diff --git a/0001-patch-8.2.4214-illegal-memory-access-with-large-tabs.patch b/0001-patch-8.2.4214-illegal-memory-access-with-large-tabs.patch
new file mode 100644
index 0000000..33db8e5
--- /dev/null
+++ b/0001-patch-8.2.4214-illegal-memory-access-with-large-tabs.patch
@@ -0,0 +1,49 @@
+From 85b6747abc15a7a81086db31289cf1b8b17e6cb1 Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar
+Date: Tue, 25 Jan 2022 11:55:02 +0000
+Subject: [PATCH] patch 8.2.4214: illegal memory access with large 'tabstop' in
+ Ex mode
+
+Problem: Illegal memory access with large 'tabstop' in Ex mode.
+Solution: Allocate enough memory.
+---
+ src/ex_getln.c | 2 +-
+ src/testdir/test_ex_mode.vim | 10 ++++++++++
+ src/version.c | 2 ++
+ 3 files changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/src/ex_getln.c b/src/ex_getln.c
+index 5dc43d845..097b97eeb 100644
+--- a/src/ex_getln.c
++++ b/src/ex_getln.c
+@@ -1513,7 +1513,7 @@ init_ccline(int firstc, int indent)
+ ccline.cmdindent = (firstc > 0 ? indent : 0);
+
+ // alloc initial ccline.cmdbuff
+- alloc_cmdbuff(exmode_active ? 250 : indent + 1);
++ alloc_cmdbuff(indent + 50);
+ if (ccline.cmdbuff == NULL)
+ return FAIL;
+ ccline.cmdlen = ccline.cmdpos = 0;
+diff --git a/src/testdir/test_ex_mode.vim b/src/testdir/test_ex_mode.vim
+index 7031115fc..2642a16d2 100644
+--- a/src/testdir/test_ex_mode.vim
++++ b/src/testdir/test_ex_mode.vim
+@@ -241,4 +241,14 @@ func Test_ex_mode_count_overflow()
+ call delete('Xexmodescript')
+ endfunc
+
++func Test_ex_mode_large_indent()
++ new
++ set ts=500 ai
++ call setline(1, "\t")
++ exe "normal gQi\."
++ set ts=8 noai
++ bwipe!
++endfunc
++
++
+ " vim: shiftwidth=2 sts=2 expandtab
+--
+2.34.1
+
diff --git a/vim.spec b/vim.spec
index 0cac2cb..f12f988 100644
--- a/vim.spec
+++ b/vim.spec
@@ -92,6 +92,8 @@ Patch3029: 0001-patch-8.2.3949-using-freed-memory-with-V.patch Patch3030: 0001-patch-8.2.4120-block-insert-goes-over-the-end-of-the.patch # CVE-2022-0318 vim: heap-based buffer overflow in utf_head_off() in mbyte.c Patch3031: 0001-patch-8.2.4151-reading-beyond-the-end-of-a-line.patch +# CVE-2022-0359 vim: heap-based buffer overflow in init_ccline() in ex_getln.c +Patch3032: 0001-patch-8.2.4214-illegal-memory-access-with-large-tabs.patch # gcc is no longer in buildroot by default BuildRequires: gcc @@ -310,6 +312,7 @@ perl -pi -e "s,bin/nawk,bin/awk,g" runtime/tools/mve.awk %patch3029 -p1 -b .cve4192 %patch3030 -p1 -b .cve0261 %patch3031 -p1 -b .cve0318 +%patch3032 -p1 -b .cve0359 %build cd src @@ -870,6 +873,7 @@ touch %{buildroot}/%{_datadir}/%{name}/vimfiles/doc/tags * Thu Jan 27 2022 Zdenek Dohnal - 2:8.2.2637-11 - CVE-2022-0261 vim: Heap-based Buffer Overflow in block_insert() in src/ops.c - CVE-2022-0318 vim: heap-based buffer overflow in utf_head_off() in mbyte.c +- CVE-2022-0359 vim: heap-based buffer overflow in init_ccline() in ex_getln.c * Thu Jan 13 2022 Zdenek Dohnal - 2:8.2.2637-10 - CVE-2021-4193 vim: vulnerable to Out-of-bounds Read
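Review bot: In the first vim.spec hunk, `Patch3032` is added with only the CVE line above it, but the patch file it points to is not the upstream commit verbatim: its diffstat lists `src/version.c | 2 ++` and "3 files changed", yet only the `src/ex_getln.c` and `src/testdir/test_ex_mode.vim` sections are present. Dropping the version.c hunk is presumably deliberate for a backport onto 8.2.2637, but nothing records that, which makes it harder to audit later whether the CVE-2022-0359 fix was taken in full. A second comment line above `Patch3032`, such as `# upstream patch 8.2.4214, src/version.c hunk dropped for the backport`, would cover it.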