rpms
/
vim
7
0
Fork 0
Code Issues Pull Requests Releases Activity

2016202 - CVE-2021-3872 vim: heap-based buffer overflow in win_redr_status() drawscreen.c [rhel-9.0] 

Resolves: CVE-2021-3872
This commit is contained in:
Zdenek Dohnal 2021-10-26 12:30:06 +02:00
parent 6477489e4a
commit 3d44a275df
2 changed files with 79 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

72
0001-patch-8.2.3487-illegal-memory-access-if-buffer-name-.patch Normal file
View File

@ -0,0 +1,72 @@
From 826bfe4bbd7594188e3d74d2539d9707b1c6a14b Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Fri, 8 Oct 2021 18:39:28 +0100
Subject: [PATCH] patch 8.2.3487: illegal memory access if buffer name is very
long
Problem: Illegal memory access if buffer name is very long.
Solution: Make sure not to go over the end of the buffer.
---
src/drawscreen.c | 10 +++++-----
src/testdir/test_statusline.vim | 10 ++++++++++
src/version.c | 2 ++
3 files changed, 17 insertions(+), 5 deletions(-)
diff --git a/src/drawscreen.c b/src/drawscreen.c
index 82e53753b..e38ca9586 100644
--- a/src/drawscreen.c
+++ b/src/drawscreen.c
@@ -464,13 +464,13 @@ win_redr_status(win_T *wp, int ignore_pum UNUSED)
*(p + len++) = ' ';
if (bt_help(wp->w_buffer))
{
- STRCPY(p + len, _("[Help]"));
+ vim_snprintf((char *)p + len, MAXPATHL - len, "%s", _("[Help]"));
len += (int)STRLEN(p + len);
}
#ifdef FEAT_QUICKFIX
if (wp->w_p_pvw)
{
- STRCPY(p + len, _("[Preview]"));
+ vim_snprintf((char *)p + len, MAXPATHL - len, "%s", _("[Preview]"));
len += (int)STRLEN(p + len);
}
#endif
@@ -480,12 +480,12 @@ win_redr_status(win_T *wp, int ignore_pum UNUSED)
#endif
)
{
- STRCPY(p + len, "[+]");
- len += 3;
+ vim_snprintf((char *)p + len, MAXPATHL - len, "%s", "[+]");
+ len += (int)STRLEN(p + len);
}
if (wp->w_buffer->b_p_ro)
{
- STRCPY(p + len, _("[RO]"));
+ vim_snprintf((char *)p + len, MAXPATHL - len, "%s", _("[RO]"));
len += (int)STRLEN(p + len);
}
diff --git a/src/testdir/test_statusline.vim b/src/testdir/test_statusline.vim
index f3eea2e71..a952de69b 100644
--- a/src/testdir/test_statusline.vim
+++ b/src/testdir/test_statusline.vim
@@ -522,4 +522,14 @@ func Test_statusline_mbyte_fillchar()
%bw!
endfunc
+" Used to write beyond allocated memory. This assumes MAXPATHL is 4096 bytes.
+func Test_statusline_verylong_filename()
+ let fname = repeat('x', 4090)
+ exe "new " .. fname
+ set buftype=help
+ set previewwindow
+ redraw
+ bwipe!
+endfunc
+
" vim: shiftwidth=2 sts=2 expandtab
--
2.31.1

8
vim.spec
View File

@ -27,7 +27,7 @@ Summary: The VIM editor
URL: http://www.vim.org/
Name: vim
Version: %{baseversion}.%{patchlevel}
Release: 7%{?dist}
Release: 8%{?dist}
License: Vim and MIT
Source0: ftp://ftp.vim.org/pub/vim/unix/vim-%{baseversion}-%{patchlevel}.tar.bz2
Source1: virc
@ -78,6 +78,8 @@ Patch3022: 0001-patch-8.2.3409-reading-beyond-end-of-line-with-inval.patch
Patch3023: 0001-patch-8.2.3428-using-freed-memory-when-replacing.patch
# 2015517 - [s390x] Vim needs to be compiled with -D_REENTRANT
Patch3024: 0001-patch-8.2.3406-on-some-systems-tests-fail-without-_R.patch
# 2016202 - CVE-2021-3872 vim: heap-based buffer overflow in win_redr_status() drawscreen.c [rhel-9.0]
Patch3025: 0001-patch-8.2.3487-illegal-memory-access-if-buffer-name-.patch
# gcc is no longer in buildroot by default
BuildRequires: gcc
@ -289,6 +291,7 @@ perl -pi -e "s,bin/nawk,bin/awk,g" runtime/tools/mve.awk
%patch3022 -p1 -b .cve-utf-ptrchar
%patch3023 -p1 -b .cve-nv-replace
%patch3024 -p1 -b .reentrant
%patch3025 -p1 -b .cve-win-redr
%build
cd src
@ -846,6 +849,9 @@ touch %{buildroot}/%{_datadir}/%{name}/vimfiles/doc/tags
%endif
%changelog
* Tue Oct 26 2021 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.2.2637-8
- 2016202 - CVE-2021-3872 vim: heap-based buffer overflow in win_redr_status() drawscreen.c [rhel-9.0]
* Tue Oct 19 2021 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.2.2637-7
- 2015517 - [s390x] Vim needs to be compiled with -D_REENTRANT