CVE-2022-0392 vim: heap-based buffer overflow in getexmodeline() in ex_getln.c

Resolves: CVE-2022-0392
Zdenek Dohnal 2022-02-10 11:30:02 +01:00
parent 9084c65312
commit 33c9a2555d
2 changed files with 49 additions and 0 deletions


@ -0,0 +1,45 @@
From 806d037671e133bd28a7864248763f643967973a Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Tue, 25 Jan 2022 20:45:16 +0000
Subject: [PATCH] patch 8.2.4218: illegal memory access with bracketed paste in
Ex mode
Problem: Illegal memory access with bracketed paste in Ex mode.
Solution: Reserve space for the trailing NUL.
---
src/edit.c | 3 ++-
src/testdir/test_paste.vim | 3 +++
src/version.c | 2 ++
3 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/src/edit.c b/src/edit.c
index ee3caf0da..2b5301100 100644
--- a/src/edit.c
+++ b/src/edit.c
@@ -4452,7 +4452,8 @@ bracketed_paste(paste_mode_T mode, int drop, garray_T *gap)
break;
case PASTE_EX:
- if (gap != NULL && ga_grow(gap, idx) == OK)
+ // add one for the NUL that is going to be appended
+ if (gap != NULL && ga_grow(gap, idx + 1) == OK)
{
mch_memmove((char *)gap->ga_data + gap->ga_len,
buf, (size_t)idx);
diff --git a/src/testdir/test_paste.vim b/src/testdir/test_paste.vim
index c94fe7c35..5b8d8a0e3 100644
--- a/src/testdir/test_paste.vim
+++ b/src/testdir/test_paste.vim
@@ -90,6 +90,9 @@ func Test_paste_ex_mode()
unlet! foo
call feedkeys("Qlet foo=\"\<Esc>[200~foo\<CR>bar\<Esc>[201~\"\<CR>vi\<CR>", 'xt')
call assert_equal("foo\rbar", foo)
+
+ " pasting more than 40 bytes
+ exe "norm Q\<PasteStart>0000000000000000000000000000000000000000000000000000000000000000000000\<C-C>"
endfunc
func Test_paste_onechar()
--
2.34.1
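Review bot: The embedded patch header's diffstat (`src/version.c | 2 ++`, `3 files changed, 7 insertions(+), 1 deletion(-)`) no longer matches the body, which carries only the src/edit.c and src/testdir/test_paste.vim hunks; the version.c hunk appears to have been dropped for the backport, so the stale stat makes the file look truncated to anyone auditing it later. Either regenerate the stat after dropping the hunk or add a line under the Subject such as `[Backport note: src/version.c hunk dropped intentionally; stat above is upstream's.]`. The edit.c change itself is sound as far as the hunk shows: `ga_grow(gap, idx + 1)` reserves the byte for the NUL appended after the memmove, but bracketed_paste() continues outside the hunk, so the append and the 40-byte growth boundary exercised by the new test cannot be confirmed from this page alone.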


@ -108,6 +108,8 @@ Patch3037: 0001-patch-8.2.4247-stack-corruption-when-looking-for-spe.patch
Patch3038: 0001-patch-8.2.4253-using-freed-memory-when-substitute-wi.patch Patch3038: 0001-patch-8.2.4253-using-freed-memory-when-substitute-wi.patch
# CVE-2022-0443 vim: heap-use-after-free in enter_buffer() of src/buffer.c # CVE-2022-0443 vim: heap-use-after-free in enter_buffer() of src/buffer.c
Patch3039: 0001-patch-8.2.4281-using-freed-memory-with-lopen-and-bwi.patch Patch3039: 0001-patch-8.2.4281-using-freed-memory-with-lopen-and-bwi.patch
# CVE-2022-0392 vim: heap-based buffer overflow in getexmodeline() in ex_getln.c
Patch3040: 0001-patch-8.2.4218-illegal-memory-access-with-bracketed-.patch
# gcc is no longer in buildroot by default # gcc is no longer in buildroot by default
BuildRequires: gcc BuildRequires: gcc
@ -334,6 +336,7 @@ perl -pi -e "s,bin/nawk,bin/awk,g" runtime/tools/mve.awk
%patch3037 -p1 -b .cve0408 %patch3037 -p1 -b .cve0408
%patch3038 -p1 -b .cve0413 %patch3038 -p1 -b .cve0413
%patch3039 -p1 -b .cve0443 %patch3039 -p1 -b .cve0443
%patch3040 -p1 -b .cve0392
%build %build
cd src cd src
@ -894,6 +897,7 @@ touch %{buildroot}/%{_datadir}/%{name}/vimfiles/doc/tags
* Thu Feb 10 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.2.2637-12 * Thu Feb 10 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.2.2637-12
- CVE-2022-0413 vim: use after free in src/ex_cmds.c - CVE-2022-0413 vim: use after free in src/ex_cmds.c
- CVE-2022-0443 vim: heap-use-after-free in enter_buffer() of src/buffer.c - CVE-2022-0443 vim: heap-use-after-free in enter_buffer() of src/buffer.c
- CVE-2022-0392 vim: heap-based buffer overflow in getexmodeline() in ex_getln.c
* Wed Feb 09 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.2.2637-12 * Wed Feb 09 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.2.2637-12
- CVE-2022-0368 vim: Out-of-bounds Read in vim - CVE-2022-0368 vim: Out-of-bounds Read in vim
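Review bot: The changelog line added for CVE-2022-0392 joins the existing "Thu Feb 10 2022 ... 2:8.2.2637-12" entry, which already shares its version-release with the "Wed Feb 09 2022 ... 2:8.2.2637-12" entry below it; the Release tag is not in this section, so if it was not bumped, the rebuilt package carries the same NVR as the previous build and the fix is not distinguishable by version. Consider adding a new dated entry with a bumped release instead of extending the existing one. The Patch3040 comment names getexmodeline() in ex_getln.c (the CVE description), while the patch it introduces changes bracketed_paste() in src/edit.c; extending the comment to `# CVE-2022-0392 vim: heap-based buffer overflow in getexmodeline() in ex_getln.c (upstream 8.2.4218, fix in bracketed_paste(), src/edit.c)` would save the next reviewer from chasing the wrong file.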