CVE-2021-4192 vim: vulnerable to Use After Free
Resolves: CVE-2021-4192
This commit is contained in:
Zdenek Dohnal
parent
b7a801e714
commit
520837ecc5
|
|
@ -0,0 +1,44 @@
|
|||
diff -up vim82/src/regexp.c.cve4192 vim82/src/regexp.c
|
||||
--- vim82/src/regexp.c.cve4192 2021-03-22 10:02:42.000000000 +0100
|
||||
+++ vim82/src/regexp.c 2022-01-13 10:54:17.629176807 +0100
|
||||
@@ -1316,9 +1316,9 @@ reg_match_visual(void)
|
||||
if (lnum < top.lnum || lnum > bot.lnum)
|
||||
return FALSE;
|
||||
|
||||
+ col = (colnr_T)(rex.input - rex.line);
|
||||
if (mode == 'v')
|
||||
{
|
||||
- col = (colnr_T)(rex.input - rex.line);
|
||||
if ((lnum == top.lnum && col < top.col)
|
||||
|| (lnum == bot.lnum && col >= bot.col + (*p_sel != 'e')))
|
||||
return FALSE;
|
||||
@@ -1333,7 +1333,12 @@ reg_match_visual(void)
|
||||
end = end2;
|
||||
if (top.col == MAXCOL || bot.col == MAXCOL)
|
||||
end = MAXCOL;
|
||||
- cols = win_linetabsize(wp, rex.line, (colnr_T)(rex.input - rex.line));
|
||||
+
|
||||
+ // getvvcol() flushes rex.line, need to get it again
|
||||
+ rex.line = reg_getline(rex.lnum);
|
||||
+ rex.input = rex.line + col;
|
||||
+
|
||||
+ cols = win_linetabsize(wp, rex.line, col);
|
||||
if (cols < start || cols > end - (*p_sel == 'e'))
|
||||
return FALSE;
|
||||
}
|
||||
diff -up vim82/src/testdir/test_regexp_latin.vim.cve4192 vim82/src/testdir/test_regexp_latin.vim
|
||||
--- vim82/src/testdir/test_regexp_latin.vim.cve4192 2022-01-13 10:52:05.508789448 +0100
|
||||
+++ vim82/src/testdir/test_regexp_latin.vim 2022-01-13 10:52:05.510789454 +0100
|
||||
@@ -946,4 +946,12 @@ func Test_using_invalid_visual_position(
|
||||
bwipe!
|
||||
endfunc
|
||||
|
||||
+func Test_using_visual_position()
|
||||
+ " this was using freed memory
|
||||
+ new
|
||||
+ exe "norm 0o\<Esc>\<C-V>k\<C-X>o0"
|
||||
+ /\%V
|
||||
+ bwipe!
|
||||
+endfunc
|
||||
+
|
||||
" vim: shiftwidth=2 sts=2 expandtab
|
||||
4
vim.spec
4
vim.spec
|
|
@ -86,6 +86,8 @@ Patch3026: 0001-patch-8.2.3625-illegal-memory-access-when-C-indentin.patch
|
|||
Patch3027: 0001-patch-8.2.3669-buffer-overflow-with-long-help-argume.patch
|
||||
# CVE-2021-4193 vim: vulnerable to Out-of-bounds Read
|
||||
Patch3028: 0001-patch-8.2.3950-going-beyond-the-end-of-the-line-with.patch
|
||||
# CVE-2021-4192 vim: vulnerable to Use After Free
|
||||
Patch3029: 0001-patch-8.2.3949-using-freed-memory-with-V.patch
|
||||
|
||||
# gcc is no longer in buildroot by default
|
||||
BuildRequires: gcc
|
||||
|
|
@ -301,6 +303,7 @@ perl -pi -e "s,bin/nawk,bin/awk,g" runtime/tools/mve.awk
|
|||
%patch3026 -p1 -b .cve3984
|
||||
%patch3027 -p1 -b .cve4019
|
||||
%patch3028 -p1 -b .cve4193
|
||||
%patch3029 -p1 -b .cve4192
|
||||
|
||||
%build
|
||||
cd src
|
||||
|
|
@ -860,6 +863,7 @@ touch %{buildroot}/%{_datadir}/%{name}/vimfiles/doc/tags
|
|||
%changelog
|
||||
* Thu Jan 13 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.2.2637-10
|
||||
- CVE-2021-4193 vim: vulnerable to Out-of-bounds Read
|
||||
- CVE-2021-4192 vim: vulnerable to Use After Free
|
||||
|
||||
* Mon Dec 06 2021 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.2.2637-9
|
||||
- 2028431 - CVE-2021-4019 vim: heap-based buffer overflow in find_help_tags() in src/help.c [rhel-9.0]
|
||||
|
|
|
|||
Loading…
Reference in New Issue