CVE-2022-0318 vim: heap-based buffer overflow in utf_head_off() in mbyte.c
Resolves: CVE-2022-0318
parent
f5e8ebfed2
commit
b3a7cde64b
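--- a/0001-patch-8.2.4151-reading-beyond-the-end-of-a-line.patch
+++ b/0001-patch-8.2.4151-reading-beyond-the-end-of-a-line.patch
@@ -0,0 +1,62 @@
+diff --git a/src/ops.c b/src/ops.c
+index 88992b6..80e0ea1 100644
+--- a/src/ops.c
++++ b/src/ops.c
+@@ -527,24 +527,8 @@ block_insert(
+}
+
+if (has_mbyte && spaces > 0)
+- {
+- int off;
+-
+- // Avoid starting halfway a multi-byte character.
+- if (b_insert)
+- {
+- off = (*mb_head_off)(oldp, oldp + offset + spaces);
+- spaces -= off;
+- count -= off;
+- }
+- else
+- {
+- // spaces fill the gap, the character that's at the edge moves
+- // right
+- off = (*mb_head_off)(oldp, oldp + offset);
+- offset -= off;
+- }
+- }
++ // avoid copying part of a multi-byte character
++ offset -= (*mb_head_off)(oldp, oldp + offset);
+
+// Make sure the allocated size matches what is actually copied below.
+newp = alloc(STRLEN(oldp) + spaces + s_len
+diff --git a/src/testdir/test_utf8.vim b/src/testdir/test_utf8.vim
+index 5454e43..bedec20 100644
+--- a/src/testdir/test_utf8.vim
++++ b/src/testdir/test_utf8.vim
+@@ -7,7 +7,7 @@ func Test_visual_block_insert()
+new
+call setline(1, ["aaa", "あああ", "bbb"])
+exe ":norm! gg0l\<C-V>jjIx\<Esc>"
+- call assert_equal(['axaa', 'xあああ', 'bxbb'], getline(1, '$'))
++ call assert_equal(['axaa', ' xあああ', 'bxbb'], getline(1, '$'))
+bwipeout!
+endfunc
+
+diff --git a/src/testdir/test_visual.vim b/src/testdir/test_visual.vim
+index dc8e376..8de9e3d 100644
+--- a/src/testdir/test_visual.vim
++++ b/src/testdir/test_visual.vim
+@@ -976,4 +976,13 @@ func Test_visual_block_append_invalid_char()
+bwipe!
+endfunc
+
++func Test_visual_block_insert_round_off()
++ new
++ " The number of characters are tuned to fill a 4096 byte allocated block,
++ " so that valgrind reports going over the end.
++ call setline(1, ['xxxxx', repeat('0', 1350), "\t", repeat('x', 60)])
++ exe "normal gg0\<C-V>GI" .. repeat('0', 1320) .. "\<Esc>"
++ bwipe!
++endfunc
++
+" vim: shiftwidth=2 sts=2 expandtab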
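Review bot: Test_visual_block_insert_round_off in the test_visual.vim hunk has no assertion, so it can only fail when the suite runs under a memory checker; its own comment says the sizes are tuned so that valgrind reports the overrun. In a package build that runs the tests without valgrind or a sanitizer, it would most likely pass even with the ops.c change reverted, so it gives no regression protection for CVE-2022-0318 there. Either run this test file under valgrind or ASan in the build's check stage, or state the limitation in the test, e.g. `" No assert: only valgrind or ASan detects the overflow this test triggers.` Separately, block_insert starts and ends outside the ops.c hunk, so the bound on `offset` is not visible; it is worth confirming that `oldp + offset` cannot point past the terminating NUL of `oldp` before `mb_head_off` is called.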
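--- a/vim.spec
+++ b/vim.spec
@@ -90,6 +90,8 @@ Patch3028: 0001-patch-8.2.3950-going-beyond-the-end-of-the-line-with.patch
 Patch3029: 0001-patch-8.2.3949-using-freed-memory-with-V.patch
 # CVE-2022-0261 vim: Heap-based Buffer Overflow in block_insert() in src/ops.c
 Patch3030: 0001-patch-8.2.4120-block-insert-goes-over-the-end-of-the.patch
+# CVE-2022-0318 vim: heap-based buffer overflow in utf_head_off() in mbyte.c
+Patch3031: 0001-patch-8.2.4151-reading-beyond-the-end-of-a-line.patch
 
 # gcc is no longer in buildroot by default
 BuildRequires: gcc
@@ -307,6 +309,7 @@ perl -pi -e "s,bin/nawk,bin/awk,g" runtime/tools/mve.awk
 %patch3028 -p1 -b .cve4193
 %patch3029 -p1 -b .cve4192
 %patch3030 -p1 -b .cve0261
+%patch3031 -p1 -b .cve0318
 
 %build
 cd src
@@ -866,6 +869,7 @@ touch %{buildroot}/%{_datadir}/%{name}/vimfiles/doc/tags
 %changelog
 * Thu Jan 27 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.2.2637-11
 - CVE-2022-0261 vim: Heap-based Buffer Overflow in block_insert() in src/ops.c
+- CVE-2022-0318 vim: heap-based buffer overflow in utf_head_off() in mbyte.c
 
 * Thu Jan 13 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.2.2637-10
 - CVE-2021-4193 vim: vulnerable to Out-of-bounds Read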