CVE-2022-0359 vim: heap-based buffer overflow in init_ccline() in ex_getln.c

Resolves: CVE-2022-0359
Zdenek Dohnal 2022-01-27 18:41:20 +01:00
parent b3a7cde64b
commit 319be2ae2d
2 changed files with 53 additions and 0 deletions


@ -0,0 +1,49 @@
From 85b6747abc15a7a81086db31289cf1b8b17e6cb1 Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Tue, 25 Jan 2022 11:55:02 +0000
Subject: [PATCH] patch 8.2.4214: illegal memory access with large 'tabstop' in
Ex mode
Problem: Illegal memory access with large 'tabstop' in Ex mode.
Solution: Allocate enough memory.
---
src/ex_getln.c | 2 +-
src/testdir/test_ex_mode.vim | 10 ++++++++++
src/version.c | 2 ++
3 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/src/ex_getln.c b/src/ex_getln.c
index 5dc43d845..097b97eeb 100644
--- a/src/ex_getln.c
+++ b/src/ex_getln.c
@@ -1513,7 +1513,7 @@ init_ccline(int firstc, int indent)
ccline.cmdindent = (firstc > 0 ? indent : 0);
// alloc initial ccline.cmdbuff
- alloc_cmdbuff(exmode_active ? 250 : indent + 1);
+ alloc_cmdbuff(indent + 50);
if (ccline.cmdbuff == NULL)
return FAIL;
ccline.cmdlen = ccline.cmdpos = 0;
diff --git a/src/testdir/test_ex_mode.vim b/src/testdir/test_ex_mode.vim
index 7031115fc..2642a16d2 100644
--- a/src/testdir/test_ex_mode.vim
+++ b/src/testdir/test_ex_mode.vim
@@ -241,4 +241,14 @@ func Test_ex_mode_count_overflow()
call delete('Xexmodescript')
endfunc
+func Test_ex_mode_large_indent()
+ new
+ set ts=500 ai
+ call setline(1, "\t")
+ exe "normal gQi\<CR>."
+ set ts=8 noai
+ bwipe!
+endfunc
+
+
" vim: shiftwidth=2 sts=2 expandtab
--
2.34.1
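Review bot: The stat block carried in the patch header (the `src/version.c | 2 ++` line and `3 files changed, 13 insertions(+), 1 deletion(-)`) no longer matches the patch body, which carries only the src/ex_getln.c and src/testdir/test_ex_mode.vim hunks; the version.c hunk was evidently dropped for the backport. `git am` and `%patch` ignore that block, so the patch still applies, but anyone auditing the backport against upstream 8.2.4214 will go looking for a missing hunk. Either regenerate the stat block as `2 files changed, 11 insertions(+), 1 deletion(-)` without the version.c line, or add a one-line note under the `---` marker such as `[backport: src/version.c hunk dropped]`. The ex_getln.c hunk shows only part of init_ccline(); the function continues outside it.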


@ -92,6 +92,8 @@ Patch3029: 0001-patch-8.2.3949-using-freed-memory-with-V.patch
Patch3030: 0001-patch-8.2.4120-block-insert-goes-over-the-end-of-the.patch
# CVE-2022-0318 vim: heap-based buffer overflow in utf_head_off() in mbyte.c
Patch3031: 0001-patch-8.2.4151-reading-beyond-the-end-of-a-line.patch
# CVE-2022-0359 vim: heap-based buffer overflow in init_ccline() in ex_getln.c
Patch3032: 0001-patch-8.2.4214-illegal-memory-access-with-large-tabs.patch
# gcc is no longer in buildroot by default
BuildRequires: gcc
@ -310,6 +312,7 @@ perl -pi -e "s,bin/nawk,bin/awk,g" runtime/tools/mve.awk
%patch3029 -p1 -b .cve4192
%patch3030 -p1 -b .cve0261
%patch3031 -p1 -b .cve0318
%patch3032 -p1 -b .cve0359
%build
cd src
@ -870,6 +873,7 @@ touch %{buildroot}/%{_datadir}/%{name}/vimfiles/doc/tags
* Thu Jan 27 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.2.2637-11
- CVE-2022-0261 vim: Heap-based Buffer Overflow in block_insert() in src/ops.c
- CVE-2022-0318 vim: heap-based buffer overflow in utf_head_off() in mbyte.c
- CVE-2022-0359 vim: heap-based buffer overflow in init_ccline() in ex_getln.c
* Thu Jan 13 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.2.2637-10
- CVE-2021-4193 vim: vulnerable to Out-of-bounds Read