CVE-2022-0319 vim: heap-based out-of-bounds read

Resolves: CVE-2022-0319
2022-02-08 14:12:11 +01:00 · 2022-02-08 14:12:11 +01:00 · 604cf01a29
commit 604cf01a29
parent 319be2ae2d
2 changed files with 50 additions and 1 deletions
--- a/0001-patch-8.2.4154-ml_get-error-when-exchanging-windows-.patch
+++ b/0001-patch-8.2.4154-ml_get-error-when-exchanging-windows-.patch
@ -0,0 +1,43 @@
+diff -up vim82/src/testdir/test_visual.vim.cve0319 vim82/src/testdir/test_visual.vim
+--- vim82/src/testdir/test_visual.vim.cve0319	2022-02-08 13:24:54.170813231 +0100
+++ vim82/src/testdir/test_visual.vim	2022-02-08 13:26:21.313747976 +0100
+@@ -985,4 +985,15 @@ func Test_visual_block_insert_round_off(
+   bwipe!
+ endfunc
+ 
+" this was causing an ml_get error
+func Test_visual_exchange_windows()
+  enew!
+  new
+  call setline(1, ['foo', 'bar'])
+  exe "normal G\<C-V>gg\<C-W>\<C-X>OO\<Esc>"
+  bwipe!
+  bwipe!
+endfunc
+
+
+ " vim: shiftwidth=2 sts=2 expandtab
+diff -up vim82/src/window.c.cve0319 vim82/src/window.c
+--- vim82/src/window.c.cve0319	2022-02-08 13:24:54.137813879 +0100
+++ vim82/src/window.c	2022-02-08 13:24:54.171813211 +0100
+@@ -1697,6 +1697,11 @@ win_exchange(long Prenum)
+ 
+     (void)win_comp_pos();		// recompute window positions
+ 
+    if (wp->w_buffer != curbuf)
+	reset_VIsual_and_resel();
+    else if (VIsual_active)
+	wp->w_cursor = curwin->w_cursor;
+
+     win_enter(wp, TRUE);
+     redraw_all_later(NOT_VALID);
+ }
+@@ -5261,7 +5266,7 @@ frame_remove(frame_T *frp)
+ win_alloc_lines(win_T *wp)
+ {
+     wp->w_lines_valid = 0;
+-    wp->w_lines = ALLOC_CLEAR_MULT(wline_T, Rows );
+    wp->w_lines = ALLOC_CLEAR_MULT(wline_T, Rows);
+     if (wp->w_lines == NULL)
+ 	return FAIL;
+     return OK;
--- a/vim.spec
+++ b/vim.spec
@ -27,7 +27,7 @@ Summary: The VIM editor
 URL:     http://www.vim.org/
 Name: vim
 Version: %{baseversion}.%{patchlevel}
-Release: 11%{?dist}
+Release: 12%{?dist}
 License: Vim and MIT
 Source0: ftp://ftp.vim.org/pub/vim/unix/vim-%{baseversion}-%{patchlevel}.tar.bz2
 Source1: virc
@ -94,6 +94,8 @@ Patch3030: 0001-patch-8.2.4120-block-insert-goes-over-the-end-of-the.patch
 Patch3031: 0001-patch-8.2.4151-reading-beyond-the-end-of-a-line.patch
 # CVE-2022-0359 vim: heap-based buffer overflow in init_ccline() in ex_getln.c
 Patch3032: 0001-patch-8.2.4214-illegal-memory-access-with-large-tabs.patch
+# CVE-2022-0319 vim: heap-based out-of-bounds read
+Patch3033: 0001-patch-8.2.4154-ml_get-error-when-exchanging-windows-.patch

 # gcc is no longer in buildroot by default
 BuildRequires: gcc
@ -313,6 +315,7 @@ perl -pi -e "s,bin/nawk,bin/awk,g" runtime/tools/mve.awk
 %patch3030 -p1 -b .cve0261
 %patch3031 -p1 -b .cve0318
 %patch3032 -p1 -b .cve0359
+%patch3033 -p1 -b .cve0319

 %build
 cd src
@ -870,6 +873,9 @@ touch %{buildroot}/%{_datadir}/%{name}/vimfiles/doc/tags
 %endif

 %changelog
+* Tue Feb 08 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.2.2637-12
+- CVE-2022-0319 vim: heap-based out-of-bounds read
+
 * Thu Jan 27 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.2.2637-11
 - CVE-2022-0261 vim: Heap-based Buffer Overflow in block_insert() in src/ops.c
 - CVE-2022-0318 vim: heap-based buffer overflow in utf_head_off() in mbyte.c