CVE-2022-0408 vim: Stack-based Buffer Overflow in spellsuggest.c
Resolves: CVE-2022-0408
This commit is contained in:
parent
76e4c51c35
commit
34033283f8
@ -0,0 +1,75 @@
|
|||
diff --git a/src/spellsuggest.c b/src/spellsuggest.c
|
||||
index 3de9ff2..5462583 100644
|
||||
--- a/src/spellsuggest.c
|
||||
+++ b/src/spellsuggest.c
|
||||
@@ -1200,7 +1200,7 @@ suggest_try_change(suginfo_T *su)
|
||||
|
||||
// Check the maximum score, if we go over it we won't try this change.
|
||||
#define TRY_DEEPER(su, stack, depth, add) \
|
||||
- (stack[depth].ts_score + (add) < su->su_maxscore)
|
||||
+ (depth < MAXWLEN - 1 && stack[depth].ts_score + (add) < su->su_maxscore)
|
||||
|
||||
/*
|
||||
* Try finding suggestions by adding/removing/swapping letters.
|
||||
@@ -1272,6 +1272,9 @@ suggest_trie_walk(
|
||||
char_u changename[MAXWLEN][80];
|
||||
#endif
|
||||
int breakcheckcount = 1000;
|
||||
+#ifdef FEAT_RELTIME
|
||||
+ proftime_T time_limit;
|
||||
+#endif
|
||||
int compound_ok;
|
||||
|
||||
// Go through the whole case-fold tree, try changes at each node.
|
||||
@@ -1316,6 +1319,11 @@ suggest_trie_walk(
|
||||
sp->ts_state = STATE_START;
|
||||
}
|
||||
}
|
||||
+#ifdef FEAT_RELTIME
|
||||
+ // The loop may take an indefinite amount of time. Break out after five
|
||||
+ // sectonds. TODO: add an option for the time limit.
|
||||
+ profile_setlimit(5000, &time_limit);
|
||||
+#endif
|
||||
|
||||
// Loop to find all suggestions. At each round we either:
|
||||
// - For the current state try one operation, advance "ts_curi",
|
||||
@@ -1350,7 +1358,8 @@ suggest_trie_walk(
|
||||
|
||||
// At end of a prefix or at start of prefixtree: check for
|
||||
// following word.
|
||||
- if (byts[arridx] == 0 || n == (int)STATE_NOPREFIX)
|
||||
+ if (depth < MAXWLEN - 1
|
||||
+ && (byts[arridx] == 0 || n == (int)STATE_NOPREFIX))
|
||||
{
|
||||
// Set su->su_badflags to the caps type at this position.
|
||||
// Use the caps type until here for the prefix itself.
|
||||
@@ -2644,6 +2653,10 @@ suggest_trie_walk(
|
||||
{
|
||||
ui_breakcheck();
|
||||
breakcheckcount = 1000;
|
||||
+#ifdef FEAT_RELTIME
|
||||
+ if (profile_passed_limit(&time_limit))
|
||||
+ got_int = TRUE;
|
||||
+#endif
|
||||
}
|
||||
}
|
||||
}
|
||||
diff --git a/src/testdir/test_spell.vim b/src/testdir/test_spell.vim
|
||||
index a3a9621..35035a2 100644
|
||||
--- a/src/testdir/test_spell.vim
|
||||
+++ b/src/testdir/test_spell.vim
|
||||
@@ -768,6 +768,14 @@ func Test_spell_long_word()
|
||||
set nospell
|
||||
endfunc
|
||||
|
||||
+func Test_spellsuggest_too_deep()
|
||||
+ " This was incrementing "depth" over MAXWLEN.
|
||||
+ new
|
||||
+ norm s000G00ý000000000000
|
||||
+ sil norm ..vzG................vvzG0 v z=
|
||||
+ bwipe!
|
||||
+endfunc
|
||||
+
|
||||
func LoadAffAndDic(aff_contents, dic_contents)
|
||||
set enc=latin1
|
||||
set spellfile=
|
4
vim.spec
4
vim.spec
|
@ -102,6 +102,8 @@ Patch3034: 0001-patch-8.2.4215-illegal-memory-access-when-copying-li.patch
|
|||
Patch3035: 0001-patch-8.2.4217-illegal-memory-access-when-undo-makes.patch
|
||||
# CVE-2022-0417 vim: heap-based-buffer-overflow in ex_retab() of src/indent.c
|
||||
Patch3036: 0001-patch-8.2.4245-retab-0-may-cause-illegal-memory-acce.patch
|
||||
# CVE-2022-0408 vim: Stack-based Buffer Overflow in spellsuggest.c
|
||||
Patch3037: 0001-patch-8.2.4247-stack-corruption-when-looking-for-spe.patch
|
||||
|
||||
# gcc is no longer in buildroot by default
|
||||
BuildRequires: gcc
|
||||
|
@ -325,6 +327,7 @@ perl -pi -e "s,bin/nawk,bin/awk,g" runtime/tools/mve.awk
|
|||
%patch3034 -p1 -b .cve0361
|
||||
%patch3035 -p1 -b .cve0368
|
||||
%patch3036 -p1 -b .cve0417
|
||||
%patch3037 -p1 -b .cve0408
|
||||
|
||||
%build
|
||||
cd src
|
||||
|
@ -885,6 +888,7 @@ touch %{buildroot}/%{_datadir}/%{name}/vimfiles/doc/tags
|
|||
* Wed Feb 09 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.2.2637-12
|
||||
- CVE-2022-0368 vim: Out-of-bounds Read in vim
|
||||
- CVE-2022-0417 vim: heap-based-buffer-overflow in ex_retab() of src/indent.c
|
||||
- CVE-2022-0408 vim: Stack-based Buffer Overflow in spellsuggest.c
|
||||
|
||||
* Tue Feb 08 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.2.2637-12
|
||||
- CVE-2022-0319 vim: heap-based out-of-bounds read
|
||||
|
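Review bot: The changelog entry that receives the new `- CVE-2022-0408 vim: Stack-based Buffer Overflow in spellsuggest.c` line (hunk `@ -885,6 +888,7 @@`) is headed `* Wed Feb 09 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.2.2637-12`, the same version-release as the `* Tue Feb 08 2022` entry directly below it. If the Release tag, which lies outside these hunks, was not bumped for this build, the rebuilt package carries the same NVR as the previous one and rpmlint reports the duplicate changelog version; the header should read `* Wed Feb 09 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.2.2637-13` with Release raised to match, or the two entries should be merged under one release. The `Patch3037` / `%patch3037 -p1 -b .cve0408` pair follows the pattern of Patch3036 and needs no change.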