rpms/vim
7
0
Fork 0
Code Issues Pull Requests Releases Activity

import vim-8.2.2637-16.el9_0.2

Browse Source
This commit is contained in:
CentOS Sources 2022-06-28 04:28:26 -04:00 committed by Stepan Oksanichenko
parent 3c146e6bad
commit 467a7fb1ee
7 changed files with 356 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

110
SOURCES/0001-patch-8.2.4327-may-end-up-with-no-current-buffer.patch Normal file
View File

@ -0,0 +1,110 @@
From e3537aec2f8d6470010547af28dcbd83d41461b8 Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Tue, 8 Feb 2022 15:05:20 +0000
Subject: [PATCH] patch 8.2.4327: may end up with no current buffer
Problem: May end up with no current buffer.
Solution: When deleting the current buffer to not pick a quickfix buffer as
the new current buffer.
---
src/buffer.c | 26 ++++++++++++++++++++++----
src/testdir/test_quickfix.vim | 25 +++++++++++++++++++++++++
src/version.c | 2 ++
3 files changed, 49 insertions(+), 4 deletions(-)
diff --git a/src/buffer.c b/src/buffer.c
index 81bdb31ca..b3e2bc3f9 100644
--- a/src/buffer.c
+++ b/src/buffer.c
@@ -1430,8 +1430,14 @@ do_buffer_ext(
buf = buflist_findnr(curwin->w_jumplist[jumpidx].fmark.fnum);
if (buf != NULL)
{
- if (buf == curbuf || !buf->b_p_bl)
- buf = NULL; // skip current and unlisted bufs
+ // Skip current and unlisted bufs. Also skip a quickfix
+ // buffer, it might be deleted soon.
+ if (buf == curbuf || !buf->b_p_bl
+#if defined(FEAT_QUICKFIX)
+ || bt_quickfix(buf)
+#endif
+ )
+ buf = NULL;
else if (buf->b_ml.ml_mfp == NULL)
{
// skip unloaded buf, but may keep it for later
@@ -1467,7 +1473,11 @@ do_buffer_ext(
continue;
}
// in non-help buffer, try to skip help buffers, and vv
- if (buf->b_help == curbuf->b_help && buf->b_p_bl)
+ if (buf->b_help == curbuf->b_help && buf->b_p_bl
+#if defined(FEAT_QUICKFIX)
+ && !bt_quickfix(buf)
+#endif
+ )
{
if (buf->b_ml.ml_mfp != NULL) // found loaded buffer
break;
@@ -1485,7 +1495,11 @@ do_buffer_ext(
if (buf == NULL) // No loaded buffer, find listed one
{
FOR_ALL_BUFFERS(buf)
- if (buf->b_p_bl && buf != curbuf)
+ if (buf->b_p_bl && buf != curbuf
+#if defined(FEAT_QUICKFIX)
+ && !bt_quickfix(buf)
+#endif
+ )
break;
}
if (buf == NULL) // Still no buffer, just take one
@@ -1494,6 +1508,10 @@ do_buffer_ext(
buf = curbuf->b_next;
else
buf = curbuf->b_prev;
+#if defined(FEAT_QUICKFIX)
+ if (bt_quickfix(buf))
+ buf = NULL;
+#endif
}
}
diff --git a/src/testdir/test_quickfix.vim b/src/testdir/test_quickfix.vim
index 07fdb9644..adb0ea4fd 100644
--- a/src/testdir/test_quickfix.vim
+++ b/src/testdir/test_quickfix.vim
@@ -5851,5 +5851,30 @@ func Test_lopen_bwipe()
delfunc R
endfunc
+" Another sequence of commands that caused all buffers to be wiped out
+func Test_lopen_bwipe_all()
+ let lines =<< trim END
+ func R()
+ silent! tab lopen
+ e foo
+ silent! lfile
+ endfunc
+ cal R()
+ exe "norm \<C-W>\<C-V>0"
+ cal R()
+ bwipe
+
+ call writefile(['done'], 'Xresult')
+ qall!
+ END
+ call writefile(lines, 'Xscript')
+ if RunVim([], [], '-u NONE -n -X -Z -e -m -s -S Xscript')
+ call assert_equal(['done'], readfile('Xresult'))
+ endif
+
+ call delete('Xscript')
+ call delete('Xresult')
+endfunc
+
" vim: shiftwidth=2 sts=2 expandtab
--
2.35.1

39
SOURCES/0001-patch-8.2.4563-z-in-Visual-mode-may-go-beyond-the-en.patch Normal file
View File

@ -0,0 +1,39 @@
diff -up vim82/src/spellsuggest.c.cve0943 vim82/src/spellsuggest.c
--- vim82/src/spellsuggest.c.cve0943 2022-03-28 20:48:07.079197805 +0200
+++ vim82/src/spellsuggest.c 2022-03-28 20:48:07.101197522 +0200
@@ -501,6 +501,10 @@ spell_suggest(int count)
curwin->w_cursor.col = VIsual.col;
++badlen;
end_visual_mode();
+ // make sure we don't include the NUL at the end of the line
+ line = ml_get_curline();
+ if (badlen > STRLEN(line) - curwin->w_cursor.col)
+ badlen = STRLEN(line) - curwin->w_cursor.col;
}
// Find the start of the badly spelled word.
else if (spell_move_to(curwin, FORWARD, TRUE, TRUE, NULL) == 0
diff -up vim82/src/testdir/test_spell.vim.cve0943 vim82/src/testdir/test_spell.vim
--- vim82/src/testdir/test_spell.vim.cve0943 2022-03-28 20:48:07.102197509 +0200
+++ vim82/src/testdir/test_spell.vim 2022-03-28 20:49:05.038452974 +0200
@@ -441,6 +441,21 @@ func Test_spellsuggest_expr_errors()
delfunc MySuggest3
endfunc
+func Test_spellsuggest_visual_end_of_line()
+ let enc_save = &encoding
+ set encoding=iso8859
+
+ " This was reading beyond the end of the line.
+ norm R00000000000
+ sil norm 0
+ sil! norm i00000)
+ sil! norm i00000)
+ call feedkeys("\<CR>")
+ norm z=
+
+ let &encoding = enc_save
+endfunc
+
func Test_spellinfo()
new
let runtime = substitute($VIMRUNTIME, '\\', '/', 'g')

44
SOURCES/0001-patch-8.2.4646-using-buffer-line-after-it-has-been-f.patch Normal file
View File

@ -0,0 +1,44 @@
diff -up vim82/src/regexp_bt.c.cve1154 vim82/src/regexp_bt.c
--- vim82/src/regexp_bt.c.cve1154 2022-04-25 15:22:28.367621755 +0200
+++ vim82/src/regexp_bt.c 2022-04-25 15:25:13.726340728 +0200
@@ -3188,8 +3188,17 @@ regmatch(
int mark = OPERAND(scan)[0];
int cmp = OPERAND(scan)[1];
pos_T *pos;
+ size_t col = REG_MULTI ? rex.input - rex.line : 0;
pos = getmark_buf(rex.reg_buf, mark, FALSE);
+
+ // Line may have been freed, get it again.
+ if (REG_MULTI)
+ {
+ rex.line = reg_getline(rex.lnum);
+ rex.input = rex.line + col;
+ }
+
if (pos == NULL // mark doesn't exist
|| pos->lnum <= 0 // mark isn't set in reg_buf
|| (pos->lnum == rex.lnum + rex.reg_firstlnum
diff -up vim82/src/testdir/test_regexp_latin.vim.cve1154 vim82/src/testdir/test_regexp_latin.vim
--- vim82/src/testdir/test_regexp_latin.vim.cve1154 2022-04-25 15:22:28.368621752 +0200
+++ vim82/src/testdir/test_regexp_latin.vim 2022-04-25 15:26:57.515227712 +0200
@@ -954,4 +954,19 @@ func Test_using_visual_position()
bwipe!
endfunc
+func Test_using_mark_position()
+ " this was using freed memory
+ " new engine
+ new
+ norm O0
+ call assert_fails("s/\\%')", 'E486:')
+ bwipe!
+
+ " old engine
+ new
+ norm O0
+ call assert_fails("s/\\%#=1\\%')", 'E486:')
+ bwipe!
+endfunc
+
" vim: shiftwidth=2 sts=2 expandtab

51
SOURCES/0001-patch-8.2.4774-crash-when-using-a-number-for-lambda-.patch Normal file
View File

@ -0,0 +1,51 @@
diff -up vim82/src/errors.h.cve1420 vim82/src/errors.h
--- vim82/src/errors.h.cve1420 2022-04-25 16:01:03.559985019 +0200
+++ vim82/src/errors.h 2022-04-25 16:01:58.113332024 +0200
@@ -383,3 +383,7 @@ EXTERN char e_cannot_use_default_values_
INIT(= N_("E1172: Cannot use default values in a lambda"));
EXTERN char e_resulting_text_too_long[]
INIT(= N_("E1240: Resulting text too long"));
+#ifdef FEAT_EVAL
+EXTERN char e_string_or_function_required_for_arrow_parens_expr[]
+ INIT(= N_("E1275: String or function required for ->(expr)"));
+#endif
diff -up vim82/src/eval.c.cve1420 vim82/src/eval.c
--- vim82/src/eval.c.cve1420 2022-04-25 16:01:03.560985007 +0200
+++ vim82/src/eval.c 2022-04-25 16:14:11.746600369 +0200
@@ -3718,13 +3718,20 @@ eval_lambda(
if (**arg != ')')
{
emsg(_(e_missing_close));
- ret = FAIL;
+ return FAIL;
+ }
+ if (rettv->v_type != VAR_STRING && rettv->v_type != VAR_FUNC
+ && rettv->v_type != VAR_PARTIAL)
+ {
+ emsg(_(e_string_or_function_required_for_arrow_parens_expr));
+ return FAIL;
}
++*arg;
}
if (ret != OK)
return FAIL;
- else if (**arg != '(')
+
+ if (**arg != '(')
{
if (verbose)
{
diff -up vim82/src/testdir/test_lambda.vim.cve1420 vim82/src/testdir/test_lambda.vim
--- vim82/src/testdir/test_lambda.vim.cve1420 2022-04-25 16:01:03.560985007 +0200
+++ vim82/src/testdir/test_lambda.vim 2022-04-25 16:17:01.694886566 +0200
@@ -64,6 +64,10 @@ function Test_lambda_fails()
call assert_fails('echo {a, a -> a + a}(1, 2)', 'E853:')
call assert_fails('echo {a, b -> a + b)}(1, 2)', 'E451:')
echo assert_fails('echo 10->{a -> a + 2}', 'E107:')
+ call assert_fails('eval 0->(3)()', "E1275:")
+ call assert_fails('eval 0->([3])()', "E1275:")
+ call assert_fails('eval 0->({"a": 3})()', "E1275:")
+ call assert_fails('eval 0->(xxx)()', "E121:")
endfunc
func Test_not_lamda()

50
SOURCES/0001-patch-8.2.4919-can-add-invalid-bytes-with-spellgood.patch Normal file
View File

@ -0,0 +1,50 @@
diff -up vim82/src/errors.h.cve1621 vim82/src/errors.h
--- vim82/src/errors.h.cve1621 2022-05-24 13:36:23.883370040 +0200
+++ vim82/src/errors.h 2022-05-24 13:36:47.665487703 +0200
@@ -387,3 +387,7 @@ EXTERN char e_resulting_text_too_long[]
EXTERN char e_string_or_function_required_for_arrow_parens_expr[]
INIT(= N_("E1275: String or function required for ->(expr)"));
#endif
+#ifdef FEAT_SPELL
+EXTERN char e_illegal_character_in_word[]
+ INIT(= N_("E1280: Illegal character in word"));
+#endif
diff -up vim82/src/mbyte.c.cve1621 vim82/src/mbyte.c
--- vim82/src/mbyte.c.cve1621 2021-03-22 10:02:42.000000000 +0100
+++ vim82/src/mbyte.c 2022-05-24 13:36:23.884370045 +0200
@@ -4181,7 +4181,7 @@ theend:
convert_setup(&vimconv, NULL, NULL);
}
-#if defined(FEAT_GUI_GTK) || defined(PROTO)
+#if defined(FEAT_GUI_GTK) || defined(FEAT_SPELL) || defined(PROTO)
/*
* Return TRUE if string "s" is a valid utf-8 string.
* When "end" is NULL stop at the first NUL.
diff -up vim82/src/spellfile.c.cve1621 vim82/src/spellfile.c
--- vim82/src/spellfile.c.cve1621 2021-03-22 10:02:42.000000000 +0100
+++ vim82/src/spellfile.c 2022-05-24 13:36:23.885370049 +0200
@@ -4391,6 +4391,10 @@ store_word(
int res = OK;
char_u *p;
+ // Avoid adding illegal bytes to the word tree.
+ if (enc_utf8 && !utf_valid_string(word, NULL))
+ return FAIL;
+
(void)spell_casefold(word, len, foldword, MAXWLEN);
for (p = pfxlist; res == OK; ++p)
{
@@ -6191,6 +6195,12 @@ spell_add_word(
int i;
char_u *spf;
+ if (enc_utf8 && !utf_valid_string(word, NULL))
+ {
+ emsg(_(e_illegal_character_in_word));
+ return;
+ }
+
if (idx == 0) // use internal wordlist
{
if (int_wordlist == NULL)

33
SOURCES/0001-patch-8.2.4925-trailing-backslash-may-cause-reading-.patch Normal file
View File

@ -0,0 +1,33 @@
From 53a70289c2712808e6d4e88927e03cac01b470dd Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Mon, 9 May 2022 13:15:07 +0100
Subject: [PATCH] patch 8.2.4925: trailing backslash may cause reading past end
of line
Problem: Trailing backslash may cause reading past end of line.
Solution: Check for NUL after backslash.
---
src/testdir/test_textobjects.vim | 10 +++++++++-
src/textobject.c | 4 ++++
src/version.c | 2 ++
3 files changed, 15 insertions(+), 1 deletion(-)
diff --git a/src/textobject.c b/src/textobject.c
index e4a7db38e..edaa64c51 100644
--- a/src/textobject.c
+++ b/src/textobject.c
@@ -1664,7 +1664,11 @@ find_next_quote(
if (c == NUL)
return -1;
else if (escape != NULL && vim_strchr(escape, c))
+ {
++col;
+ if (line[col] == NUL)
+ return -1;
+ }
else if (c == quotechar)
break;
if (has_mbyte)
--
2.36.1

30
SPECS/vim.spec
View File

@ -27,7 +27,7 @@ Summary: The VIM editor
URL: http://www.vim.org/
Name: vim
Version: %{baseversion}.%{patchlevel}
Release: 15%{?dist}
Release: 16%{?dist}.2
License: Vim and MIT
Source0: ftp://ftp.vim.org/pub/vim/unix/vim-%{baseversion}-%{patchlevel}.tar.bz2
Source1: virc
@ -116,6 +116,18 @@ Patch3041: 0001-patch-8.2.4359-crash-when-repeatedly-using-retab.patch
Patch3042: 0001-patch-8.2.4397-crash-when-using-many-composing-chara.patch
# CVE-2022-0714 vim: buffer overflow [rhel-9]
Patch3043: 0001-patch-8.2.4436-crash-with-weird-vartabstop-value.patch
# CVE-2022-0554 vim: Use of Out-of-range Pointer Offset in vim prior
Patch3044: 0001-patch-8.2.4327-may-end-up-with-no-current-buffer.patch
# CVE-2022-0943 vim: Heap-based Buffer Overflow occurs in vim
Patch3045: 0001-patch-8.2.4563-z-in-Visual-mode-may-go-beyond-the-en.patch
# CVE-2022-1154 vim: use after free in utf_ptr2char
Patch3046: 0001-patch-8.2.4646-using-buffer-line-after-it-has-been-f.patch
# CVE-2022-1420 vim: Out-of-range Pointer Offset
Patch3047: 0001-patch-8.2.4774-crash-when-using-a-number-for-lambda-.patch
# CVE-2022-1621 vim: heap buffer overflow
Patch3048: 0001-patch-8.2.4919-can-add-invalid-bytes-with-spellgood.patch
# CVE-2022-1629 vim: buffer over-read
Patch3049: 0001-patch-8.2.4925-trailing-backslash-may-cause-reading-.patch
# gcc is no longer in buildroot by default
BuildRequires: gcc
@ -346,6 +358,12 @@ perl -pi -e "s,bin/nawk,bin/awk,g" runtime/tools/mve.awk
%patch3041 -p1 -b .cve0572
%patch3042 -p1 -b .cve0629
%patch3043 -p1 -b .cve0714
%patch3044 -p1 -b .cve0554
%patch3045 -p1 -b .cve0943
%patch3046 -p1 -b .cve1154
%patch3047 -p1 -b .cve1420
%patch3048 -p1 -b .cve1621
%patch3049 -p1 -b .cve1629
%build
cd src
@ -903,6 +921,16 @@ touch %{buildroot}/%{_datadir}/%{name}/vimfiles/doc/tags
%endif
%changelog
* Wed May 25 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.2.2637-16.2
- CVE-2022-1621 vim: heap buffer overflow
- CVE-2022-1629 vim: buffer over-read
* Mon Apr 25 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.2.2637-16.1
- CVE-2022-0554 vim: Use of Out-of-range Pointer Offset in vim prior
- CVE-2022-0943 vim: Heap-based Buffer Overflow occurs in vim
- CVE-2022-1154 vim: use after free in utf_ptr2char
- CVE-2022-1420 vim: Out-of-range Pointer Offset
* Thu Feb 24 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.2.2637-15
- CVE-2022-0714 vim: buffer overflow [rhel-9]