe!
+endfunc
--
2.27.0

66
backport-CVE-2022-2598.patch Normal file
View File

@ -0,0 +1,66 @@
From 4e677b9c40ccbc5f090971b31dc2fe07bf05541d Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Thu, 28 Jul 2022 18:44:27 +0100
Subject: [PATCH] patch 9.0.0101: invalid memory access in diff mode with
"dp"
and undo
Problem: Invalid memory access in diff mode with "dp" and undo.
Solution: Make sure the line number does not go below one.
---
src/diff.c | 9 ++++++---
src/testdir/test_diffmode.vim | 14 ++++++++++++++
2 files changed, 20 insertions(+), 3 deletions(-)
diff --git a/src/diff.c b/src/diff.c
index 2801c67..5328000 100644
--- a/src/diff.c
+++ b/src/diff.c
@@ -452,7 +452,10 @@ diff_mark_adjust_tp(
for (i = 0; i < DB_COUNT; ++i)
if (tp->tp_diffbuf[i] != NULL && i != idx)
{
- dp->df_lnum[i] -= off;
+ if (dp->df_lnum[i] > off)
+ dp->df_lnum[i] -= off;
+ else
+ dp->df_lnum[i] = 1;
dp->df_count[i] += n;
}
}
@@ -2781,8 +2784,8 @@ ex_diffgetput(exarg_T *eap)
{
// remember deleting the last line of the buffer
buf_empty = curbuf->b_ml.ml_line_count == 1;
- ml_delete(lnum, FALSE);
- --added;
+ if (ml_delete(lnum, FALSE) == OK)
+ --added;
}
for (i = 0; i < dp->df_count[idx_from] - start_skip - end_skip; ++i)
{
diff --git a/src/testdir/test_diffmode.vim b/src/testdir/test_diffmode.vim
index a75d0e5..d3b8f6c 100644
--- a/src/testdir/test_diffmode.vim
+++ b/src/testdir/test_diffmode.vim
@@ -852,3 +852,17 @@ func Test_diff_manipulations()
set nodiff
%bwipe!
endfunc
+
+" This was causing the line number in the diff block to go below one.
+" FIXME: somehow this causes a valgrind error when run directly but not when
+" run as a test.
+func Test_diff_put_and_undo()
+ set diff
+ next 0
+ split 00
+ sil! norm o0gguudpo0ggJuudp
+
+ bwipe!
+ bwipe!
+ set nodiff
+endfunc
--
2.27.0

10
vim.spec
View File

@ -12,7 +12,7 @@
Name: vim Name: vim
Epoch: 2 Epoch: 2
Version: 8.2 Version: 8.2
Release: 56 Release: 57
Summary: Vim is a highly configurable text editor for efficiently creating and changing any kind of text. Summary: Vim is a highly configurable text editor for efficiently creating and changing any kind of text.
License: Vim and MIT License: Vim and MIT
URL: http://www.vim.org URL: http://www.vim.org
@ -160,6 +160,8 @@ Patch6123: backport-CVE-2022-2343.patch
Patch6124: backport-patch-9.0.0054-compiler-warning-for-size_t-to-int-conversion.patch Patch6124: backport-patch-9.0.0054-compiler-warning-for-size_t-to-int-conversion.patch
Patch6125: backport-CVE-2022-2522.patch Patch6125: backport-CVE-2022-2522.patch
Patch6126: backport-patch-8.2.0310-autocmd-test-fails-on-a-slow-system.patch Patch6126: backport-patch-8.2.0310-autocmd-test-fails-on-a-slow-system.patch
Patch6127: backport-CVE-2022-2598.patch
Patch6128: backport-CVE-2022-2571.patch
Patch9000: bugfix-rm-modify-info-version.patch Patch9000: bugfix-rm-modify-info-version.patch
@ -548,6 +550,12 @@ popd
%{_mandir}/man1/evim.* %{_mandir}/man1/evim.*
%changelog %changelog
* Tue Aug 02 2022 shixuantong <shixuantong@h-partners.com> - 2:8.2-57
- Type:CVE
- ID:CVE-2022-2598 CVE-2022-2571
- SUG:NA
- DESC:fix CVE-2022-2598 CVE-2022-2571
* Mon Aug 01 2022 shixuantong <shixuantong@h-partners.com> - 2:8.2-56 * Mon Aug 01 2022 shixuantong <shixuantong@h-partners.com> - 2:8.2-56
- Type:CVE - Type:CVE
- ID:CVE-2022-2522 - ID:CVE-2022-2522