CVE-2022-1621 vim: heap buffer overflow

Resolves: CVE-2022-1621
2022-05-24 13:37:53 +02:00 · 2022-05-24 13:37:53 +02:00 · 9eda475105
commit 9eda475105
parent bdc81b4f5c
2 changed files with 57 additions and 1 deletions
--- a/0001-patch-8.2.4919-can-add-invalid-bytes-with-spellgood.patch
+++ b/0001-patch-8.2.4919-can-add-invalid-bytes-with-spellgood.patch
@ -0,0 +1,50 @@
+diff -up vim82/src/errors.h.cve1621 vim82/src/errors.h
+--- vim82/src/errors.h.cve1621	2022-05-24 13:36:23.883370040 +0200
+++ vim82/src/errors.h	2022-05-24 13:36:47.665487703 +0200
+@@ -387,3 +387,7 @@ EXTERN char e_resulting_text_too_long[]
+ EXTERN char e_string_or_function_required_for_arrow_parens_expr[]
+ 	INIT(= N_("E1275: String or function required for ->(expr)"));
+ #endif
+#ifdef FEAT_SPELL
+EXTERN char e_illegal_character_in_word[]
+	INIT(= N_("E1280: Illegal character in word"));
+#endif
+diff -up vim82/src/mbyte.c.cve1621 vim82/src/mbyte.c
+--- vim82/src/mbyte.c.cve1621	2021-03-22 10:02:42.000000000 +0100
+++ vim82/src/mbyte.c	2022-05-24 13:36:23.884370045 +0200
+@@ -4181,7 +4181,7 @@ theend:
+     convert_setup(&vimconv, NULL, NULL);
+ }
+ 
+-#if defined(FEAT_GUI_GTK) || defined(PROTO)
+#if defined(FEAT_GUI_GTK) || defined(FEAT_SPELL) || defined(PROTO)
+ /*
+  * Return TRUE if string "s" is a valid utf-8 string.
+  * When "end" is NULL stop at the first NUL.
+diff -up vim82/src/spellfile.c.cve1621 vim82/src/spellfile.c
+--- vim82/src/spellfile.c.cve1621	2021-03-22 10:02:42.000000000 +0100
+++ vim82/src/spellfile.c	2022-05-24 13:36:23.885370049 +0200
+@@ -4391,6 +4391,10 @@ store_word(
+     int		res = OK;
+     char_u	*p;
+ 
+    // Avoid adding illegal bytes to the word tree.
+    if (enc_utf8 && !utf_valid_string(word, NULL))
+	return FAIL;
+
+     (void)spell_casefold(word, len, foldword, MAXWLEN);
+     for (p = pfxlist; res == OK; ++p)
+     {
+@@ -6191,6 +6195,12 @@ spell_add_word(
+     int		i;
+     char_u	*spf;
+ 
+    if (enc_utf8 && !utf_valid_string(word, NULL))
+    {
+	emsg(_(e_illegal_character_in_word));
+	return;
+    }
+
+     if (idx == 0)	    // use internal wordlist
+     {
+ 	if (int_wordlist == NULL)
--- a/vim.spec
+++ b/vim.spec
@ -27,7 +27,7 @@ Summary: The VIM editor
 URL:     http://www.vim.org/
 Name: vim
 Version: %{baseversion}.%{patchlevel}
-Release: 17%{?dist}
+Release: 18%{?dist}
 License: Vim and MIT
 Source0: ftp://ftp.vim.org/pub/vim/unix/vim-%{baseversion}-%{patchlevel}.tar.bz2
 Source1: virc
@ -124,6 +124,8 @@ Patch3045: 0001-patch-8.2.4563-z-in-Visual-mode-may-go-beyond-the-en.patch
 Patch3046: 0001-patch-8.2.4646-using-buffer-line-after-it-has-been-f.patch
 # CVE-2022-1420 vim: Out-of-range Pointer Offset
 Patch3047: 0001-patch-8.2.4774-crash-when-using-a-number-for-lambda-.patch
+# CVE-2022-1621 vim: heap buffer overflow
+Patch3048: 0001-patch-8.2.4919-can-add-invalid-bytes-with-spellgood.patch

 # gcc is no longer in buildroot by default
 BuildRequires: gcc
@ -358,6 +360,7 @@ perl -pi -e "s,bin/nawk,bin/awk,g" runtime/tools/mve.awk
 %patch3045 -p1 -b .cve0943
 %patch3046 -p1 -b .cve1154
 %patch3047 -p1 -b .cve1420
+%patch3048 -p1 -b .cve1621

 %build
 cd src
@ -915,6 +918,9 @@ touch %{buildroot}/%{_datadir}/%{name}/vimfiles/doc/tags
 %endif

 %changelog
+* Tue May 24 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.2.2637-18
+- CVE-2022-1621 vim: heap buffer overflow
+
 * Mon Apr 25 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.2.2637-17
 - CVE-2022-1154 vim: use after free in utf_ptr2char
 - CVE-2022-1420 vim: Out-of-range Pointer Offset