CVE-2022-0554 vim: Use of Out-of-range Pointer Offset in vim prior

Resolves: CVE-2022-0554
2022-03-28 19:01:13 +02:00 · 2022-03-28 19:01:13 +02:00 · 27c905a9a9
commit 27c905a9a9
parent 4704df36f2
2 changed files with 116 additions and 1 deletions
--- a/0001-patch-8.2.4327-may-end-up-with-no-current-buffer.patch
+++ b/0001-patch-8.2.4327-may-end-up-with-no-current-buffer.patch
@ -0,0 +1,110 @@
+From e3537aec2f8d6470010547af28dcbd83d41461b8 Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Tue, 8 Feb 2022 15:05:20 +0000
+Subject: [PATCH] patch 8.2.4327: may end up with no current buffer
+
+Problem:    May end up with no current buffer.
+Solution:   When deleting the current buffer to not pick a quickfix buffer as
+            the new current buffer.
+---
+ src/buffer.c                  | 26 ++++++++++++++++++++++----
+ src/testdir/test_quickfix.vim | 25 +++++++++++++++++++++++++
+ src/version.c                 |  2 ++
+ 3 files changed, 49 insertions(+), 4 deletions(-)
+
+diff --git a/src/buffer.c b/src/buffer.c
+index 81bdb31ca..b3e2bc3f9 100644
+--- a/src/buffer.c
+++ b/src/buffer.c
+@@ -1430,8 +1430,14 @@ do_buffer_ext(
+ 		buf = buflist_findnr(curwin->w_jumplist[jumpidx].fmark.fnum);
+ 		if (buf != NULL)
+ 		{
+-		    if (buf == curbuf || !buf->b_p_bl)
+-			buf = NULL;	// skip current and unlisted bufs
+		    // Skip current and unlisted bufs.  Also skip a quickfix
+		    // buffer, it might be deleted soon.
+		    if (buf == curbuf || !buf->b_p_bl
+#if defined(FEAT_QUICKFIX)
+			    || bt_quickfix(buf)
+#endif
+			    )
+			buf = NULL;
+ 		    else if (buf->b_ml.ml_mfp == NULL)
+ 		    {
+ 			// skip unloaded buf, but may keep it for later
+@@ -1467,7 +1473,11 @@ do_buffer_ext(
+ 		    continue;
+ 		}
+ 		// in non-help buffer, try to skip help buffers, and vv
+-		if (buf->b_help == curbuf->b_help && buf->b_p_bl)
+		if (buf->b_help == curbuf->b_help && buf->b_p_bl
+#if defined(FEAT_QUICKFIX)
+			    && !bt_quickfix(buf)
+#endif
+			   )
+ 		{
+ 		    if (buf->b_ml.ml_mfp != NULL)   // found loaded buffer
+ 			break;
+@@ -1485,7 +1495,11 @@ do_buffer_ext(
+ 	if (buf == NULL)	// No loaded buffer, find listed one
+ 	{
+ 	    FOR_ALL_BUFFERS(buf)
+-		if (buf->b_p_bl && buf != curbuf)
+		if (buf->b_p_bl && buf != curbuf
+#if defined(FEAT_QUICKFIX)
+			    && !bt_quickfix(buf)
+#endif
+		       )
+ 		    break;
+ 	}
+ 	if (buf == NULL)	// Still no buffer, just take one
+@@ -1494,6 +1508,10 @@ do_buffer_ext(
+ 		buf = curbuf->b_next;
+ 	    else
+ 		buf = curbuf->b_prev;
+#if defined(FEAT_QUICKFIX)
+	    if (bt_quickfix(buf))
+		buf = NULL;
+#endif
+ 	}
+     }
+ 
+diff --git a/src/testdir/test_quickfix.vim b/src/testdir/test_quickfix.vim
+index 07fdb9644..adb0ea4fd 100644
+--- a/src/testdir/test_quickfix.vim
+++ b/src/testdir/test_quickfix.vim
+@@ -5851,5 +5851,30 @@ func Test_lopen_bwipe()
+   delfunc R
+ endfunc
+ 
+" Another sequence of commands that caused all buffers to be wiped out
+func Test_lopen_bwipe_all()
+  let lines =<< trim END
+    func R()
+      silent! tab lopen
+      e foo
+      silent! lfile
+    endfunc
+    cal R()
+    exe "norm \<C-W>\<C-V>0"
+    cal R()
+    bwipe
+
+    call writefile(['done'], 'Xresult')
+    qall!
+  END
+  call writefile(lines, 'Xscript')
+  if RunVim([], [], '-u NONE -n -X -Z -e -m -s -S Xscript')
+    call assert_equal(['done'], readfile('Xresult'))
+  endif
+
+  call delete('Xscript')
+  call delete('Xresult')
+endfunc
+
+ 
+ " vim: shiftwidth=2 sts=2 expandtab
+-- 
+2.35.1
+
--- a/vim.spec
+++ b/vim.spec
@ -27,7 +27,7 @@ Summary: The VIM editor
 URL:     http://www.vim.org/
 Name: vim
 Version: %{baseversion}.%{patchlevel}
-Release: 15%{?dist}
+Release: 16%{?dist}
 License: Vim and MIT
 Source0: ftp://ftp.vim.org/pub/vim/unix/vim-%{baseversion}-%{patchlevel}.tar.bz2
 Source1: virc
@ -116,6 +116,7 @@ Patch3041: 0001-patch-8.2.4359-crash-when-repeatedly-using-retab.patch
 Patch3042: 0001-patch-8.2.4397-crash-when-using-many-composing-chara.patch
 # CVE-2022-0714 vim: buffer overflow [rhel-9]
 Patch3043: 0001-patch-8.2.4436-crash-with-weird-vartabstop-value.patch
+Patch3044: 0001-patch-8.2.4327-may-end-up-with-no-current-buffer.patch

 # gcc is no longer in buildroot by default
 BuildRequires: gcc
@ -346,6 +347,7 @@ perl -pi -e "s,bin/nawk,bin/awk,g" runtime/tools/mve.awk
 %patch3041 -p1 -b .cve0572
 %patch3042 -p1 -b .cve0629
 %patch3043 -p1 -b .cve0714
+%patch3044 -p1 -b .cve0554

 %build
 cd src
@ -903,6 +905,9 @@ touch %{buildroot}/%{_datadir}/%{name}/vimfiles/doc/tags
 %endif

 %changelog
+* Mon Mar 28 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.2.2637-16
+- CVE-2022-0554 vim: Use of Out-of-range Pointer Offset in vim prior
+
 * Thu Feb 24 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.2.2637-15
 - CVE-2022-0714 vim: buffer overflow [rhel-9]