rpms/vim
6
0
Fork 0
Code Issues Pull Requests Releases Activity

CVE-2022-0943 vim: Heap-based Buffer Overflow occurs in vim

Browse Source 
Resolves: CVE-2022-0943
This commit is contained in:
Zdenek Dohnal 2022-03-28 21:13:04 +02:00
parent 27c905a9a9
commit 13ff67f4d3
2 changed files with 44 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

39
0001-patch-8.2.4563-z-in-Visual-mode-may-go-beyond-the-en.patch Normal file
View File

@ -0,0 +1,39 @@
diff -up vim82/src/spellsuggest.c.cve0943 vim82/src/spellsuggest.c
--- vim82/src/spellsuggest.c.cve0943 2022-03-28 20:48:07.079197805 +0200
+++ vim82/src/spellsuggest.c 2022-03-28 20:48:07.101197522 +0200
@@ -501,6 +501,10 @@ spell_suggest(int count)
curwin->w_cursor.col = VIsual.col;
++badlen;
end_visual_mode();
+ // make sure we don't include the NUL at the end of the line
+ line = ml_get_curline();
+ if (badlen > STRLEN(line) - curwin->w_cursor.col)
+ badlen = STRLEN(line) - curwin->w_cursor.col;
}
// Find the start of the badly spelled word.
else if (spell_move_to(curwin, FORWARD, TRUE, TRUE, NULL) == 0
diff -up vim82/src/testdir/test_spell.vim.cve0943 vim82/src/testdir/test_spell.vim
--- vim82/src/testdir/test_spell.vim.cve0943 2022-03-28 20:48:07.102197509 +0200
+++ vim82/src/testdir/test_spell.vim 2022-03-28 20:49:05.038452974 +0200
@@ -441,6 +441,21 @@ func Test_spellsuggest_expr_errors()
delfunc MySuggest3
endfunc
+func Test_spellsuggest_visual_end_of_line()
+ let enc_save = &encoding
+ set encoding=iso8859
+
+ " This was reading beyond the end of the line.
+ norm R00000000000
+ sil norm 0
+ sil! norm i00000)
+ sil! norm i00000)
+ call feedkeys("\<CR>")
+ norm z=
+
+ let &encoding = enc_save
+endfunc
+
func Test_spellinfo()
new
let runtime = substitute($VIMRUNTIME, '\\', '/', 'g')

5
vim.spec
View File

@ -116,7 +116,10 @@ Patch3041: 0001-patch-8.2.4359-crash-when-repeatedly-using-retab.patch
Patch3042: 0001-patch-8.2.4397-crash-when-using-many-composing-chara.patch Patch3042: 0001-patch-8.2.4397-crash-when-using-many-composing-chara.patch
# CVE-2022-0714 vim: buffer overflow [rhel-9] # CVE-2022-0714 vim: buffer overflow [rhel-9]
Patch3043: 0001-patch-8.2.4436-crash-with-weird-vartabstop-value.patch Patch3043: 0001-patch-8.2.4436-crash-with-weird-vartabstop-value.patch
# CVE-2022-0554 vim: Use of Out-of-range Pointer Offset in vim prior
Patch3044: 0001-patch-8.2.4327-may-end-up-with-no-current-buffer.patch Patch3044: 0001-patch-8.2.4327-may-end-up-with-no-current-buffer.patch
# CVE-2022-0943 vim: Heap-based Buffer Overflow occurs in vim
Patch3045: 0001-patch-8.2.4563-z-in-Visual-mode-may-go-beyond-the-en.patch
# gcc is no longer in buildroot by default # gcc is no longer in buildroot by default
BuildRequires: gcc BuildRequires: gcc
@ -348,6 +351,7 @@ perl -pi -e "s,bin/nawk,bin/awk,g" runtime/tools/mve.awk
%patch3042 -p1 -b .cve0629 %patch3042 -p1 -b .cve0629
%patch3043 -p1 -b .cve0714 %patch3043 -p1 -b .cve0714
%patch3044 -p1 -b .cve0554 %patch3044 -p1 -b .cve0554
%patch3045 -p1 -b .cve0943
%build %build
cd src cd src
@ -907,6 +911,7 @@ touch %{buildroot}/%{_datadir}/%{name}/vimfiles/doc/tags
%changelog %changelog
* Mon Mar 28 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.2.2637-16 * Mon Mar 28 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.2.2637-16
- CVE-2022-0554 vim: Use of Out-of-range Pointer Offset in vim prior - CVE-2022-0554 vim: Use of Out-of-range Pointer Offset in vim prior
- CVE-2022-0943 vim: Heap-based Buffer Overflow occurs in vim
* Thu Feb 24 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.2.2637-15 * Thu Feb 24 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.2.2637-15
- CVE-2022-0714 vim: buffer overflow [rhel-9] - CVE-2022-0714 vim: buffer overflow [rhel-9]