CVE-2022-0392 vim: heap-based buffer overflow in getexmodeline() in ex_getln.c
Resolves: CVE-2022-0392
parent
9084c65312
commit
33c9a2555d
@ -0,0 +1,45 @@
|
|||||||
|
From 806d037671e133bd28a7864248763f643967973a Mon Sep 17 00:00:00 2001
|
||||||
|
From: Bram Moolenaar <Bram@vim.org>
|
||||||
|
Date: Tue, 25 Jan 2022 20:45:16 +0000
|
||||||
|
Subject: [PATCH] patch 8.2.4218: illegal memory access with bracketed paste in
|
||||||
|
Ex mode
|
||||||
|
|
||||||
|
Problem: Illegal memory access with bracketed paste in Ex mode.
|
||||||
|
Solution: Reserve space for the trailing NUL.
|
||||||
|
---
|
||||||
|
src/edit.c | 3 ++-
|
||||||
|
src/testdir/test_paste.vim | 3 +++
|
||||||
|
src/version.c | 2 ++
|
||||||
|
3 files changed, 7 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/src/edit.c b/src/edit.c
|
||||||
|
index ee3caf0da..2b5301100 100644
|
||||||
|
--- a/src/edit.c
|
||||||
|
+++ b/src/edit.c
|
||||||
|
@@ -4452,7 +4452,8 @@ bracketed_paste(paste_mode_T mode, int drop, garray_T *gap)
|
||||||
|
break;
|
||||||
|
|
||||||
|
case PASTE_EX:
|
||||||
|
- if (gap != NULL && ga_grow(gap, idx) == OK)
|
||||||
|
+ // add one for the NUL that is going to be appended
|
||||||
|
+ if (gap != NULL && ga_grow(gap, idx + 1) == OK)
|
||||||
|
{
|
||||||
|
mch_memmove((char *)gap->ga_data + gap->ga_len,
|
||||||
|
buf, (size_t)idx);
|
||||||
|
diff --git a/src/testdir/test_paste.vim b/src/testdir/test_paste.vim
|
||||||
|
index c94fe7c35..5b8d8a0e3 100644
|
||||||
|
--- a/src/testdir/test_paste.vim
|
||||||
|
+++ b/src/testdir/test_paste.vim
|
||||||
|
@@ -90,6 +90,9 @@ func Test_paste_ex_mode()
|
||||||
|
unlet! foo
|
||||||
|
call feedkeys("Qlet foo=\"\<Esc>[200~foo\<CR>bar\<Esc>[201~\"\<CR>vi\<CR>", 'xt')
|
||||||
|
call assert_equal("foo\rbar", foo)
|
||||||
|
+
|
||||||
|
+ " pasting more than 40 bytes
|
||||||
|
+ exe "norm Q\<PasteStart>0000000000000000000000000000000000000000000000000000000000000000000000\<C-C>"
|
||||||
|
endfunc
|
||||||
|
|
||||||
|
func Test_paste_onechar()
|
||||||
|
--
|
||||||
|
2.34.1
|
||||||
|
|
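Review bot: The backported patch keeps the upstream diffstat entry `src/version.c | 2 ++` but carries only the `src/edit.c` and `src/testdir/test_paste.vim` hunks, so the built editor will presumably not list patch 8.2.4218 and anyone verifying the CVE-2022-0392 fix has to rely on the package changelog instead. A comment beside `Patch3040` in vim.spec such as `# version.c hunk dropped for the 8.2.2637 base` would make the omission explicit. The added test line (`exe "norm Q\<PasteStart>0000…\<C-C>"`) has no assertion, so it only catches a regression when the suite runs under a memory checker; a test comment like `" no assert: must not trigger an illegal memory access under ASan/valgrind` would record that. In `src/edit.c` the body of `bracketed_paste()` continues outside the hunk, so the write of the NUL that `idx + 1` reserves room for is not visible here and should be confirmed against this older source tree.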
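--- a/vim.spec
+++ b/vim.spec
@@ -108,6 +108,8 @@ Patch3037: 0001-patch-8.2.4247-stack-corruption-when-looking-for-spe.patch
 Patch3038: 0001-patch-8.2.4253-using-freed-memory-when-substitute-wi.patch
 # CVE-2022-0443 vim: heap-use-after-free in enter_buffer() of src/buffer.c
 Patch3039: 0001-patch-8.2.4281-using-freed-memory-with-lopen-and-bwi.patch
+# CVE-2022-0392 vim: heap-based buffer overflow in getexmodeline() in ex_getln.c
+Patch3040: 0001-patch-8.2.4218-illegal-memory-access-with-bracketed-.patch
 
 # gcc is no longer in buildroot by default
 BuildRequires: gcc
@@ -334,6 +336,7 @@ perl -pi -e "s,bin/nawk,bin/awk,g" runtime/tools/mve.awk
 %patch3037 -p1 -b .cve0408
 %patch3038 -p1 -b .cve0413
 %patch3039 -p1 -b .cve0443
+%patch3040 -p1 -b .cve0392
 
 %build
 cd src
@@ -894,6 +897,7 @@ touch %{buildroot}/%{_datadir}/%{name}/vimfiles/doc/tags
 * Thu Feb 10 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.2.2637-12
 - CVE-2022-0413 vim: use after free in src/ex_cmds.c
 - CVE-2022-0443 vim: heap-use-after-free in enter_buffer() of src/buffer.c
+- CVE-2022-0392 vim: heap-based buffer overflow in getexmodeline() in ex_getln.c
 
 * Wed Feb 09 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.2.2637-12
 - CVE-2022-0368 vim: Out-of-bounds Read in vim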