From 76e4c51c358f6155a0707fe806bc7ac658b4f94d Mon Sep 17 00:00:00 2001
From: Zdenek Dohnal <zdohnal@redhat.com>
Date: Wed, 9 Feb 2022 11:56:07 +0100
Subject: [PATCH] CVE-2022-0417 vim: heap-based-buffer-overflow in ex_retab()
 of src/indent.c

Resolves: CVE-2022-0417
---
 ...etab-0-may-cause-illegal-memory-acce.patch | 95 +++++++++++++++++++
 vim.spec                                      |  4 +
 2 files changed, 99 insertions(+)
 create mode 100644 0001-patch-8.2.4245-retab-0-may-cause-illegal-memory-acce.patch

diff --git a/0001-patch-8.2.4245-retab-0-may-cause-illegal-memory-acce.patch b/0001-patch-8.2.4245-retab-0-may-cause-illegal-memory-acce.patch
new file mode 100644
index 0000000..be23fb3
--- /dev/null
+++ b/0001-patch-8.2.4245-retab-0-may-cause-illegal-memory-acce.patch
@@ -0,0 +1,95 @@
+diff -up vim82/src/indent.c.cve0417 vim82/src/indent.c
+--- vim82/src/indent.c.cve0417	2022-02-09 10:01:34.250009316 +0100
++++ vim82/src/indent.c	2022-02-09 10:02:54.802588536 +0100
+@@ -71,7 +71,7 @@ tabstop_set(char_u *var, int **array)
+ 	int n = atoi((char *)cp);
+ 
+ 	// Catch negative values, overflow and ridiculous big values.
+-	if (n < 0 || n > 9999)
++	if (n < 0 || n > TABSTOP_MAX)
+ 	{
+ 	    semsg(_(e_invarg2), cp);
+ 	    vim_free(*array);
+@@ -1595,7 +1595,7 @@ ex_retab(exarg_T *eap)
+ 	emsg(_(e_positive));
+ 	return;
+     }
+-    if (new_ts < 0 || new_ts > 9999)
++    if (new_ts < 0 || new_ts > TABSTOP_MAX)
+     {
+ 	semsg(_(e_invarg2), eap->arg);
+ 	return;
+diff -up vim82/src/option.c.cve0417 vim82/src/option.c
+--- vim82/src/option.c.cve0417	2022-02-09 10:01:34.196009598 +0100
++++ vim82/src/option.c	2022-02-09 10:28:10.398548161 +0100
+@@ -3640,6 +3640,11 @@ set_num_option(
+ 	errmsg = e_positive;
+ 	curbuf->b_p_ts = 8;
+     }
++    else if (curbuf->b_p_ts > TABSTOP_MAX)
++    {
++	errmsg = e_invarg;
++	curbuf->b_p_ts = 8;
++    }
+     if (p_tm < 0)
+     {
+ 	errmsg = e_positive;
+@@ -5830,7 +5835,7 @@ buf_copy_options(buf_T *buf, int flags)
+ 	    if (p_vsts && p_vsts != empty_option)
+ 		(void)tabstop_set(p_vsts, &buf->b_p_vsts_array);
+ 	    else
+-		buf->b_p_vsts_array = 0;
++		buf->b_p_vsts_array = NULL;
+ 	    buf->b_p_vsts_nopaste = p_vsts_nopaste
+ 				 ? vim_strsave(p_vsts_nopaste) : NULL;
+ #endif
+@@ -6649,9 +6654,7 @@ paste_option_changed(void)
+ 	    if (buf->b_p_vsts)
+ 		free_string_option(buf->b_p_vsts);
+ 	    buf->b_p_vsts = empty_option;
+-	    if (buf->b_p_vsts_array)
+-		vim_free(buf->b_p_vsts_array);
+-	    buf->b_p_vsts_array = 0;
++	    VIM_CLEAR(buf->b_p_vsts_array);
+ #endif
+ 	}
+ 
+@@ -6697,12 +6700,11 @@ paste_option_changed(void)
+ 		free_string_option(buf->b_p_vsts);
+ 	    buf->b_p_vsts = buf->b_p_vsts_nopaste
+ 			 ? vim_strsave(buf->b_p_vsts_nopaste) : empty_option;
+-	    if (buf->b_p_vsts_array)
+-		vim_free(buf->b_p_vsts_array);
++	    vim_free(buf->b_p_vsts_array);
+ 	    if (buf->b_p_vsts && buf->b_p_vsts != empty_option)
+ 		(void)tabstop_set(buf->b_p_vsts, &buf->b_p_vsts_array);
+ 	    else
+-		buf->b_p_vsts_array = 0;
++		buf->b_p_vsts_array = NULL;
+ #endif
+ 	}
+ 
+diff -up vim82/src/testdir/test_options.vim.cve0417 vim82/src/testdir/test_options.vim
+--- vim82/src/testdir/test_options.vim.cve0417	2021-03-22 10:02:42.000000000 +0100
++++ vim82/src/testdir/test_options.vim	2022-02-09 10:01:34.251009311 +0100
+@@ -362,6 +362,8 @@ func Test_set_errors()
+   call assert_fails('set shiftwidth=-1', 'E487:')
+   call assert_fails('set sidescroll=-1', 'E487:')
+   call assert_fails('set tabstop=-1', 'E487:')
++  call assert_fails('set tabstop=10000', 'E474:')
++  call assert_fails('set tabstop=5500000000', 'E474:')
+   call assert_fails('set textwidth=-1', 'E487:')
+   call assert_fails('set timeoutlen=-1', 'E487:')
+   call assert_fails('set updatecount=-1', 'E487:')
+diff -up vim82/src/vim.h.cve0417 vim82/src/vim.h
+--- vim82/src/vim.h.cve0417	2021-03-22 10:02:42.000000000 +0100
++++ vim82/src/vim.h	2022-02-09 10:01:34.252009306 +0100
+@@ -2032,6 +2032,8 @@ typedef int sock_T;
+ 
+ #define DICT_MAXNEST 100	// maximum nesting of lists and dicts
+ 
++#define TABSTOP_MAX 9999
++
+ #ifdef FEAT_CLIPBOARD
+ 
+ // VIM_ATOM_NAME is the older Vim-specific selection type for X11.  Still
diff --git a/vim.spec b/vim.spec
index 3bac147..0143df8 100644
--- a/vim.spec
+++ b/vim.spec
@@ -100,6 +100,8 @@ Patch3033: 0001-patch-8.2.4154-ml_get-error-when-exchanging-windows-.patch
 Patch3034: 0001-patch-8.2.4215-illegal-memory-access-when-copying-li.patch
 # CVE-2022-0368 vim: Out-of-bounds Read in vim
 Patch3035: 0001-patch-8.2.4217-illegal-memory-access-when-undo-makes.patch
+# CVE-2022-0417 vim: heap-based-buffer-overflow in ex_retab() of src/indent.c
+Patch3036: 0001-patch-8.2.4245-retab-0-may-cause-illegal-memory-acce.patch
 
 # gcc is no longer in buildroot by default
 BuildRequires: gcc
@@ -322,6 +324,7 @@ perl -pi -e "s,bin/nawk,bin/awk,g" runtime/tools/mve.awk
 %patch3033 -p1 -b .cve0319
 %patch3034 -p1 -b .cve0361
 %patch3035 -p1 -b .cve0368
+%patch3036 -p1 -b .cve0417
 
 %build
 cd src
@@ -881,6 +884,7 @@ touch %{buildroot}/%{_datadir}/%{name}/vimfiles/doc/tags
 %changelog
 * Wed Feb 09 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.2.2637-12
 - CVE-2022-0368 vim: Out-of-bounds Read in vim
+- CVE-2022-0417 vim: heap-based-buffer-overflow in ex_retab() of src/indent.c
 
 * Tue Feb 08 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.2.2637-12
 - CVE-2022-0319 vim: heap-based out-of-bounds read