diff --git a/0001-patch-8.2.4151-reading-beyond-the-end-of-a-line.patch b/0001-patch-8.2.4151-reading-beyond-the-end-of-a-line.patch
new file mode 100644
index 0000000..ad10a9a
--- /dev/null
+++ b/0001-patch-8.2.4151-reading-beyond-the-end-of-a-line.patch
@@ -0,0 +1,62 @@
+diff --git a/src/ops.c b/src/ops.c
+index 88992b6..80e0ea1 100644
+--- a/src/ops.c
++++ b/src/ops.c
+@@ -527,24 +527,8 @@ block_insert(
+ }
+ 
+ if (has_mbyte && spaces > 0)
+- {
+- int off;
+-
+- // Avoid starting halfway a multi-byte character.
+- if (b_insert)
+- {
+- off = (*mb_head_off)(oldp, oldp + offset + spaces);
+- spaces -= off;
+- count -= off;
+- }
+- else
+- {
+- // spaces fill the gap, the character that's at the edge moves
+- // right
+- off = (*mb_head_off)(oldp, oldp + offset);
+- offset -= off;
+- }
+- }
++ // avoid copying part of a multi-byte character
++ offset -= (*mb_head_off)(oldp, oldp + offset);
+ 
+ // Make sure the allocated size matches what is actually copied below.
+ newp = alloc(STRLEN(oldp) + spaces + s_len
+diff --git a/src/testdir/test_utf8.vim b/src/testdir/test_utf8.vim
+index 5454e43..bedec20 100644
+--- a/src/testdir/test_utf8.vim
++++ b/src/testdir/test_utf8.vim
+@@ -7,7 +7,7 @@ func Test_visual_block_insert()
+ new
+ call setline(1, ["aaa", "あああ", "bbb"])
+ exe ":norm! gg0l\jjIx\"
+- call assert_equal(['axaa', 'xあああ', 'bxbb'], getline(1, '$'))
++ call assert_equal(['axaa', ' xあああ', 'bxbb'], getline(1, '$'))
+ bwipeout!
+ endfunc
+ 
+diff --git a/src/testdir/test_visual.vim b/src/testdir/test_visual.vim
+index dc8e376..8de9e3d 100644
+--- a/src/testdir/test_visual.vim
++++ b/src/testdir/test_visual.vim
+@@ -976,4 +976,13 @@ func Test_visual_block_append_invalid_char()
+ bwipe!
+ endfunc
+ 
++func Test_visual_block_insert_round_off()
++ new
++ " The number of characters are tuned to fill a 4096 byte allocated block,
++ " so that valgrind reports going over the end.
++ call setline(1, ['xxxxx', repeat('0', 1350), "\t", repeat('x', 60)])
++ exe "normal gg0\GI" .. repeat('0', 1320) .. "\"
++ bwipe!
++endfunc
++
+ " vim: shiftwidth=2 sts=2 expandtab
diff --git a/vim.spec b/vim.spec
index 6c7979d..0cac2cb 100644
--- a/vim.spec
+++ b/vim.spec
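Review bot: The new patch file begins directly with `diff --git a/src/ops.c b/src/ops.c` as the first of its 62 lines, so it carries no upstream provenance — no `From:`, `Date:` or `Subject:` header and no upstream commit id — even though the 0001-patch-… name suggests it was produced by git format-patch. A security backport should keep that header so the fix can be traced and re-verified later, at minimum `Subject: patch 8.2.4151: reading beyond the end of a line` plus the upstream commit id (`<UPSTREAM-COMMIT-ID>`, not given on this page). The code change moves the `(*mb_head_off)()` call from `oldp + offset + spaces` to `oldp + offset` and drops the `spaces`/`count` adjustments, and the matching test_utf8.vim expectation changes from `'xあああ'` to `' xあああ'`, i.e. block insert on a multi-byte line now keeps a leading space — a user-visible behaviour change that deserves a sentence in the spec changelog alongside the CVE id. The enclosing block_insert() begins and ends outside the hunk; the test strings `":norm! gg0l\jjIx\"` and `"\"` look as if angle-bracket key names were lost on the way to this page, so it is worth confirming the committed file still reads `\<C-V>` and `\<Esc>` there.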
@@ -90,6 +90,8 @@ Patch3028: 0001-patch-8.2.3950-going-beyond-the-end-of-the-line-with.patch
 Patch3029: 0001-patch-8.2.3949-using-freed-memory-with-V.patch
 # CVE-2022-0261 vim: Heap-based Buffer Overflow in block_insert() in src/ops.c
 Patch3030: 0001-patch-8.2.4120-block-insert-goes-over-the-end-of-the.patch
+# CVE-2022-0318 vim: heap-based buffer overflow in utf_head_off() in mbyte.c
+Patch3031: 0001-patch-8.2.4151-reading-beyond-the-end-of-a-line.patch
 
 # gcc is no longer in buildroot by default
 BuildRequires: gcc
@@ -307,6 +309,7 @@ perl -pi -e "s,bin/nawk,bin/awk,g" runtime/tools/mve.awk
 %patch3028 -p1 -b .cve4193
 %patch3029 -p1 -b .cve4192
 %patch3030 -p1 -b .cve0261
+%patch3031 -p1 -b .cve0318
 
 %build
 cd src
@@ -866,6 +869,7 @@ touch %{buildroot}/%{_datadir}/%{name}/vimfiles/doc/tags
 %changelog
 * Thu Jan 27 2022 Zdenek Dohnal - 2:8.2.2637-11
 - CVE-2022-0261 vim: Heap-based Buffer Overflow in block_insert() in src/ops.c
+- CVE-2022-0318 vim: heap-based buffer overflow in utf_head_off() in mbyte.c
 
 * Thu Jan 13 2022 Zdenek Dohnal - 2:8.2.2637-10
 - CVE-2021-4193 vim: vulnerable to Out-of-bounds Read
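Review bot: The Patch3031 comment in the first hunk, and the changelog line in the third, locate the fix in utf_head_off() in mbyte.c, but the attached 0001-patch-8.2.4151-reading-beyond-the-end-of-a-line.patch touches only block_insert() in src/ops.c plus two test files, so a maintainer looking in mbyte.c for the change will not find it. The CVE title can stay, but the comment should also say what the backport actually changes, e.g. `# CVE-2022-0318 vim: heap-based buffer overflow in utf_head_off() in mbyte.c (upstream patch 8.2.4151; fixes the caller block_insert() in src/ops.c)`. The third hunk appends the CVE line to the existing 2:8.2.2637-11 changelog entry and no `Release:` change is in this diff; if -11 has already been built, the new patch needs a new entry and a Release bump so the rebuilt package is distinguishable from the one shipped without the fix.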