diff --git a/0001-patch-8.2.4218-illegal-memory-access-with-bracketed-.patch b/0001-patch-8.2.4218-illegal-memory-access-with-bracketed-.patch
new file mode 100644
index 00000000..95afeff9
--- /dev/null
+++ b/0001-patch-8.2.4218-illegal-memory-access-with-bracketed-.patch
@@ -0,0 +1,45 @@
+From 806d037671e133bd28a7864248763f643967973a Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar
+Date: Tue, 25 Jan 2022 20:45:16 +0000
+Subject: [PATCH] patch 8.2.4218: illegal memory access with bracketed paste in
+ Ex mode
+
+Problem: Illegal memory access with bracketed paste in Ex mode.
+Solution: Reserve space for the trailing NUL.
+---
+ src/edit.c | 3 ++-
+ src/testdir/test_paste.vim | 3 +++
+ src/version.c | 2 ++
+ 3 files changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/src/edit.c b/src/edit.c
+index ee3caf0da..2b5301100 100644
+--- a/src/edit.c
++++ b/src/edit.c
+@@ -4452,7 +4452,8 @@ bracketed_paste(paste_mode_T mode, int drop, garray_T *gap)
+ break;
+
+ case PASTE_EX:
+- if (gap != NULL && ga_grow(gap, idx) == OK)
++ // add one for the NUL that is going to be appended
++ if (gap != NULL && ga_grow(gap, idx + 1) == OK)
+ {
+ mch_memmove((char *)gap->ga_data + gap->ga_len,
+ buf, (size_t)idx);
+diff --git a/src/testdir/test_paste.vim b/src/testdir/test_paste.vim
+index c94fe7c35..5b8d8a0e3 100644
+--- a/src/testdir/test_paste.vim
++++ b/src/testdir/test_paste.vim
+@@ -90,6 +90,9 @@ func Test_paste_ex_mode()
+ unlet! foo
+ call feedkeys("Qlet foo=\"\[200~foo\bar\[201~\"\vi\", 'xt')
+ call assert_equal("foo\rbar", foo)
++
++ " pasting more than 40 bytes
++ exe "norm Q\0000000000000000000000000000000000000000000000000000000000000000000000\"
+ endfunc
+
+ func Test_paste_onechar()
+--
+2.34.1
+
diff --git a/vim.spec b/vim.spec
index b7e98d64..f2b03736 100644
--- a/vim.spec
+++ b/vim.spec
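Review bot: The backported patch's diffstat still lists `src/version.c | 2 ++` and "3 files changed, 7 insertions(+)", but the 45-line file carries only the `src/edit.c` and `src/testdir/test_paste.vim` sections, so the version.c hunk appears to have been dropped for the backport. `patch` ignores the stale diffstat, but without that hunk the built binary will not list 4218 among its included patches, so `has('patch-8.2.4218')` cannot be used to confirm the fix is present; it has to be verified from the package changelog instead. Consider recording that in the patch header, e.g. `Backport note: src/version.c hunk dropped, fix not visible via has('patch-8.2.4218')`. In the edit.c hunk, the code that appends the NUL the new comment refers to lies outside the visible context, so the `idx + 1` reservation can only be checked against it in the full source.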
@@ -108,6 +108,8 @@ Patch3037: 0001-patch-8.2.4247-stack-corruption-when-looking-for-spe.patch
 Patch3038: 0001-patch-8.2.4253-using-freed-memory-when-substitute-wi.patch
 # CVE-2022-0443 vim: heap-use-after-free in enter_buffer() of src/buffer.c
 Patch3039: 0001-patch-8.2.4281-using-freed-memory-with-lopen-and-bwi.patch
+# CVE-2022-0392 vim: heap-based buffer overflow in getexmodeline() in ex_getln.c
+Patch3040: 0001-patch-8.2.4218-illegal-memory-access-with-bracketed-.patch
 
 # gcc is no longer in buildroot by default
 BuildRequires: gcc
@@ -334,6 +336,7 @@ perl -pi -e "s,bin/nawk,bin/awk,g" runtime/tools/mve.awk
 %patch3037 -p1 -b .cve0408
 %patch3038 -p1 -b .cve0413
 %patch3039 -p1 -b .cve0443
+%patch3040 -p1 -b .cve0392
 
 %build
 cd src
@@ -894,6 +897,7 @@ touch %{buildroot}/%{_datadir}/%{name}/vimfiles/doc/tags
 * Thu Feb 10 2022 Zdenek Dohnal - 2:8.2.2637-12
 - CVE-2022-0413 vim: use after free in src/ex_cmds.c
 - CVE-2022-0443 vim: heap-use-after-free in enter_buffer() of src/buffer.c
+- CVE-2022-0392 vim: heap-based buffer overflow in getexmodeline() in ex_getln.c
 
 * Wed Feb 09 2022 Zdenek Dohnal - 2:8.2.2637-12
 - CVE-2022-0368 vim: Out-of-bounds Read in vim
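Review bot: The comment added above `Patch3040` names getexmodeline() in ex_getln.c, as the CVE title does, but the patch it labels changes bracketed_paste() in src/edit.c, so someone matching the CVE to the code will look in the wrong file. Suggest a second comment line such as `# fixed in bracketed_paste() in src/edit.c (upstream patch 8.2.4218)`. Separately, the changelog line in the last hunk is added under the existing `2:8.2.2637-12` entry; if a -12 build was already published without this patch, fixed and unfixed packages would share the same version-release and vulnerability scanners keyed on it could not tell them apart. The Release tag is outside the diff, so whether a bump is needed cannot be confirmed from here.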