fix CVE-2022-2126

(cherry picked from commit 913057a1532dea2e2b2a7d185ef45fd64056523c)
2022-06-29 19:26:49 +08:00 · 2022-06-29 19:26:49 +08:00 · e631ac7e55
commit e631ac7e55
parent c7a07b374f
5 changed files with 2042 additions and 1 deletions
--- a/backport-CVE-2022-2126.patch
+++ b/backport-CVE-2022-2126.patch
@ -0,0 +1,51 @@
+From 156d3911952d73b03d7420dc3540215247db0fe8 Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Sat, 18 Jun 2022 14:09:08 +0100
+Subject: [PATCH] patch 8.2.5123: using invalid index when looking for spell
+ suggestions
+
+Problem:    Using invalid index when looking for spell suggestions.
+Solution:   Do not decrement the index when it is zero.
+---
+ src/spellsuggest.c         |  3 ++-
+ src/testdir/test_spell.vim | 10 ++++++++++
+ 2 files changed, 12 insertions(+), 1 deletion(-)
+
+diff --git a/src/spellsuggest.c b/src/spellsuggest.c
+index 2b7d13b..379d9ba 100644
+--- a/src/spellsuggest.c
+++ b/src/spellsuggest.c
+@@ -1944,7 +1944,8 @@ suggest_trie_walk(
+ 			    sp->ts_isdiff = (newscore != 0)
+ 						       ? DIFF_YES : DIFF_NONE;
+ 			}
+-			else if (sp->ts_isdiff == DIFF_INSERT)
+			else if (sp->ts_isdiff == DIFF_INSERT
+							    && sp->ts_fidx > 0)
+ 			    // When inserting trail bytes don't advance in the
+ 			    // bad word.
+ 			    --sp->ts_fidx;
+diff --git a/src/testdir/test_spell.vim b/src/testdir/test_spell.vim
+index c09137a..b6117aa 100644
+--- a/src/testdir/test_spell.vim
+++ b/src/testdir/test_spell.vim
+@@ -70,6 +70,16 @@ func Test_z_equal_on_invalid_utf8_word()
+   bwipe!
+ endfunc
+ 
+func Test_z_equal_on_single_character()
+  " this was decrementing the index below zero
+  new
+  norm a0\Ê
+  norm zW
+  norm z=
+
+  bwipe!
+endfunc
+
+ " Test spellbadword() with argument
+ func Test_spellbadword()
+   set spell
+-- 
+1.8.3.1
+
--- a/backport-patch-8.2.1354-test-59-is-old-style.patch
+++ b/backport-patch-8.2.1354-test-59-is-old-style.patch
--- a/backport-patch-8.2.3484-crash-when-going-through-spell-sugges.patch
+++ b/backport-patch-8.2.3484-crash-when-going-through-spell-sugges.patch
@ -0,0 +1,72 @@
+From e275ba4fc994474155fbafe8b87a6d3b477456ba Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Wed, 6 Oct 2021 13:41:07 +0100
+Subject: [PATCH] patch 8.2.3484: crash when going through spell suggestions
+
+Problem:    Crash when going through spell suggestions.
+Solution:   Limit the text length for finding suggestions to the original
+length.  Do not update buffers when exiting. (closes #8965)
+---
+ src/spellsuggest.c              |  5 +++++
+ src/testdir/test_spell_utf8.vim | 16 ++++++++++++++++
+ src/ui.c                        |  3 ++-
+ 3 files changed, 23 insertions(+), 1 deletion(-)
+
+diff --git a/src/spellsuggest.c b/src/spellsuggest.c
+index 0171a5b..0f833f5 100644
+--- a/src/spellsuggest.c
+++ b/src/spellsuggest.c
+@@ -1169,6 +1169,11 @@ suggest_try_change(suginfo_T *su)
+     p = su->su_badptr + su->su_badlen;
+     (void)spell_casefold(p, (int)STRLEN(p), fword + n, MAXWLEN - n);
+ 
+    // Make sure the resulting text is not longer than the original text.
+    n = (int)STRLEN(su->su_badptr);
+    if (n < MAXWLEN)
+	fword[n] = NUL;
+
+     for (lpi = 0; lpi < curwin->w_s->b_langp.ga_len; ++lpi)
+     {
+ 	lp = LANGP_ENTRY(curwin->w_s->b_langp, lpi);
+diff --git a/src/testdir/test_spell_utf8.vim b/src/testdir/test_spell_utf8.vim
+index 1f561e4..79dc3e4 100644
+--- a/src/testdir/test_spell_utf8.vim
+++ b/src/testdir/test_spell_utf8.vim
+@@ -765,4 +765,20 @@ func Test_spellfile_value()
+   set spellfile=Xdir/Xtest.utf-8.add,Xtest_other.add
+ endfunc
+ 
+func Test_no_crash_with_weird_text()
+  new
+  let lines =<< trim END
+      r<sfile>
+      
+
+
+      
+  END
+  call setline(1, lines)
+  exe "%norm \<C-v>ez=>\<C-v>wzG"
+
+  bwipe!
+endfunc
+
+
+ " vim: shiftwidth=2 sts=2 expandtab
+diff --git a/src/ui.c b/src/ui.c
+index 7ec1e56..8d6f681 100644
+--- a/src/ui.c
+++ b/src/ui.c
+@@ -868,7 +868,8 @@ clip_lose_selection(Clipboard_T *cbd)
+ 					    || get_real_state() == SELECTMODE)
+ 		&& (cbd == &clip_star ?
+ 				clip_isautosel_star() : clip_isautosel_plus())
+-		&& HL_ATTR(HLF_V) != HL_ATTR(HLF_VNC))
+		&& HL_ATTR(HLF_V) != HL_ATTR(HLF_VNC)
+		&& !exiting)
+ 	{
+ 	    update_curbuf(INVERTED_ALL);
+ 	    setcursor();
+-- 
+1.8.3.1
+
--- a/backport-patch-8.2.5007-spell-suggestion-may-use-uninitialize.patch
+++ b/backport-patch-8.2.5007-spell-suggestion-may-use-uninitialize.patch
@ -0,0 +1,95 @@
+From 6d24b4ff69913270ce1e5267dd6bd8454f75e2b9 Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Mon, 23 May 2022 12:01:50 +0100
+Subject: [PATCH] patch 8.2.5007: spell suggestion may use uninitialized memory
+
+Problem:    Spell suggestion may use uninitialized memory. (Zdenek Dohnal)
+Solution:   Avoid going over the end of the word.
+---
+ src/spellsuggest.c              |  3 ++-
+ src/testdir/test_spell_utf8.vim | 23 ++++++++++++++++++++---
+ 2 files changed, 22 insertions(+), 4 deletions(-)
+
+diff --git a/src/spellsuggest.c b/src/spellsuggest.c
+index 0f833f5..2b7d13b 100644
+--- a/src/spellsuggest.c
+++ b/src/spellsuggest.c
+@@ -1924,7 +1924,8 @@ suggest_trie_walk(
+ #endif
+ 		    ++depth;
+ 		    sp = &stack[depth];
+-		    ++sp->ts_fidx;
+		    if (fword[sp->ts_fidx] != NUL)
+			++sp->ts_fidx;
+ 		    tword[sp->ts_twordlen++] = c;
+ 		    sp->ts_arridx = idxs[arridx];
+ 		    if (newscore == SCORE_SUBST)
+diff --git a/src/testdir/test_spell_utf8.vim b/src/testdir/test_spell_utf8.vim
+index 79dc3e4..491a406 100644
+--- a/src/testdir/test_spell_utf8.vim
+++ b/src/testdir/test_spell_utf8.vim
+@@ -629,7 +629,7 @@ func Test_spell_affix()
+         \ ["bar", "barbork", "end", "fooa1", "fooa\u00E9", "nouend", "prebar", "prebarbork", "start"],
+         \ [
+         \   ["bad", ["bar", "end", "fooa1"]],
+-        \   ["foo", ["fooa1", "fooa\u00E9", "bar"]],
+        \   ["foo", ["fooa1", "bar", "end"]],
+         \   ["fooa2", ["fooa1", "fooa\u00E9", "bar"]],
+         \   ["prabar", ["prebar", "bar", "bar bar"]],
+         \   ["probarbirk", ["prebarbork"]],
+@@ -647,7 +647,7 @@ func Test_spell_affix()
+         \ ["bar", "barbork", "end", "lead", "meea1", "meea\u00E9", "prebar", "prebarbork"],
+         \ [
+         \   ["bad", ["bar", "end", "lead"]],
+-        \   ["mee", ["meea1", "meea\u00E9", "bar"]],
+        \   ["mee", ["meea1", "bar", "end"]],
+         \   ["meea2", ["meea1", "meea\u00E9", "lead"]],
+         \   ["prabar", ["prebar", "bar", "leadbar"]],
+         \   ["probarbirk", ["prebarbork"]],
+@@ -664,7 +664,7 @@ func Test_spell_affix()
+         \ ["bar", "barmeat", "lead", "meea1", "meea\u00E9", "meezero", "prebar", "prebarmeat", "tail"],
+         \ [
+         \   ["bad", ["bar", "lead", "tail"]],
+-        \   ["mee", ["meea1", "meea\u00E9", "bar"]],
+        \   ["mee", ["meea1", "bar", "lead"]],
+         \   ["meea2", ["meea1", "meea\u00E9", "lead"]],
+         \   ["prabar", ["prebar", "bar", "leadbar"]],
+         \   ["probarmaat", ["prebarmeat"]],
+@@ -758,11 +758,15 @@ func Test_spell_sal_and_addition()
+   set spl=Xtest_ca.utf-8.spl
+   call assert_equal("elequint", FirstSpellWord())
+   call assert_equal("elekwint", SecondSpellWord())
+
+  set spellfile=
+  set spl&
+ endfunc
+ 
+ func Test_spellfile_value()
+   set spellfile=Xdir/Xtest.utf-8.add
+   set spellfile=Xdir/Xtest.utf-8.add,Xtest_other.add
+  set spellfile=
+ endfunc
+ 
+ func Test_no_crash_with_weird_text()
+@@ -780,5 +784,18 @@ func Test_no_crash_with_weird_text()
+   bwipe!
+ endfunc
+ 
+" This was going over the end of the word
+func Test_word_index()
+  new
+  norm R0
+  spellgood! ﬂ0
+  sil norm z=
+
+  bwipe!
+  " clear the word list
+  set enc=utf-8
+  call delete('Xtmpfile')
+endfunc
+
+ 
+ " vim: shiftwidth=2 sts=2 expandtab
+-- 
+1.8.3.1
+
--- a/vim.spec
+++ b/vim.spec
@ -12,7 +12,7 @@
 Name:           vim
 Epoch:          2
 Version:        8.2
-Release:        45
+Release:        46
 Summary:        Vim is a highly configurable text editor for efficiently creating and changing any kind of text.
 License:        Vim and MIT
 URL:            http://www.vim.org
@ -125,6 +125,10 @@ Patch6088:      backport-CVE-2022-1771.patch
 Patch6089:      backport-CVE-2022-2124.patch
 Patch6090:      backport-CVE-2022-2175.patch
 Patch6091:      backport-patch-8.2.5149-cannot-build-without-the-eval-feature.patch
+Patch6092:      backport-patch-8.2.1354-test-59-is-old-style.patch
+Patch6093:      backport-patch-8.2.3484-crash-when-going-through-spell-sugges.patch
+Patch6094:      backport-patch-8.2.5007-spell-suggestion-may-use-uninitialize.patch
+Patch6095:      backport-CVE-2022-2126.patch

 Patch9000:      bugfix-rm-modify-info-version.patch

@ -513,6 +517,12 @@ popd
 %{_mandir}/man1/evim.*

 %changelog
+* Wed Jun 29 2022 shixuantong <shixuantong@h-partners.com> - 2:8.2-46
+- Type:CVE
+- ID:CVE-2022-2126
+- SUG:NA
+- DESC:fix CVE-2022-2126
+
 * Tue Jun 28 2022 renhongxun <renhongxun@h-partners.com> - 2:8.2-45
 - Type:CVE
 - ID:CVE-2022-2175