RHEL-40602 CVE-2021-3903 vim heap-based buffer overflow vulnerability

Resolves: RHEL-40602
This commit is contained in:
Zdenek Dohnal 2024-08-05 16:39:07 +02:00
parent 8365096b6f
commit 2bba9e8166
2 changed files with 89 additions and 1 deletions

View File

@ -0,0 +1,82 @@
From 777e7c21b7627be80961848ac560cb0a9978ff43 Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Mon, 25 Oct 2021 17:07:04 +0100
Subject: [PATCH] patch 8.2.3564: invalid memory access when scrolling without
valid screen
Problem: Invalid memory access when scrolling without a valid screen.
Solution: Do not set VALID_BOTLINE in w_valid.
---
src/move.c | 1 -
src/testdir/test_normal.vim | 22 +++++++++++++++++++---
src/version.c | 2 ++
3 files changed, 21 insertions(+), 4 deletions(-)
diff --git a/src/move.c b/src/move.c
index 8fe00bb67..64b12963c 100644
--- a/src/move.c
+++ b/src/move.c
@@ -199,7 +199,6 @@ update_topline(void)
check_cursor_lnum();
curwin->w_topline = curwin->w_cursor.lnum;
curwin->w_botline = curwin->w_topline;
- curwin->w_valid |= VALID_BOTLINE|VALID_BOTLINE_AP;
curwin->w_scbind_pos = 1;
return;
}
diff --git a/src/testdir/test_normal.vim b/src/testdir/test_normal.vim
index f8dbf8aed..f994f970a 100644
--- a/src/testdir/test_normal.vim
+++ b/src/testdir/test_normal.vim
@@ -34,14 +34,14 @@ func CountSpaces(type, ...)
else
silent exe "normal! `[v`]y"
endif
- let g:a=strlen(substitute(@@, '[^ ]', '', 'g'))
+ let g:a = strlen(substitute(@@, '[^ ]', '', 'g'))
let &selection = sel_save
let @@ = reg_save
endfunc
func OpfuncDummy(type, ...)
" for testing operatorfunc
- let g:opt=&linebreak
+ let g:opt = &linebreak
if a:0 " Invoked from Visual mode, use gv command.
silent exe "normal! gvy"
@@ -52,7 +52,7 @@ func OpfuncDummy(type, ...)
endif
" Create a new dummy window
new
- let g:bufnr=bufnr('%')
+ let g:bufnr = bufnr('%')
endfunc
func Test_normal00_optrans()
@@ -987,6 +987,22 @@ func Test_vert_scroll_cmds()
close!
endfunc
+func Test_scroll_in_ex_mode()
+ " This was using invalid memory because w_botline was invalid.
+ let lines =<< trim END
+ diffsplit
+ norm os00(
+ call writefile(['done'], 'Xdone')
+ qa!
+ END
+ call writefile(lines, 'Xscript')
+ call assert_equal(1, RunVim([], [], '--clean -X -Z -e -s -S Xscript'))
+ call assert_equal(['done'], readfile('Xdone'))
+
+ call delete('Xscript')
+ call delete('Xdone')
+endfunc
+
" Test for the 'sidescroll' option
func Test_sidescroll_opt()
new
--
2.45.2

View File

@ -27,7 +27,7 @@ Summary: The VIM editor
URL: http://www.vim.org/
Name: vim
Version: %{baseversion}.%{patchlevel}
Release: 20%{?dist}
Release: 21%{?dist}
License: Vim and MIT
Source0: ftp://ftp.vim.org/pub/vim/unix/vim-%{baseversion}-%{patchlevel}.tar.bz2
Source1: virc
@ -136,6 +136,8 @@ Patch3051: 0001-patch-8.2.5023-substitute-overwrites-allocated-buffe.patch
Patch3052: 0001-patch-8.2.5037-cursor-position-may-be-invalid-after-.patch
# CVE-2022-47024 vim: no check if the return value of XChangeGC() is NULL
Patch3053:0001-patch-9.0.0339-no-check-if-the-return-value-of-XChan.patch
# RHEL-40602 CVE-2021-3903 vim: heap-based buffer overflow vulnerability
Patch3054: 0001-patch-8.2.3564-invalid-memory-access-when-scrolling-.patch
# gcc is no longer in buildroot by default
BuildRequires: gcc
@ -376,6 +378,7 @@ perl -pi -e "s,bin/nawk,bin/awk,g" runtime/tools/mve.awk
%patch3051 -p1 -b .cve1897
%patch3052 -p1 -b .cve1927
%patch3053 -p1 -b .cve47024
%patch -P 3054 -p1 -b .cve2021-3903
%build
cd src
@ -933,6 +936,9 @@ touch %{buildroot}/%{_datadir}/%{name}/vimfiles/doc/tags
%endif
%changelog
* Mon Aug 05 2024 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.2.2637-21
- RHEL-40602 CVE-2021-3903 vim: heap-based buffer overflow vulnerability
* Thu Feb 09 2023 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.2.2637-20
- CVE-2022-47024 vim: no check if the return value of XChangeGC() is NULL