CVE-2022-0318 vim: heap-based buffer overflow in utf_head_off() in mbyte.c

Resolves: CVE-2022-0318
2022-01-27 18:20:40 +01:00 · 2022-01-27 18:20:40 +01:00 · b3a7cde64b
parent f5e8ebfed2
commit b3a7cde64b
2 changed files with 66 additions and 0 deletions
--- a/0001-patch-8.2.4151-reading-beyond-the-end-of-a-line.patch
+++ b/0001-patch-8.2.4151-reading-beyond-the-end-of-a-line.patch
@ -0,0 +1,62 @@
+diff --git a/src/ops.c b/src/ops.c
+index 88992b6..80e0ea1 100644
+--- a/src/ops.c
+++ b/src/ops.c
+@@ -527,24 +527,8 @@ block_insert(
+ 	}
+ 
+ 	if (has_mbyte && spaces > 0)
+-	{
+-	    int off;
+-
+-	    // Avoid starting halfway a multi-byte character.
+-	    if (b_insert)
+-	    {
+-		off = (*mb_head_off)(oldp, oldp + offset + spaces);
+-		spaces -= off;
+-		count -= off;
+-	    }
+-	    else
+-	    {
+-		// spaces fill the gap, the character that's at the edge moves
+-		// right
+-		off = (*mb_head_off)(oldp, oldp + offset);
+-		offset -= off;
+-	    }
+-	}
+	    // avoid copying part of a multi-byte character
+	    offset -= (*mb_head_off)(oldp, oldp + offset);
+ 
+ 	// Make sure the allocated size matches what is actually copied below.
+ 	newp = alloc(STRLEN(oldp) + spaces + s_len
+diff --git a/src/testdir/test_utf8.vim b/src/testdir/test_utf8.vim
+index 5454e43..bedec20 100644
+--- a/src/testdir/test_utf8.vim
+++ b/src/testdir/test_utf8.vim
+@@ -7,7 +7,7 @@ func Test_visual_block_insert()
+   new
+   call setline(1, ["aaa", "あああ", "bbb"])
+   exe ":norm! gg0l\<C-V>jjIx\<Esc>"
+-  call assert_equal(['axaa', 'xあああ', 'bxbb'], getline(1, '$'))
+  call assert_equal(['axaa', ' xあああ', 'bxbb'], getline(1, '$'))
+   bwipeout!
+ endfunc
+ 
+diff --git a/src/testdir/test_visual.vim b/src/testdir/test_visual.vim
+index dc8e376..8de9e3d 100644
+--- a/src/testdir/test_visual.vim
+++ b/src/testdir/test_visual.vim
+@@ -976,4 +976,13 @@ func Test_visual_block_append_invalid_char()
+   bwipe!
+ endfunc
+ 
+func Test_visual_block_insert_round_off()
+  new
+  " The number of characters are tuned to fill a 4096 byte allocated block,
+  " so that valgrind reports going over the end.
+  call setline(1, ['xxxxx', repeat('0', 1350), "\t", repeat('x', 60)])
+  exe "normal gg0\<C-V>GI" .. repeat('0', 1320) .. "\<Esc>"
+  bwipe!
+endfunc
+
+ " vim: shiftwidth=2 sts=2 expandtab
--- a/vim.spec
+++ b/vim.spec
@ -90,6 +90,8 @@ Patch3028: 0001-patch-8.2.3950-going-beyond-the-end-of-the-line-with.patch
 Patch3029: 0001-patch-8.2.3949-using-freed-memory-with-V.patch
 # CVE-2022-0261 vim: Heap-based Buffer Overflow in block_insert() in src/ops.c
 Patch3030: 0001-patch-8.2.4120-block-insert-goes-over-the-end-of-the.patch
+# CVE-2022-0318 vim: heap-based buffer overflow in utf_head_off() in mbyte.c
+Patch3031: 0001-patch-8.2.4151-reading-beyond-the-end-of-a-line.patch

 # gcc is no longer in buildroot by default
 BuildRequires: gcc
@ -307,6 +309,7 @@ perl -pi -e "s,bin/nawk,bin/awk,g" runtime/tools/mve.awk
 %patch3028 -p1 -b .cve4193
 %patch3029 -p1 -b .cve4192
 %patch3030 -p1 -b .cve0261
+%patch3031 -p1 -b .cve0318

 %build
 cd src
@ -866,6 +869,7 @@ touch %{buildroot}/%{_datadir}/%{name}/vimfiles/doc/tags
 %changelog
 * Thu Jan 27 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.2.2637-11
 - CVE-2022-0261 vim: Heap-based Buffer Overflow in block_insert() in src/ops.c
+- CVE-2022-0318 vim: heap-based buffer overflow in utf_head_off() in mbyte.c

 * Thu Jan 13 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.2.2637-10
 - CVE-2021-4193 vim: vulnerable to Out-of-bounds Read