CVE-2022-0392 vim: heap-based buffer overflow in getexmodeline() in ex_getln.c

Resolves: CVE-2022-0392
2022-02-10 11:30:02 +01:00 · 2022-02-10 11:30:02 +01:00 · 33c9a2555d
commit 33c9a2555d
parent 9084c65312
2 changed files with 49 additions and 0 deletions
--- a/0001-patch-8.2.4218-illegal-memory-access-with-bracketed-.patch
+++ b/0001-patch-8.2.4218-illegal-memory-access-with-bracketed-.patch
@ -0,0 +1,45 @@
+From 806d037671e133bd28a7864248763f643967973a Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Tue, 25 Jan 2022 20:45:16 +0000
+Subject: [PATCH] patch 8.2.4218: illegal memory access with bracketed paste in
+ Ex mode
+
+Problem:    Illegal memory access with bracketed paste in Ex mode.
+Solution:   Reserve space for the trailing NUL.
+---
+ src/edit.c                 | 3 ++-
+ src/testdir/test_paste.vim | 3 +++
+ src/version.c              | 2 ++
+ 3 files changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/src/edit.c b/src/edit.c
+index ee3caf0da..2b5301100 100644
+--- a/src/edit.c
+++ b/src/edit.c
+@@ -4452,7 +4452,8 @@ bracketed_paste(paste_mode_T mode, int drop, garray_T *gap)
+ 		    break;
+ 
+ 		case PASTE_EX:
+-		    if (gap != NULL && ga_grow(gap, idx) == OK)
+		    // add one for the NUL that is going to be appended
+		    if (gap != NULL && ga_grow(gap, idx + 1) == OK)
+ 		    {
+ 			mch_memmove((char *)gap->ga_data + gap->ga_len,
+ 							     buf, (size_t)idx);
+diff --git a/src/testdir/test_paste.vim b/src/testdir/test_paste.vim
+index c94fe7c35..5b8d8a0e3 100644
+--- a/src/testdir/test_paste.vim
+++ b/src/testdir/test_paste.vim
+@@ -90,6 +90,9 @@ func Test_paste_ex_mode()
+   unlet! foo
+   call feedkeys("Qlet foo=\"\<Esc>[200~foo\<CR>bar\<Esc>[201~\"\<CR>vi\<CR>", 'xt')
+   call assert_equal("foo\rbar", foo)
+
+  " pasting more than 40 bytes
+  exe "norm Q\<PasteStart>0000000000000000000000000000000000000000000000000000000000000000000000\<C-C>"
+ endfunc
+ 
+ func Test_paste_onechar()
+-- 
+2.34.1
+
--- a/vim.spec
+++ b/vim.spec
@ -108,6 +108,8 @@ Patch3037: 0001-patch-8.2.4247-stack-corruption-when-looking-for-spe.patch
 Patch3038: 0001-patch-8.2.4253-using-freed-memory-when-substitute-wi.patch
 # CVE-2022-0443 vim: heap-use-after-free in enter_buffer() of src/buffer.c
 Patch3039: 0001-patch-8.2.4281-using-freed-memory-with-lopen-and-bwi.patch
+# CVE-2022-0392 vim: heap-based buffer overflow in getexmodeline() in ex_getln.c
+Patch3040: 0001-patch-8.2.4218-illegal-memory-access-with-bracketed-.patch

 # gcc is no longer in buildroot by default
 BuildRequires: gcc
@ -334,6 +336,7 @@ perl -pi -e "s,bin/nawk,bin/awk,g" runtime/tools/mve.awk
 %patch3037 -p1 -b .cve0408
 %patch3038 -p1 -b .cve0413
 %patch3039 -p1 -b .cve0443
+%patch3040 -p1 -b .cve0392

 %build
 cd src
@ -894,6 +897,7 @@ touch %{buildroot}/%{_datadir}/%{name}/vimfiles/doc/tags
 * Thu Feb 10 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.2.2637-12
 - CVE-2022-0413 vim: use after free in src/ex_cmds.c
 - CVE-2022-0443 vim: heap-use-after-free in enter_buffer() of src/buffer.c
+- CVE-2022-0392 vim: heap-based buffer overflow in getexmodeline() in ex_getln.c

 * Wed Feb 09 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.2.2637-12
 - CVE-2022-0368 vim: Out-of-bounds Read in vim