RHEL-44652 vim-9.1.083-1.el10: RHEL SAST Automation: address 4 High impact true positive(s)
Resolves: RHEL-44652
parent
91bb413f10
commit
2882c25ede
@ -0,0 +1,61 @@
|
||||
From 39a94d20487794aeb722c21e84f8816e217f0cfe Mon Sep 17 00:00:00 2001
|
||||
From: Zdenek Dohnal <zdohnal@redhat.com>
|
||||
Date: Wed, 4 Dec 2024 20:16:17 +0100
|
||||
Subject: [PATCH] patch 9.1.0903: potential overflow in spell_soundfold_wsal()
|
||||
|
||||
Problem: potential overflow in spell_soundfold_wsal()
|
||||
Solution: Protect wres from buffer overflow, by checking the
|
||||
length (Zdenek Dohnal)
|
||||
|
||||
Error: OVERRUN (CWE-119):
|
||||
vim91/src/spell.c:3819: cond_const: Checking "reslen < 254" implies that
|
||||
"reslen" is 254 on the false branch.
|
||||
vim91/src/spell.c:3833: incr: Incrementing "reslen". The value of "reslen"
|
||||
is now 255.
|
||||
vim91/src/spell.c:3792: overrun-local: Overrunning array "wres" of 254
|
||||
4-byte elements at element index 254 (byte offset 1019) using index
|
||||
"reslen - 1" (which evaluates to 254).
|
||||
3789| {
|
||||
3790| // rule with '<' is used
|
||||
3791|-> if (reslen > 0 && ws != NULL && *ws != NUL
|
||||
3792| && (wres[reslen - 1] == c
|
||||
3793| || wres[reslen - 1] == *ws))
|
||||
|
||||
Error: OVERRUN (CWE-119):
|
||||
vim91/src/spell.c:3819: cond_const: Checking "reslen < 254" implies that
|
||||
"reslen" is 254 on the false branch.
|
||||
vim91/src/spell.c:3833: overrun-local: Overrunning array "wres" of 254
|
||||
4-byte elements at element index 254 (byte offset 1019) using index
|
||||
"reslen++" (which evaluates to 254).
|
||||
3831| {
|
||||
3832| if (c != NUL)
|
||||
3833|-> wres[reslen++] = c;
|
||||
3834| mch_memmove(word, word + i + 1,
|
||||
3835| sizeof(int) * (wordlen -
|
||||
(i + 1) + 1));
|
||||
|
||||
related: #16163
|
||||
|
||||
Signed-off-by: Zdenek Dohnal <zdohnal@redhat.com>
|
||||
Signed-off-by: Christian Brabandt <cb@256bit.org>
|
||||
---
|
||||
src/spell.c | 2 +-
|
||||
src/version.c | 2 ++
|
||||
2 files changed, 3 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/spell.c b/src/spell.c
|
||||
index 5a7720f7f..2581a5ede 100644
|
||||
--- a/src/spell.c
|
||||
+++ b/src/spell.c
|
||||
@@ -3829,7 +3829,7 @@ spell_soundfold_wsal(slang_T *slang, char_u *inword, char_u *res)
|
||||
c = *ws;
|
||||
if (strstr((char *)s, "^^") != NULL)
|
||||
{
|
||||
- if (c != NUL)
|
||||
+ if (c != NUL && reslen < MAXWLEN)
|
||||
wres[reslen++] = c;
|
||||
mch_memmove(word, word + i + 1,
|
||||
sizeof(int) * (wordlen - (i + 1) + 1));
|
||||
--
|
||||
2.47.1
|
||||
|
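Review bot: The added `reslen < MAXWLEN` guard in the `^^` branch has no comment saying that it is the bound of `wres`, and when it fails the character `c` is dropped silently while the `mch_memmove` below still runs. A one-line comment above the condition would record the intent, for example `// wres[] holds MAXWLEN items; drop c instead of writing past the end`. The scanner trace quoted in the patch header reports an existing `reslen < 254` check at line 3819, so the truncation appears consistent with that path, but the declaration of `wres` and the rest of spell_soundfold_wsal() lie outside this hunk and should be checked there. The patch also adds no test that drives a sound-folding rule up to the MAXWLEN limit, so the fix is backed only by the static-analysis report.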
@ -0,0 +1,48 @@
|
||||
From 215c82d061d750d8a26ef52f529a9e3ca4e0f82a Mon Sep 17 00:00:00 2001
|
||||
From: Zdenek Dohnal <zdohnal@redhat.com>
|
||||
Date: Wed, 4 Dec 2024 20:19:40 +0100
|
||||
Subject: [PATCH] patch 9.1.0904: Vim9: copy-paste error in
|
||||
class_defining_member()
|
||||
|
||||
Problem: Vim9: copy-paste error in class_defining_member()
|
||||
Solution: use variable type VAR_CLASS instead (Zdenek Dohnal)
|
||||
|
||||
Found issue by OpenScanHub:
|
||||
Error: COPY_PASTE_ERROR (CWE-398):
|
||||
vim91/src/vim9class.c:3308: original: "VAR_OBJECT" looks like the
|
||||
original copy.
|
||||
vim91/src/vim9class.c:3316: copy_paste_error: "VAR_OBJECT" looks like a
|
||||
copy-paste error.
|
||||
vim91/src/vim9class.c:3316: remediation: Should it say "VAR_CLASS"
|
||||
instead?
|
||||
3314| {
|
||||
3315| cl_tmp = super;
|
||||
3316|-> vartype = VAR_OBJECT;
|
||||
3317| }
|
||||
3318| }
|
||||
|
||||
closes: #16163
|
||||
|
||||
Signed-off-by: Zdenek Dohnal <zdohnal@redhat.com>
|
||||
Signed-off-by: Christian Brabandt <cb@256bit.org>
|
||||
---
|
||||
src/version.c | 2 ++
|
||||
src/vim9class.c | 2 +-
|
||||
2 files changed, 3 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/vim9class.c b/src/vim9class.c
|
||||
index d0ddcb820..e85cf827f 100644
|
||||
--- a/src/vim9class.c
|
||||
+++ b/src/vim9class.c
|
||||
@@ -3313,7 +3313,7 @@ class_defining_member(class_T *cl, char_u *name, size_t len, ocmember_T **p_m)
|
||||
if (( m = class_member_lookup(super, name, len, NULL)) != NULL)
|
||||
{
|
||||
cl_tmp = super;
|
||||
- vartype = VAR_OBJECT;
|
||||
+ vartype = VAR_CLASS;
|
||||
}
|
||||
}
|
||||
if (cl_tmp == NULL)
|
||||
--
|
||||
2.47.1
|
||||
|
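Review bot: The corrected assignment `vartype = VAR_CLASS;` changes which value `vartype` holds after a hit in `class_member_lookup(super, ...)`, yet the patch carries no test for that path; its diffstat lists only src/version.c and src/vim9class.c. A regression test that resolves a class member defined in a parent class would pin the new behaviour. A short comment on the branch, such as `// found among the class members of a parent class`, would also make the pairing with the earlier VAR_OBJECT branch (line 3308 in the scanner report) harder to mis-copy again. class_defining_member() starts and ends outside the hunk, so how the rest of the function uses `vartype` cannot be confirmed from here.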
14
vim.spec
14
vim.spec
@ -51,7 +51,7 @@ Summary: The VIM editor
|
||||
URL: http://www.vim.org/
|
||||
Name: vim
|
||||
Version: %{baseversion}.%{patchlevel}
|
||||
Release: 3%{?dist}
|
||||
Release: 4%{?dist}
|
||||
Epoch: 2
|
||||
# swift.vim contains Apache 2.0 with runtime library exception:
|
||||
# which is taken as Apache-2.0 WITH Swift-exception - reported to legal as https://gitlab.com/fedora/legal/fedora-license-data/-/issues/188
|
||||
@ -99,6 +99,13 @@ Patch3003: vim-python3-tests.patch
|
||||
Patch3004: vim-crypto-warning.patch
|
||||
# don't ever set mouse (Fedora downstream patch)
|
||||
Patch3005: vim-8.0-copy-paste.patch
|
||||
# RHEL-44652 vim-9.1.083-1.el10: RHEL SAST Automation: address 4 High impact true positive(s)
|
||||
# 2 patches: 0001-src-spell.c-Protect-wres-from-possible-buffer-overfl.patch
|
||||
# 0003-src-vim9class.c-Fix-typo.patch
|
||||
# upstreamed as: https://github.com/vim/vim/commit/215c82d06
|
||||
# https://github.com/vim/vim/commit/39a94d204
|
||||
Patch3006: 0001-patch-9.1.0903-potential-overflow-in-spell_soundfold.patch
|
||||
Patch3007: 0001-patch-9.1.0904-Vim9-copy-paste-error-in-class_defini.patch
|
||||
|
||||
|
||||
# uses autoconf in spec file
|
||||
@ -422,6 +429,8 @@ perl -pi -e "s,bin/nawk,bin/awk,g" runtime/tools/mve.awk
|
||||
%patch -P 3003 -p1 -b .python-tests
|
||||
%patch -P 3004 -p1 -b .fips-warning
|
||||
%patch -P 3005 -p1 -b .copypaste
|
||||
%patch -P 3006 -p1 -b .buffer-overflow
|
||||
%patch -P 3007 -p1 -b .typo
|
||||
|
||||
%build
|
||||
cd src
|
||||
@ -1057,6 +1066,9 @@ touch %{buildroot}/%{_datadir}/%{name}/vimfiles/doc/tags
|
||||
|
||||
|
||||
%changelog
|
||||
* Thu Dec 05 2024 Zdenek Dohnal <zdohnal@redhat.com> - 2:9.1.083-4
|
||||
- RHEL-44652 vim-9.1.083-1.el10: RHEL SAST Automation: address 4 High impact true positive(s)
|
||||
|
||||
* Tue Oct 29 2024 Troy Dawson <tdawson@redhat.com> - 2:9.1.083-3
|
||||
- Bump release for October 2024 mass rebuild:
|
||||
Resolves: RHEL-64018
|
||||
|
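Review bot: The comment block added above `Patch3006` names `0001-src-spell.c-Protect-wres-from-possible-buffer-overfl.patch` and `0003-src-vim9class.c-Fix-typo.patch`, which are not the files the two `Patch` lines reference, and it lists the upstream commit URLs in the opposite order to the patches (per the patch headers, 39a94d204 is the spell.c change and 215c82d06 the vim9class.c one). Pairing each `Patch` line with its own link would make the provenance checkable at a glance: `# https://github.com/vim/vim/commit/39a94d204` directly above `Patch3006:` and `# https://github.com/vim/vim/commit/215c82d06` directly above `Patch3007:`. The title and changelog speak of 4 true positives while the comment says 2 patches; if the remaining findings needed no code change, one comment line saying so would help a later audit.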