CVE-2022-0359 vim: heap-based buffer overflow in init_ccline() in ex_getln.c

Resolves: CVE-2022-0359
2022-01-27 18:41:20 +01:00 · 2022-01-27 18:41:20 +01:00 · 319be2ae2d
commit 319be2ae2d
parent b3a7cde64b
2 changed files with 53 additions and 0 deletions
--- a/0001-patch-8.2.4214-illegal-memory-access-with-large-tabs.patch
+++ b/0001-patch-8.2.4214-illegal-memory-access-with-large-tabs.patch
@ -0,0 +1,49 @@
+From 85b6747abc15a7a81086db31289cf1b8b17e6cb1 Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Tue, 25 Jan 2022 11:55:02 +0000
+Subject: [PATCH] patch 8.2.4214: illegal memory access with large 'tabstop' in
+ Ex mode
+
+Problem:    Illegal memory access with large 'tabstop' in Ex mode.
+Solution:   Allocate enough memory.
+---
+ src/ex_getln.c               |  2 +-
+ src/testdir/test_ex_mode.vim | 10 ++++++++++
+ src/version.c                |  2 ++
+ 3 files changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/src/ex_getln.c b/src/ex_getln.c
+index 5dc43d845..097b97eeb 100644
+--- a/src/ex_getln.c
+++ b/src/ex_getln.c
+@@ -1513,7 +1513,7 @@ init_ccline(int firstc, int indent)
+     ccline.cmdindent = (firstc > 0 ? indent : 0);
+ 
+     // alloc initial ccline.cmdbuff
+-    alloc_cmdbuff(exmode_active ? 250 : indent + 1);
+    alloc_cmdbuff(indent + 50);
+     if (ccline.cmdbuff == NULL)
+ 	return FAIL;
+     ccline.cmdlen = ccline.cmdpos = 0;
+diff --git a/src/testdir/test_ex_mode.vim b/src/testdir/test_ex_mode.vim
+index 7031115fc..2642a16d2 100644
+--- a/src/testdir/test_ex_mode.vim
+++ b/src/testdir/test_ex_mode.vim
+@@ -241,4 +241,14 @@ func Test_ex_mode_count_overflow()
+   call delete('Xexmodescript')
+ endfunc
+ 
+func Test_ex_mode_large_indent()
+  new
+  set ts=500 ai
+  call setline(1, "\t")
+  exe "normal gQi\<CR>."
+  set ts=8 noai
+  bwipe!
+endfunc
+
+
+ " vim: shiftwidth=2 sts=2 expandtab
+-- 
+2.34.1
+
--- a/vim.spec
+++ b/vim.spec
@ -92,6 +92,8 @@ Patch3029: 0001-patch-8.2.3949-using-freed-memory-with-V.patch
 Patch3030: 0001-patch-8.2.4120-block-insert-goes-over-the-end-of-the.patch
 # CVE-2022-0318 vim: heap-based buffer overflow in utf_head_off() in mbyte.c
 Patch3031: 0001-patch-8.2.4151-reading-beyond-the-end-of-a-line.patch
+# CVE-2022-0359 vim: heap-based buffer overflow in init_ccline() in ex_getln.c
+Patch3032: 0001-patch-8.2.4214-illegal-memory-access-with-large-tabs.patch

 # gcc is no longer in buildroot by default
 BuildRequires: gcc
@ -310,6 +312,7 @@ perl -pi -e "s,bin/nawk,bin/awk,g" runtime/tools/mve.awk
 %patch3029 -p1 -b .cve4192
 %patch3030 -p1 -b .cve0261
 %patch3031 -p1 -b .cve0318
+%patch3032 -p1 -b .cve0359

 %build
 cd src
@ -870,6 +873,7 @@ touch %{buildroot}/%{_datadir}/%{name}/vimfiles/doc/tags
 * Thu Jan 27 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.2.2637-11
 - CVE-2022-0261 vim: Heap-based Buffer Overflow in block_insert() in src/ops.c
 - CVE-2022-0318 vim: heap-based buffer overflow in utf_head_off() in mbyte.c
+- CVE-2022-0359 vim: heap-based buffer overflow in init_ccline() in ex_getln.c

 * Thu Jan 13 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.2.2637-10
 - CVE-2021-4193 vim: vulnerable to Out-of-bounds Read