fix CVE-2022-2289

(cherry picked from commit 7b505f110e8a408b28bc0c5d6b936d74ff388e92)
2022-07-15 11:47:09 +08:00 · 2022-07-15 11:47:09 +08:00 · d238c58b0a
commit d238c58b0a
parent cc2418b22a
2 changed files with 73 additions and 1 deletions
--- a/backport-CVE-2022-2289.patch
+++ b/backport-CVE-2022-2289.patch
@ -0,0 +1,65 @@
+From c5274dd12224421f2430b30c53b881b9403d649e Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Sat, 2 Jul 2022 15:10:00 +0100
+Subject: [PATCH] patch 9.0.0026: accessing freed memory with diff put
+
+Problem:    Accessing freed memory with diff put.
+Solution:   Bail out when diff pointer is no longer valid.
+---
+ src/diff.c | 24 ++++++++++++++++++++++--
+ 1 file changed, 22 insertions(+), 2 deletions(-)
+
+diff --git a/src/diff.c b/src/diff.c
+index 8569a9f..d79dfee 100644
+--- a/src/diff.c
+++ b/src/diff.c
+@@ -2560,6 +2560,20 @@ nv_diffgetput(int put, long count)
+     ex_diffgetput(&ea);
+ }
+ 
+/*
+ * Return TRUE if "diff" appears in the list of diff blocks of the current tab.
+ */
+    static int
+valid_diff(diff_T *diff)
+{
+    diff_T	*dp;
+
+    for (dp = curtab->tp_first_diff; dp != NULL; dp = dp->df_next)
+	if (dp == diff)
+	    return TRUE;
+    return FALSE;
+}
+
+ /*
+  * ":diffget"
+  * ":diffput"
+@@ -2817,9 +2831,9 @@ ex_diffgetput(exarg_T *eap)
+ 		}
+ 	    }
+ 
+-	    // Adjust marks.  This will change the following entries!
+ 	    if (added != 0)
+ 	    {
+		// Adjust marks.  This will change the following entries!
+ 		mark_adjust(lnum, lnum + count - 1, (long)MAXLNUM, (long)added);
+ 		if (curwin->w_cursor.lnum >= lnum)
+ 		{
+@@ -2841,7 +2855,13 @@ ex_diffgetput(exarg_T *eap)
+ #endif
+ 		vim_free(dfree);
+ 	    }
+-	    else
+
+	    // mark_adjust() may have made "dp" invalid.  We don't know where
+	    // to continue then, bail out.
+	    if (added != 0 && !valid_diff(dp))
+		break;
+
+	    if (dfree == NULL)
+ 		// mark_adjust() may have changed the count in a wrong way
+ 		dp->df_count[idx_to] = new_count;
+ 
+-- 
+2.27.0
+
--- a/vim.spec
+++ b/vim.spec
@ -12,7 +12,7 @@
 Name:           vim
 Epoch:          2
 Version:        8.2
-Release:        52
+Release:        53
 Summary:        Vim is a highly configurable text editor for efficiently creating and changing any kind of text.
 License:        Vim and MIT
 URL:            http://www.vim.org
@ -154,6 +154,7 @@ Patch6117:      backport-CVE-2022-2286.patch
 Patch6118:      backport-CVE-2022-2287.patch
 Patch6119:      backport-patch-9.0.0022-spell-test-fails.patch
 Patch6120: 	backport-CVE-2022-2210.patch
+Patch6121:      backport-CVE-2022-2289.patch

 Patch9000:      bugfix-rm-modify-info-version.patch

@ -542,6 +543,12 @@ popd
 %{_mandir}/man1/evim.*

 %changelog
+* Fri Jul 15 2022 shangyibin <shangyibin1@h-partners.com> - 2:8.2-53
+- Type:CVE
+- ID:CVE-2022-2289
+- SUG:NA
+- DESC:fix CVE-2022-2289
+
 * Wed Jul 13 2022 yanglongkang <yanglongkang@h-partners.com> - 2:8.2-52
 - Type:CVE
 - ID:CVE-2022-2210