CVE-2022-0318 vim: heap-based buffer overflow in utf_head_off() in mbyte.c
Resolves: CVE-2022-0318
parent
f5e8ebfed2
commit
b3a7cde64b
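--- /dev/null
+++ b/0001-patch-8.2.4151-reading-beyond-the-end-of-a-line.patch
@@ -0,0 +1,62 @@
+diff --git a/src/ops.c b/src/ops.c
+index 88992b6..80e0ea1 100644
+--- a/src/ops.c
++++ b/src/ops.c
+@@ -527,24 +527,8 @@ block_insert(
+}
+
+if (has_mbyte && spaces > 0)
+- {
+- int off;
+-
+- // Avoid starting halfway a multi-byte character.
+- if (b_insert)
+- {
+- off = (*mb_head_off)(oldp, oldp + offset + spaces);
+- spaces -= off;
+- count -= off;
+- }
+- else
+- {
+- // spaces fill the gap, the character that's at the edge moves
+- // right
+- off = (*mb_head_off)(oldp, oldp + offset);
+- offset -= off;
+- }
+- }
++ // avoid copying part of a multi-byte character
++ offset -= (*mb_head_off)(oldp, oldp + offset);
+
+// Make sure the allocated size matches what is actually copied below.
+newp = alloc(STRLEN(oldp) + spaces + s_len
+diff --git a/src/testdir/test_utf8.vim b/src/testdir/test_utf8.vim
+index 5454e43..bedec20 100644
+--- a/src/testdir/test_utf8.vim
++++ b/src/testdir/test_utf8.vim
+@@ -7,7 +7,7 @@ func Test_visual_block_insert()
+new
+call setline(1, ["aaa", "あああ", "bbb"])
+exe ":norm! gg0l\<C-V>jjIx\<Esc>"
+- call assert_equal(['axaa', 'xあああ', 'bxbb'], getline(1, '$'))
++ call assert_equal(['axaa', ' xあああ', 'bxbb'], getline(1, '$'))
+bwipeout!
+endfunc
+
+diff --git a/src/testdir/test_visual.vim b/src/testdir/test_visual.vim
+index dc8e376..8de9e3d 100644
+--- a/src/testdir/test_visual.vim
++++ b/src/testdir/test_visual.vim
+@@ -976,4 +976,13 @@ func Test_visual_block_append_invalid_char()
+bwipe!
+endfunc
+
++func Test_visual_block_insert_round_off()
++ new
++ " The number of characters are tuned to fill a 4096 byte allocated block,
++ " so that valgrind reports going over the end.
++ call setline(1, ['xxxxx', repeat('0', 1350), "\t", repeat('x', 60)])
++ exe "normal gg0\<C-V>GI" .. repeat('0', 1320) .. "\<Esc>"
++ bwipe!
++endfunc
++
+" vim: shiftwidth=2 sts=2 expandtab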
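Review bot: The new `offset -= (*mb_head_off)(oldp, oldp + offset);` in the ops.c hunk drops the old b_insert branch's `spaces -= off; count -= off;` without recording why those adjustments were the problem, and the only trace of the resulting behaviour change is the test_utf8.vim expectation moving from `'xあああ'` to `' xあああ'`. A comment on the new line such as `// only move offset back; do not shrink spaces/count, the alloc() below is sized from spaces` would let a reader tie the fix to the `newp = alloc(STRLEN(oldp) + spaces + s_len` line that follows — presumably the overflow came from the allocation and the later copy disagreeing on the size, which should be confirmed against upstream patch 8.2.4151. The patch file itself carries no upstream From/Subject header, so its provenance is only inferable from the spec's `Patch3031:` file name. block_insert() starts and ends outside the hunk.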
4
vim.spec
4
vim.spec
@ -90,6 +90,8 @@ Patch3028: 0001-patch-8.2.3950-going-beyond-the-end-of-the-line-with.patch
Patch3029: 0001-patch-8.2.3949-using-freed-memory-with-V.patch
# CVE-2022-0261 vim: Heap-based Buffer Overflow in block_insert() in src/ops.c
Patch3030: 0001-patch-8.2.4120-block-insert-goes-over-the-end-of-the.patch
# CVE-2022-0318 vim: heap-based buffer overflow in utf_head_off() in mbyte.c
Patch3031: 0001-patch-8.2.4151-reading-beyond-the-end-of-a-line.patch
|
# gcc is no longer in buildroot by default
BuildRequires: gcc
@ -307,6 +309,7 @@ perl -pi -e "s,bin/nawk,bin/awk,g" runtime/tools/mve.awk
%patch3028 -p1 -b .cve4193
%patch3029 -p1 -b .cve4192
%patch3030 -p1 -b .cve0261
%patch3031 -p1 -b .cve0318
|
%build
cd src
@ -866,6 +869,7 @@ touch %{buildroot}/%{_datadir}/%{name}/vimfiles/doc/tags
%changelog
* Thu Jan 27 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.2.2637-11
- CVE-2022-0261 vim: Heap-based Buffer Overflow in block_insert() in src/ops.c
- CVE-2022-0318 vim: heap-based buffer overflow in utf_head_off() in mbyte.c
|
* Thu Jan 13 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.2.2637-10
- CVE-2021-4193 vim: vulnerable to Out-of-bounds Read
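Review bot: The added spec comment `# CVE-2022-0318 vim: heap-based buffer overflow in utf_head_off() in mbyte.c` and the matching changelog entry name mbyte.c, while the patch being added changes block_insert() in src/ops.c plus two test files, so an auditor looking for a mbyte.c change in this backport will not find one. Extending the comment to `# CVE-2022-0318 vim: heap-based buffer overflow in utf_head_off() in mbyte.c (upstream patch 8.2.4151, change is in block_insert() in src/ops.c)` ties the CVE title to what the patch actually touches.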