CVE-2022-1621 vim: heap buffer overflow
Resolves: CVE-2022-1621
This commit is contained in:
parent
bdc81b4f5c
commit
9eda475105
|
@ -0,0 +1,50 @@
|
||||||
|
diff -up vim82/src/errors.h.cve1621 vim82/src/errors.h
|
||||||
|
--- vim82/src/errors.h.cve1621 2022-05-24 13:36:23.883370040 +0200
|
||||||
|
+++ vim82/src/errors.h 2022-05-24 13:36:47.665487703 +0200
|
||||||
|
@@ -387,3 +387,7 @@ EXTERN char e_resulting_text_too_long[]
|
||||||
|
EXTERN char e_string_or_function_required_for_arrow_parens_expr[]
|
||||||
|
INIT(= N_("E1275: String or function required for ->(expr)"));
|
||||||
|
#endif
|
||||||
|
+#ifdef FEAT_SPELL
|
||||||
|
+EXTERN char e_illegal_character_in_word[]
|
||||||
|
+ INIT(= N_("E1280: Illegal character in word"));
|
||||||
|
+#endif
|
||||||
|
diff -up vim82/src/mbyte.c.cve1621 vim82/src/mbyte.c
|
||||||
|
--- vim82/src/mbyte.c.cve1621 2021-03-22 10:02:42.000000000 +0100
|
||||||
|
+++ vim82/src/mbyte.c 2022-05-24 13:36:23.884370045 +0200
|
||||||
|
@@ -4181,7 +4181,7 @@ theend:
|
||||||
|
convert_setup(&vimconv, NULL, NULL);
|
||||||
|
}
|
||||||
|
|
||||||
|
-#if defined(FEAT_GUI_GTK) || defined(PROTO)
|
||||||
|
+#if defined(FEAT_GUI_GTK) || defined(FEAT_SPELL) || defined(PROTO)
|
||||||
|
/*
|
||||||
|
* Return TRUE if string "s" is a valid utf-8 string.
|
||||||
|
* When "end" is NULL stop at the first NUL.
|
||||||
|
diff -up vim82/src/spellfile.c.cve1621 vim82/src/spellfile.c
|
||||||
|
--- vim82/src/spellfile.c.cve1621 2021-03-22 10:02:42.000000000 +0100
|
||||||
|
+++ vim82/src/spellfile.c 2022-05-24 13:36:23.885370049 +0200
|
||||||
|
@@ -4391,6 +4391,10 @@ store_word(
|
||||||
|
int res = OK;
|
||||||
|
char_u *p;
|
||||||
|
|
||||||
|
+ // Avoid adding illegal bytes to the word tree.
|
||||||
|
+ if (enc_utf8 && !utf_valid_string(word, NULL))
|
||||||
|
+ return FAIL;
|
||||||
|
+
|
||||||
|
(void)spell_casefold(word, len, foldword, MAXWLEN);
|
||||||
|
for (p = pfxlist; res == OK; ++p)
|
||||||
|
{
|
||||||
|
@@ -6191,6 +6195,12 @@ spell_add_word(
|
||||||
|
int i;
|
||||||
|
char_u *spf;
|
||||||
|
|
||||||
|
+ if (enc_utf8 && !utf_valid_string(word, NULL))
|
||||||
|
+ {
|
||||||
|
+ emsg(_(e_illegal_character_in_word));
|
||||||
|
+ return;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
if (idx == 0) // use internal wordlist
|
||||||
|
{
|
||||||
|
if (int_wordlist == NULL)
|
8
vim.spec
8
vim.spec
|
@ -27,7 +27,7 @@ Summary: The VIM editor
|
||||||
URL: http://www.vim.org/
|
URL: http://www.vim.org/
|
||||||
Name: vim
|
Name: vim
|
||||||
Version: %{baseversion}.%{patchlevel}
|
Version: %{baseversion}.%{patchlevel}
|
||||||
Release: 17%{?dist}
|
Release: 18%{?dist}
|
||||||
License: Vim and MIT
|
License: Vim and MIT
|
||||||
Source0: ftp://ftp.vim.org/pub/vim/unix/vim-%{baseversion}-%{patchlevel}.tar.bz2
|
Source0: ftp://ftp.vim.org/pub/vim/unix/vim-%{baseversion}-%{patchlevel}.tar.bz2
|
||||||
Source1: virc
|
Source1: virc
|
||||||
|
@ -124,6 +124,8 @@ Patch3045: 0001-patch-8.2.4563-z-in-Visual-mode-may-go-beyond-the-en.patch
|
||||||
Patch3046: 0001-patch-8.2.4646-using-buffer-line-after-it-has-been-f.patch
|
Patch3046: 0001-patch-8.2.4646-using-buffer-line-after-it-has-been-f.patch
|
||||||
# CVE-2022-1420 vim: Out-of-range Pointer Offset
|
# CVE-2022-1420 vim: Out-of-range Pointer Offset
|
||||||
Patch3047: 0001-patch-8.2.4774-crash-when-using-a-number-for-lambda-.patch
|
Patch3047: 0001-patch-8.2.4774-crash-when-using-a-number-for-lambda-.patch
|
||||||
|
# CVE-2022-1621 vim: heap buffer overflow
|
||||||
|
Patch3048: 0001-patch-8.2.4919-can-add-invalid-bytes-with-spellgood.patch
|
||||||
|
|
||||||
# gcc is no longer in buildroot by default
|
# gcc is no longer in buildroot by default
|
||||||
BuildRequires: gcc
|
BuildRequires: gcc
|
||||||
|
@ -358,6 +360,7 @@ perl -pi -e "s,bin/nawk,bin/awk,g" runtime/tools/mve.awk
|
||||||
%patch3045 -p1 -b .cve0943
|
%patch3045 -p1 -b .cve0943
|
||||||
%patch3046 -p1 -b .cve1154
|
%patch3046 -p1 -b .cve1154
|
||||||
%patch3047 -p1 -b .cve1420
|
%patch3047 -p1 -b .cve1420
|
||||||
|
%patch3048 -p1 -b .cve1621
|
||||||
|
|
||||||
%build
|
%build
|
||||||
cd src
|
cd src
|
||||||
|
@ -915,6 +918,9 @@ touch %{buildroot}/%{_datadir}/%{name}/vimfiles/doc/tags
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Tue May 24 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.2.2637-18
|
||||||
|
- CVE-2022-1621 vim: heap buffer overflow
|
||||||
|
|
||||||
* Mon Apr 25 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.2.2637-17
|
* Mon Apr 25 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.2.2637-17
|
||||||
- CVE-2022-1154 vim: use after free in utf_ptr2char
|
- CVE-2022-1154 vim: use after free in utf_ptr2char
|
||||||
- CVE-2022-1420 vim: Out-of-range Pointer Offset
|
- CVE-2022-1420 vim: Out-of-range Pointer Offset
|
||||||
|
|
Loading…
Reference in New Issue