CVE-2022-0413 vim: use after free in src/ex_cmds.c

Resolves: CVE-2022-0413
2022-02-10 08:29:33 +01:00 · 2022-02-10 08:29:33 +01:00 · b3c80bdcc6
commit b3c80bdcc6
parent 34033283f8
2 changed files with 75 additions and 0 deletions
--- a/0001-patch-8.2.4253-using-freed-memory-when-substitute-wi.patch
+++ b/0001-patch-8.2.4253-using-freed-memory-when-substitute-wi.patch
@ -0,0 +1,69 @@
+diff -up vim82/src/ex_cmds.c.cve0413 vim82/src/ex_cmds.c
+--- vim82/src/ex_cmds.c.cve0413	2022-02-10 08:09:27.644493218 +0100
+++ vim82/src/ex_cmds.c	2022-02-10 08:09:27.653493168 +0100
+@@ -3627,6 +3627,7 @@ ex_substitute(exarg_T *eap)
+     int		save_do_all;		// remember user specified 'g' flag
+     int		save_do_ask;		// remember user specified 'c' flag
+     char_u	*pat = NULL, *sub = NULL;	// init for GCC
+    char_u	*sub_copy = NULL;
+     int		delimiter;
+     int		sublen;
+     int		got_quit = FALSE;
+@@ -3928,11 +3929,20 @@ ex_substitute(exarg_T *eap)
+     sub_firstline = NULL;
+ 
+     /*
+-     * ~ in the substitute pattern is replaced with the old pattern.
+-     * We do it here once to avoid it to be replaced over and over again.
+-     * But don't do it when it starts with "\=", then it's an expression.
+     * If the substitute pattern starts with "\=" then it's an expression.
+     * Make a copy, a recursive function may free it.
+     * Otherwise, '~' in the substitute pattern is replaced with the old
+     * pattern.  We do it here once to avoid it to be replaced over and over
+     * again.
+      */
+-    if (!(sub[0] == '\\' && sub[1] == '='))
+    if (sub[0] == '\\' && sub[1] == '=')
+    {
+	sub = vim_strsave(sub);
+	if (sub == NULL)
+	    return;
+	sub_copy = sub;
+    }
+    else
+ 	sub = regtilde(sub, magic_isset());
+ 
+     /*
+@@ -4737,6 +4747,7 @@ outofmem:
+ #endif
+ 
+     vim_regfree(regmatch.regprog);
+    vim_free(sub_copy);
+ 
+     // Restore the flag values, they can be used for ":&&".
+     subflags.do_all = save_do_all;
+diff -up vim82/src/testdir/test_substitute.vim.cve0413 vim82/src/testdir/test_substitute.vim
+--- vim82/src/testdir/test_substitute.vim.cve0413	2022-02-10 08:09:27.654493162 +0100
+++ vim82/src/testdir/test_substitute.vim	2022-02-10 08:10:14.392230843 +0100
+@@ -926,4 +926,21 @@ func Test_substitute_multiline_submatch(
+   close!
+ endfunc
+ 
+" This was using "old_sub" after it was freed.
+func Test_using_old_sub()
+  set compatible maxfuncdepth=10
+  new
+  call setline(1, 'some text.')
+  func Repl()
+    ~
+    s/
+  endfunc
+  silent!  s/\%')/\=Repl()
+
+  delfunc Repl
+  bwipe!
+  set nocompatible
+endfunc
+
+
+ " vim: shiftwidth=2 sts=2 expandtab
--- a/vim.spec
+++ b/vim.spec
@ -104,6 +104,8 @@ Patch3035: 0001-patch-8.2.4217-illegal-memory-access-when-undo-makes.patch
 Patch3036: 0001-patch-8.2.4245-retab-0-may-cause-illegal-memory-acce.patch
 # CVE-2022-0408 vim: Stack-based Buffer Overflow in spellsuggest.c
 Patch3037: 0001-patch-8.2.4247-stack-corruption-when-looking-for-spe.patch
+# CVE-2022-0413 vim: use after free in src/ex_cmds.c
+Patch3038: 0001-patch-8.2.4253-using-freed-memory-when-substitute-wi.patch

 # gcc is no longer in buildroot by default
 BuildRequires: gcc
@ -328,6 +330,7 @@ perl -pi -e "s,bin/nawk,bin/awk,g" runtime/tools/mve.awk
 %patch3035 -p1 -b .cve0368
 %patch3036 -p1 -b .cve0417
 %patch3037 -p1 -b .cve0408
+%patch3038 -p1 -b .cve0413

 %build
 cd src
@ -885,6 +888,9 @@ touch %{buildroot}/%{_datadir}/%{name}/vimfiles/doc/tags
 %endif

 %changelog
+* Thu Feb 10 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.2.2637-12
+- CVE-2022-0413 vim: use after free in src/ex_cmds.c
+
 * Wed Feb 09 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.2.2637-12
 - CVE-2022-0368 vim: Out-of-bounds Read in vim
 - CVE-2022-0417 vim: heap-based-buffer-overflow in ex_retab() of src/indent.c