CVE-2022-0413 vim: use after free in src/ex_cmds.c

Resolves: CVE-2022-0413
2022-02-10 08:29:33 +01:00 · 2022-02-10 08:29:33 +01:00 · b3c80bdcc6
commit b3c80bdcc6
parent 34033283f8
2 changed files with 75 additions and 0 deletions
--- a/0001-patch-8.2.4253-using-freed-memory-when-substitute-wi.patch
+++ b/0001-patch-8.2.4253-using-freed-memory-when-substitute-wi.patch
@ -0,0 +1,69 @@
 diff -up vim82/src/ex_cmds.c.cve0413 vim82/src/ex_cmds.c
 --- vim82/src/ex_cmds.c.cve0413	2022-02-10 08:09:27.644493218 +0100
 +++ vim82/src/ex_cmds.c	2022-02-10 08:09:27.653493168 +0100
@@ -3627,6 +3627,7 @@ ex_substitute(exarg_T *eap)
     int		save_do_all;		// remember user specified 'g' flag
     int		save_do_ask;		// remember user specified 'c' flag
     char_u	*pat = NULL, *sub = NULL;	// init for GCC
 +    char_u	*sub_copy = NULL;
     int		delimiter;
     int		sublen;
     int		got_quit = FALSE;
@@ -3928,11 +3929,20 @@ ex_substitute(exarg_T *eap)
     sub_firstline = NULL;
     /*
 -     * ~ in the substitute pattern is replaced with the old pattern.
 -     * We do it here once to avoid it to be replaced over and over again.
 -     * But don't do it when it starts with "\=", then it's an expression.
 +     * If the substitute pattern starts with "\=" then it's an expression.
 +     * Make a copy, a recursive function may free it.
 +     * Otherwise, '~' in the substitute pattern is replaced with the old
 +     * pattern.  We do it here once to avoid it to be replaced over and over
 +     * again.
      */
 -    if (!(sub[0] == '\\' && sub[1] == '='))
 +    if (sub[0] == '\\' && sub[1] == '=')
 +    {
 +	sub = vim_strsave(sub);
 +	if (sub == NULL)
 +	    return;
 +	sub_copy = sub;
 +    }
 +    else
 	sub = regtilde(sub, magic_isset());
     /*
@@ -4737,6 +4747,7 @@ outofmem:
 #endif
     vim_regfree(regmatch.regprog);
 +    vim_free(sub_copy);
     // Restore the flag values, they can be used for ":&&".
     subflags.do_all = save_do_all;
 diff -up vim82/src/testdir/test_substitute.vim.cve0413 vim82/src/testdir/test_substitute.vim
 --- vim82/src/testdir/test_substitute.vim.cve0413	2022-02-10 08:09:27.654493162 +0100
 +++ vim82/src/testdir/test_substitute.vim	2022-02-10 08:10:14.392230843 +0100
@@ -926,4 +926,21 @@ func Test_substitute_multiline_submatch(
   close!
 endfunc
 +" This was using "old_sub" after it was freed.
 +func Test_using_old_sub()
 +  set compatible maxfuncdepth=10
 +  new
 +  call setline(1, 'some text.')
 +  func Repl()
 +    ~
 +    s/
 +  endfunc
 +  silent!  s/\%')/\=Repl()
 +
 +  delfunc Repl
 +  bwipe!
 +  set nocompatible
 +endfunc
 +
 +
 " vim: shiftwidth=2 sts=2 expandtab
--- a/vim.spec
+++ b/vim.spec
@ -104,6 +104,8 @@ Patch3035: 0001-patch-8.2.4217-illegal-memory-access-when-undo-makes.patch
 Patch3036: 0001-patch-8.2.4245-retab-0-may-cause-illegal-memory-acce.patch
 # CVE-2022-0408 vim: Stack-based Buffer Overflow in spellsuggest.c
 Patch3037: 0001-patch-8.2.4247-stack-corruption-when-looking-for-spe.patch
 # CVE-2022-0413 vim: use after free in src/ex_cmds.c
 Patch3038: 0001-patch-8.2.4253-using-freed-memory-when-substitute-wi.patch
 # gcc is no longer in buildroot by default
 BuildRequires: gcc
@ -328,6 +330,7 @@ perl -pi -e "s,bin/nawk,bin/awk,g" runtime/tools/mve.awk
 %patch3035 -p1 -b .cve0368
 %patch3036 -p1 -b .cve0417
 %patch3037 -p1 -b .cve0408
 %patch3038 -p1 -b .cve0413
 %build
 cd src
@ -885,6 +888,9 @@ touch %{buildroot}/%{_datadir}/%{name}/vimfiles/doc/tags
 %endif
 %changelog
 * Thu Feb 10 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.2.2637-12
 - CVE-2022-0413 vim: use after free in src/ex_cmds.c
 * Wed Feb 09 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.2.2637-12
 - CVE-2022-0368 vim: Out-of-bounds Read in vim
 - CVE-2022-0417 vim: heap-based-buffer-overflow in ex_retab() of src/indent.c