From 34033283f8cf634f627e1075110e2ede1fbfbe62 Mon Sep 17 00:00:00 2001
From: Zdenek Dohnal
Date: Wed, 9 Feb 2022 16:14:10 +0100
Subject: [PATCH] CVE-2022-0408 vim: Stack-based Buffer Overflow in spellsuggest.c

Resolves: CVE-2022-0408
---
 ...tack-corruption-when-looking-for-spe.patch | 75 +++++++++++++++++++
 vim.spec | 4 +
 2 files changed, 79 insertions(+)
 create mode 100644 0001-patch-8.2.4247-stack-corruption-when-looking-for-spe.patch

diff --git a/0001-patch-8.2.4247-stack-corruption-when-looking-for-spe.patch b/0001-patch-8.2.4247-stack-corruption-when-looking-for-spe.patch
new file mode 100644
index 0000000..201e5e2
--- /dev/null
+++ b/0001-patch-8.2.4247-stack-corruption-when-looking-for-spe.patch
@@ -0,0 +1,75 @@
+diff --git a/src/spellsuggest.c b/src/spellsuggest.c
+index 3de9ff2..5462583 100644
+--- a/src/spellsuggest.c
++++ b/src/spellsuggest.c
+@@ -1200,7 +1200,7 @@ suggest_try_change(suginfo_T *su)
+ 
+ // Check the maximum score, if we go over it we won't try this change.
+ #define TRY_DEEPER(su, stack, depth, add) \
+- (stack[depth].ts_score + (add) < su->su_maxscore)
++ (depth < MAXWLEN - 1 && stack[depth].ts_score + (add) < su->su_maxscore)
+ 
+ /*
+ * Try finding suggestions by adding/removing/swapping letters.
+@@ -1272,6 +1272,9 @@ suggest_trie_walk(
+ char_u changename[MAXWLEN][80];
+ #endif
+ int breakcheckcount = 1000;
++#ifdef FEAT_RELTIME
++ proftime_T time_limit;
++#endif
+ int compound_ok;
+ 
+ // Go through the whole case-fold tree, try changes at each node.
+@@ -1316,6 +1319,11 @@ suggest_trie_walk(
+ sp->ts_state = STATE_START;
+ }
+ }
++#ifdef FEAT_RELTIME
++ // The loop may take an indefinite amount of time. Break out after five
++ // sectonds. TODO: add an option for the time limit.
++ profile_setlimit(5000, &time_limit);
++#endif
+ 
+ // Loop to find all suggestions. At each round we either:
+ // - For the current state try one operation, advance "ts_curi",
+@@ -1350,7 +1358,8 @@ suggest_trie_walk(
+ 
+ // At end of a prefix or at start of prefixtree: check for
+ // following word.
+- if (byts[arridx] == 0 || n == (int)STATE_NOPREFIX)
++ if (depth < MAXWLEN - 1
++ && (byts[arridx] == 0 || n == (int)STATE_NOPREFIX))
+ {
+ // Set su->su_badflags to the caps type at this position.
+ // Use the caps type until here for the prefix itself.
+@@ -2644,6 +2653,10 @@ suggest_trie_walk(
+ {
+ ui_breakcheck();
+ breakcheckcount = 1000;
++#ifdef FEAT_RELTIME
++ if (profile_passed_limit(&time_limit))
++ got_int = TRUE;
++#endif
+ }
+ }
+ }
+diff --git a/src/testdir/test_spell.vim b/src/testdir/test_spell.vim
+index a3a9621..35035a2 100644
+--- a/src/testdir/test_spell.vim
++++ b/src/testdir/test_spell.vim
+@@ -768,6 +768,14 @@ func Test_spell_long_word()
+ set nospell
+ endfunc
+ 
++func Test_spellsuggest_too_deep()
++ " This was incrementing "depth" over MAXWLEN.
++ new
++ norm s000G00ý000000000000
++ sil norm ..vzG................vvzG0 v z=
++ bwipe!
++endfunc
++
+ func LoadAffAndDic(aff_contents, dic_contents)
+ set enc=latin1
+ set spellfile=
diff --git a/vim.spec b/vim.spec
index 0143df8..0b86ee4 100644
--- a/vim.spec
+++ b/vim.spec
@@ -102,6 +102,8 @@ Patch3034: 0001-patch-8.2.4215-illegal-memory-access-when-copying-li.patch
 Patch3035: 0001-patch-8.2.4217-illegal-memory-access-when-undo-makes.patch
 # CVE-2022-0417 vim: heap-based-buffer-overflow in ex_retab() of src/indent.c
 Patch3036: 0001-patch-8.2.4245-retab-0-may-cause-illegal-memory-acce.patch
+# CVE-2022-0408 vim: Stack-based Buffer Overflow in spellsuggest.c
+Patch3037: 0001-patch-8.2.4247-stack-corruption-when-looking-for-spe.patch
 
 # gcc is no longer in buildroot by default
 BuildRequires: gcc
@@ -325,6 +327,7 @@ perl -pi -e "s,bin/nawk,bin/awk,g" runtime/tools/mve.awk
 %patch3034 -p1 -b .cve0361
 %patch3035 -p1 -b .cve0368
 %patch3036 -p1 -b .cve0417
+%patch3037 -p1 -b .cve0408
 
 %build
 cd src
@@ -885,6 +888,7 @@ touch %{buildroot}/%{_datadir}/%{name}/vimfiles/doc/tags
 * Wed Feb 09 2022 Zdenek Dohnal - 2:8.2.2637-12
 - CVE-2022-0368 vim: Out-of-bounds Read in vim
 - CVE-2022-0417 vim: heap-based-buffer-overflow in ex_retab() of src/indent.c
+- CVE-2022-0408 vim: Stack-based Buffer Overflow in spellsuggest.c
 
 * Tue Feb 08 2022 Zdenek Dohnal - 2:8.2.2637-12
 - CVE-2022-0319 vim: heap-based out-of-bounds read
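Review bot: The `depth < MAXWLEN - 1` term added to `TRY_DEEPER` leaves the `depth` macro argument unparenthesized while the existing `(add)` operand is, so an argument that is an expression rather than a plain variable would bind differently; `((depth) < MAXWLEN - 1 && stack[depth].ts_score + (add) < su->su_maxscore)` keeps the macro hygienic for any caller. The same `MAXWLEN - 1` bound is repeated literally in the prefix check in `suggest_trie_walk`, and neither site says why the limit is one below `MAXWLEN` — presumably to leave room for the next stack entry at `depth + 1`, but the stack declaration is outside the hunk, so a short comment such as `// keep room for stack[depth + 1]`, confirmed against that declaration, would help future audits. The comment above `profile_setlimit(5000, &time_limit)` misspells "seconds" as "sectonds", and since the five-second limit only exists under `FEAT_RELTIME`, a comment noting that builds without it rely solely on the depth bounds to terminate the search would make the fallback explicit. The enclosing `suggest_trie_walk` body starts and ends outside the hunk.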