!25 fix CVE-2021-3770

From: @tong_1001
Reviewed-by: @xiezhipeng1
Signed-off-by: @xiezhipeng1

backport-CVE-2021-3770.patch

@@ -0,0 +1,206 @@
+From b7081e135a16091c93f6f5f7525a5c58fb7ca9f9 Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Sat, 4 Sep 2021 18:47:28 +0200
+Subject: [PATCH] patch 8.2.3402: invalid memory access when using :retab with
+ large value
+
+Problem:    Invalid memory access when using :retab with large value.
+Solution:   Check the number is positive.
+---
+ src/indent.c               | 34 +++++++++++++++++++++-------------
+ src/option.c               | 12 ++++++------
+ src/optionstr.c            |  4 ++--
+ src/testdir/test_retab.vim |  3 +++
+ src/version.c              |  2 ++
+ 5 files changed, 34 insertions(+), 21 deletions(-)
+
+diff --git a/src/indent.c b/src/indent.c
+index 32f1e12..7e196c2 100644
+--- a/src/indent.c
++++ b/src/indent.c
+@@ -18,18 +18,19 @@
+ /*
+  * Set the integer values corresponding to the string setting of 'vartabstop'.
+  * "array" will be set, caller must free it if needed.
++ * Return FAIL for an error.
+  */
+     int
+ tabstop_set(char_u *var, int **array)
+ {
+-    int valcount = 1;
+-    int t;
+-    char_u *cp;
++    int	    valcount = 1;
++    int	    t;
++    char_u  *cp;
+ 
+     if (var[0] == NUL || (var[0] == '0' && var[1] == NUL))
+     {
+ 	*array = NULL;
+-	return TRUE;
++	return OK;
+     }
+ 
+     for (cp = var; *cp != NUL; ++cp)
+@@ -43,8 +44,8 @@ tabstop_set(char_u *var, int **array)
+ 		if (cp != end)
+ 		    emsg(_(e_positive));
+ 		else
+-		    emsg(_(e_invarg));
+-		return FALSE;
++		    semsg(_(e_invarg2), cp);
++		return FAIL;
+ 	    }
+ 	}
+ 
+@@ -55,26 +56,33 @@ tabstop_set(char_u *var, int **array)
+ 	    ++valcount;
+ 	    continue;
+ 	}
+-	emsg(_(e_invarg));
+-	return FALSE;
++	semsg(_(e_invarg2), var);
++	return FAIL;
+     }
+ 
+     *array = ALLOC_MULT(int, valcount + 1);
+     if (*array == NULL)
+-	return FALSE;
++	return FAIL;
+     (*array)[0] = valcount;
+ 
+     t = 1;
+     for (cp = var; *cp != NUL;)
+     {
+-	(*array)[t++] = atoi((char *)cp);
+-	while (*cp  != NUL && *cp != ',')
++	int n = atoi((char *)cp);
++
++	if (n < 0 || n > 9999)
++	{
++	    semsg(_(e_invarg2), cp);
++	    return FAIL;
++	}
++	(*array)[t++] = n;
++	while (*cp != NUL && *cp != ',')
+ 	    ++cp;
+ 	if (*cp != NUL)
+ 	    ++cp;
+     }
+ 
+-    return TRUE;
++    return OK;
+ }
+ 
+ /*
+@@ -1556,7 +1564,7 @@ ex_retab(exarg_T *eap)
+ 
+ #ifdef FEAT_VARTABS
+     new_ts_str = eap->arg;
+-    if (!tabstop_set(eap->arg, &new_vts_array))
++    if (tabstop_set(eap->arg, &new_vts_array) == FAIL)
+ 	return;
+     while (vim_isdigit(*(eap->arg)) || *(eap->arg) == ',')
+ 	++(eap->arg);
+diff --git a/src/option.c b/src/option.c
+index 5c99c69..e9598d6 100644
+--- a/src/option.c
++++ b/src/option.c
+@@ -2292,9 +2292,9 @@ didset_options2(void)
+ #endif
+ #ifdef FEAT_VARTABS
+     vim_free(curbuf->b_p_vsts_array);
+-    tabstop_set(curbuf->b_p_vsts, &curbuf->b_p_vsts_array);
++    (void)tabstop_set(curbuf->b_p_vsts, &curbuf->b_p_vsts_array);
+     vim_free(curbuf->b_p_vts_array);
+-    tabstop_set(curbuf->b_p_vts,  &curbuf->b_p_vts_array);
++    (void)tabstop_set(curbuf->b_p_vts,  &curbuf->b_p_vts_array);
+ #endif
+ }
+ 
+@@ -5756,7 +5756,7 @@ buf_copy_options(buf_T *buf, int flags)
+ 	    buf->b_p_vsts = vim_strsave(p_vsts);
+ 	    COPY_OPT_SCTX(buf, BV_VSTS);
+ 	    if (p_vsts && p_vsts != empty_option)
+-		tabstop_set(p_vsts, &buf->b_p_vsts_array);
++		(void)tabstop_set(p_vsts, &buf->b_p_vsts_array);
+ 	    else
+ 		buf->b_p_vsts_array = 0;
+ 	    buf->b_p_vsts_nopaste = p_vsts_nopaste
+@@ -5914,7 +5914,7 @@ buf_copy_options(buf_T *buf, int flags)
+ 		buf->b_p_isk = save_p_isk;
+ #ifdef FEAT_VARTABS
+ 		if (p_vts && p_vts != empty_option && !buf->b_p_vts_array)
+-		    tabstop_set(p_vts, &buf->b_p_vts_array);
++		    (void)tabstop_set(p_vts, &buf->b_p_vts_array);
+ 		else
+ 		    buf->b_p_vts_array = NULL;
+ #endif
+@@ -5929,7 +5929,7 @@ buf_copy_options(buf_T *buf, int flags)
+ 		buf->b_p_vts = vim_strsave(p_vts);
+ 		COPY_OPT_SCTX(buf, BV_VTS);
+ 		if (p_vts && p_vts != empty_option && !buf->b_p_vts_array)
+-		    tabstop_set(p_vts, &buf->b_p_vts_array);
++		    (void)tabstop_set(p_vts, &buf->b_p_vts_array);
+ 		else
+ 		    buf->b_p_vts_array = NULL;
+ #endif
+@@ -6634,7 +6634,7 @@ paste_option_changed(void)
+ 	    if (buf->b_p_vsts_array)
+ 		vim_free(buf->b_p_vsts_array);
+ 	    if (buf->b_p_vsts && buf->b_p_vsts != empty_option)
+-		tabstop_set(buf->b_p_vsts, &buf->b_p_vsts_array);
++		(void)tabstop_set(buf->b_p_vsts, &buf->b_p_vsts_array);
+ 	    else
+ 		buf->b_p_vsts_array = 0;
+ #endif
+diff --git a/src/optionstr.c b/src/optionstr.c
+index 98e90a4..383babe 100644
+--- a/src/optionstr.c
++++ b/src/optionstr.c
+@@ -2166,7 +2166,7 @@ did_set_string_option(
+ 	    if (errmsg == NULL)
+ 	    {
+ 		int *oldarray = curbuf->b_p_vsts_array;
+-		if (tabstop_set(*varp, &(curbuf->b_p_vsts_array)))
++		if (tabstop_set(*varp, &(curbuf->b_p_vsts_array)) == OK)
+ 		{
+ 		    if (oldarray)
+ 			vim_free(oldarray);
+@@ -2205,7 +2205,7 @@ did_set_string_option(
+ 	    {
+ 		int *oldarray = curbuf->b_p_vts_array;
+ 
+-		if (tabstop_set(*varp, &(curbuf->b_p_vts_array)))
++		if (tabstop_set(*varp, &(curbuf->b_p_vts_array)) == OK)
+ 		{
+ 		    vim_free(oldarray);
+ #ifdef FEAT_FOLDING
+diff --git a/src/testdir/test_retab.vim b/src/testdir/test_retab.vim
+index f11a32b..e7b8946 100644
+--- a/src/testdir/test_retab.vim
++++ b/src/testdir/test_retab.vim
+@@ -74,4 +74,7 @@ endfunc
+ func Test_retab_error()
+   call assert_fails('retab -1',  'E487:')
+   call assert_fails('retab! -1', 'E487:')
++  call assert_fails('ret -1000', 'E487:')
++  call assert_fails('ret 10000', 'E475:')
++  call assert_fails('ret 80000000000000000000', 'E475:')
+ endfunc
+diff --git a/src/version.c b/src/version.c
+index 3ef6259..8912f62 100644
+--- a/src/version.c
++++ b/src/version.c
+@@ -743,6 +743,8 @@ static char *(features[]) =
+ static int included_patches[] =
+ {   /* Add new patch number below this line */
+ /**/
++    3402,
++/**/
+     0
+ };
+ 
+-- 
+1.8.3.1
+

backport-memory-leak-for-retab-with-invalid-argument.patch

@@ -0,0 +1,66 @@
+From 2ddb89f8a94425cda1e5491efc80c1ccccb6e08e Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Sat, 4 Sep 2021 21:20:41 +0200
+Subject: [PATCH] patch 8.2.3403: memory leak for :retab with invalid argument
+
+Problem:    Memory leak for :retab with invalid argument.
+Solution:   Free the memory.  Make error messages consistent.
+---
+ src/indent.c  | 13 +++++++++++--
+ src/version.c |  2 ++
+ 2 files changed, 13 insertions(+), 2 deletions(-)
+
+diff --git a/src/indent.c b/src/indent.c
+index 7e196c2..7d04373 100644
+--- a/src/indent.c
++++ b/src/indent.c
+@@ -70,9 +70,12 @@ tabstop_set(char_u *var, int **array)
+     {
+ 	int n = atoi((char *)cp);
+ 
++	// Catch negative values, overflow and ridiculous big values.
+ 	if (n < 0 || n > 9999)
+ 	{
+ 	    semsg(_(e_invarg2), cp);
++	    vim_free(*array);
++	    *array = NULL;
+ 	    return FAIL;
+ 	}
+ 	(*array)[t++] = n;
+@@ -1580,12 +1583,18 @@ ex_retab(exarg_T *eap)
+     else
+ 	new_ts_str = vim_strnsave(new_ts_str, eap->arg - new_ts_str);
+ #else
+-    new_ts = getdigits(&(eap->arg));
+-    if (new_ts < 0)
++    ptr = eap->arg;
++    new_ts = getdigits(&ptr);
++    if (new_ts < 0 && *eap->arg == '-')
+     {
+ 	emsg(_(e_positive));
+ 	return;
+     }
++    if (new_ts < 0 || new_ts > 9999)
++    {
++	semsg(_(e_invarg2), eap->arg);
++	return;
++    }
+     if (new_ts == 0)
+ 	new_ts = curbuf->b_p_ts;
+ #endif
+diff --git a/src/version.c b/src/version.c
+index 8912f62..f8e4561 100644
+--- a/src/version.c
++++ b/src/version.c
+@@ -743,6 +743,8 @@ static char *(features[]) =
+ static int included_patches[] =
+ {   /* Add new patch number below this line */
+ /**/
++    3403,
++/**/
+     3402,
+ /**/
+     0
+-- 
+1.8.3.1
+

vim.spec

@@ -12,7 +12,7 @@
 Name:           vim
 Epoch:          2
 Version:        8.2
-Release:        9
+Release:        10
 Summary:        Vim is a highly configurable text editor for efficiently creating and changing any kind of text.
 License:        Vim and MIT
 URL:            http://www.vim.org
@@ -36,6 +36,8 @@ Patch0013:	Fix-vim-lua5.4.0-defines+luaL_typeerror-twice.patch
 Patch0014:	backport-Fix-build-failuers-with-perl-5.32.patch
 Patch6000:      backport-Configure-does-not-recognize-gcc-10.0-and-later.patch
 Patch6001:      backport-8.2.2550-signal-stack-size-is-wrong-with-lates.patch
+Patch6002:      backport-CVE-2021-3770.patch
+Patch6003:      backport-memory-leak-for-retab-with-invalid-argument.patch
 
 Patch9000:      bugfix-rm-modify-info-version.patch
 
@@ -424,6 +426,12 @@ popd
 %{_mandir}/man1/evim.*
 
 %changelog
+* Sat Sep 11 2021 shixuantong<shixuantong@huawei> - 2:8.2-10
+- Type:CVE
+- ID:NA
+- SUG:NA
+- DESC:fix CVE-2021-3770
+
 * Tue Aug 10 2021 shixuantong<shixuantong@huawei> - 2:8.2-9
 - Type:bugfix
 - ID:NA