rpms/vim
5
0
Fork 0
Code Issues Pull Requests Releases Activity

CVE-2022-0554 vim: Use of Out-of-range Pointer Offset in vim prior

Browse Source 
Resolves: CVE-2022-0554
This commit is contained in:
Zdenek Dohnal 2022-03-28 19:01:13 +02:00
parent 4704df36f2
commit 27c905a9a9
2 changed files with 116 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

110
0001-patch-8.2.4327-may-end-up-with-no-current-buffer.patch Normal file
View File

@ -0,0 +1,110 @@
From e3537aec2f8d6470010547af28dcbd83d41461b8 Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Tue, 8 Feb 2022 15:05:20 +0000
Subject: [PATCH] patch 8.2.4327: may end up with no current buffer
Problem: May end up with no current buffer.
Solution: When deleting the current buffer to not pick a quickfix buffer as
the new current buffer.
---
src/buffer.c | 26 ++++++++++++++++++++++----
src/testdir/test_quickfix.vim | 25 +++++++++++++++++++++++++
src/version.c | 2 ++
3 files changed, 49 insertions(+), 4 deletions(-)
diff --git a/src/buffer.c b/src/buffer.c
index 81bdb31ca..b3e2bc3f9 100644
--- a/src/buffer.c
+++ b/src/buffer.c
@@ -1430,8 +1430,14 @@ do_buffer_ext(
buf = buflist_findnr(curwin->w_jumplist[jumpidx].fmark.fnum);
if (buf != NULL)
{
- if (buf == curbuf || !buf->b_p_bl)
- buf = NULL; // skip current and unlisted bufs
+ // Skip current and unlisted bufs. Also skip a quickfix
+ // buffer, it might be deleted soon.
+ if (buf == curbuf || !buf->b_p_bl
+#if defined(FEAT_QUICKFIX)
+ || bt_quickfix(buf)
+#endif
+ )
+ buf = NULL;
else if (buf->b_ml.ml_mfp == NULL)
{
// skip unloaded buf, but may keep it for later
@@ -1467,7 +1473,11 @@ do_buffer_ext(
continue;
}
// in non-help buffer, try to skip help buffers, and vv
- if (buf->b_help == curbuf->b_help && buf->b_p_bl)
+ if (buf->b_help == curbuf->b_help && buf->b_p_bl
+#if defined(FEAT_QUICKFIX)
+ && !bt_quickfix(buf)
+#endif
+ )
{
if (buf->b_ml.ml_mfp != NULL) // found loaded buffer
break;
@@ -1485,7 +1495,11 @@ do_buffer_ext(
if (buf == NULL) // No loaded buffer, find listed one
{
FOR_ALL_BUFFERS(buf)
- if (buf->b_p_bl && buf != curbuf)
+ if (buf->b_p_bl && buf != curbuf
+#if defined(FEAT_QUICKFIX)
+ && !bt_quickfix(buf)
+#endif
+ )
break;
}
if (buf == NULL) // Still no buffer, just take one
@@ -1494,6 +1508,10 @@ do_buffer_ext(
buf = curbuf->b_next;
else
buf = curbuf->b_prev;
+#if defined(FEAT_QUICKFIX)
+ if (bt_quickfix(buf))
+ buf = NULL;
+#endif
}
}
diff --git a/src/testdir/test_quickfix.vim b/src/testdir/test_quickfix.vim
index 07fdb9644..adb0ea4fd 100644
--- a/src/testdir/test_quickfix.vim
+++ b/src/testdir/test_quickfix.vim
@@ -5851,5 +5851,30 @@ func Test_lopen_bwipe()
delfunc R
endfunc
+" Another sequence of commands that caused all buffers to be wiped out
+func Test_lopen_bwipe_all()
+ let lines =<< trim END
+ func R()
+ silent! tab lopen
+ e foo
+ silent! lfile
+ endfunc
+ cal R()
+ exe "norm \<C-W>\<C-V>0"
+ cal R()
+ bwipe
+
+ call writefile(['done'], 'Xresult')
+ qall!
+ END
+ call writefile(lines, 'Xscript')
+ if RunVim([], [], '-u NONE -n -X -Z -e -m -s -S Xscript')
+ call assert_equal(['done'], readfile('Xresult'))
+ endif
+
+ call delete('Xscript')
+ call delete('Xresult')
+endfunc
+
" vim: shiftwidth=2 sts=2 expandtab
--
2.35.1

7
vim.spec
View File

@ -27,7 +27,7 @@ Summary: The VIM editor
URL: http://www.vim.org/ URL: http://www.vim.org/
Name: vim Name: vim
Version: %{baseversion}.%{patchlevel} Version: %{baseversion}.%{patchlevel}
Release: 15%{?dist} Release: 16%{?dist}
License: Vim and MIT License: Vim and MIT
Source0: ftp://ftp.vim.org/pub/vim/unix/vim-%{baseversion}-%{patchlevel}.tar.bz2 Source0: ftp://ftp.vim.org/pub/vim/unix/vim-%{baseversion}-%{patchlevel}.tar.bz2
Source1: virc Source1: virc
@ -116,6 +116,7 @@ Patch3041: 0001-patch-8.2.4359-crash-when-repeatedly-using-retab.patch
Patch3042: 0001-patch-8.2.4397-crash-when-using-many-composing-chara.patch Patch3042: 0001-patch-8.2.4397-crash-when-using-many-composing-chara.patch
# CVE-2022-0714 vim: buffer overflow [rhel-9] # CVE-2022-0714 vim: buffer overflow [rhel-9]
Patch3043: 0001-patch-8.2.4436-crash-with-weird-vartabstop-value.patch Patch3043: 0001-patch-8.2.4436-crash-with-weird-vartabstop-value.patch
Patch3044: 0001-patch-8.2.4327-may-end-up-with-no-current-buffer.patch
# gcc is no longer in buildroot by default # gcc is no longer in buildroot by default
BuildRequires: gcc BuildRequires: gcc
@ -346,6 +347,7 @@ perl -pi -e "s,bin/nawk,bin/awk,g" runtime/tools/mve.awk
%patch3041 -p1 -b .cve0572 %patch3041 -p1 -b .cve0572
%patch3042 -p1 -b .cve0629 %patch3042 -p1 -b .cve0629
%patch3043 -p1 -b .cve0714 %patch3043 -p1 -b .cve0714
%patch3044 -p1 -b .cve0554
%build %build
cd src cd src
@ -903,6 +905,9 @@ touch %{buildroot}/%{_datadir}/%{name}/vimfiles/doc/tags
%endif %endif
%changelog %changelog
* Mon Mar 28 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.2.2637-16
- CVE-2022-0554 vim: Use of Out-of-range Pointer Offset in vim prior
* Thu Feb 24 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.2.2637-15 * Thu Feb 24 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.2.2637-15
- CVE-2022-0714 vim: buffer overflow [rhel-9] - CVE-2022-0714 vim: buffer overflow [rhel-9]