CVE-2022-1897 vim: out-of-bounds write in vim_regsub_both() in regexp.c
Resolves: CVE-2022-1897
This commit is contained in:
Zdenek Dohnal
parent
e4ba274723
commit
bac1f99e54
121
0001-patch-8.2.5023-substitute-overwrites-allocated-buffe.patch
Normal file
121
0001-patch-8.2.5023-substitute-overwrites-allocated-buffe.patch
Normal file
@ -0,0 +1,121 @@
|
||||
diff -up vim82/src/normal.c.cve1897 vim82/src/normal.c
|
||||
--- vim82/src/normal.c.cve1897 2022-06-13 09:31:42.880768567 +0200
|
||||
+++ vim82/src/normal.c 2022-06-13 09:35:38.560084927 +0200
|
||||
@@ -479,6 +479,22 @@ find_command(int cmdchar)
|
||||
}
|
||||
|
||||
/*
|
||||
+ * If currently editing a cmdline or text is locked: beep and give an error
|
||||
+ * message, return TRUE.
|
||||
+ */
|
||||
+ static int
|
||||
+check_text_locked(oparg_T *oap)
|
||||
+{
|
||||
+ if (text_locked())
|
||||
+ {
|
||||
+ clearopbeep(oap);
|
||||
+ text_locked_msg();
|
||||
+ return TRUE;
|
||||
+ }
|
||||
+ return FALSE;
|
||||
+}
|
||||
+
|
||||
+/*
|
||||
* Execute a command in Normal mode.
|
||||
*/
|
||||
void
|
||||
@@ -742,14 +758,9 @@ getcount:
|
||||
goto normal_end;
|
||||
}
|
||||
|
||||
- if (text_locked() && (nv_cmds[idx].cmd_flags & NV_NCW))
|
||||
- {
|
||||
- // This command is not allowed while editing a cmdline: beep.
|
||||
- clearopbeep(oap);
|
||||
- text_locked_msg();
|
||||
- goto normal_end;
|
||||
- }
|
||||
- if ((nv_cmds[idx].cmd_flags & NV_NCW) && curbuf_locked())
|
||||
+ if ((nv_cmds[idx].cmd_flags & NV_NCW)
|
||||
+ && (check_text_locked(oap) || curbuf_locked()))
|
||||
+ // this command is not allowed now
|
||||
goto normal_end;
|
||||
|
||||
/*
|
||||
@@ -4212,12 +4223,8 @@ nv_gotofile(cmdarg_T *cap)
|
||||
char_u *ptr;
|
||||
linenr_T lnum = -1;
|
||||
|
||||
- if (text_locked())
|
||||
- {
|
||||
- clearopbeep(cap->oap);
|
||||
- text_locked_msg();
|
||||
+ if (check_text_locked(cap->oap))
|
||||
return;
|
||||
- }
|
||||
if (curbuf_locked())
|
||||
{
|
||||
clearop(cap->oap);
|
||||
@@ -6343,14 +6350,7 @@ nv_g_cmd(cmdarg_T *cap)
|
||||
|
||||
// "gQ": improved Ex mode
|
||||
case 'Q':
|
||||
- if (text_locked())
|
||||
- {
|
||||
- clearopbeep(cap->oap);
|
||||
- text_locked_msg();
|
||||
- break;
|
||||
- }
|
||||
-
|
||||
- if (!checkclearopq(oap))
|
||||
+ if (!check_text_locked(cap->oap) && !checkclearopq(oap))
|
||||
do_exmode(TRUE);
|
||||
break;
|
||||
|
||||
diff -up vim82/src/testdir/test_substitute.vim.cve1897 vim82/src/testdir/test_substitute.vim
|
||||
--- vim82/src/testdir/test_substitute.vim.cve1897 2022-06-13 09:31:42.938768884 +0200
|
||||
+++ vim82/src/testdir/test_substitute.vim 2022-06-13 09:36:39.013406036 +0200
|
||||
@@ -955,5 +955,27 @@ func Test_sub_change_window()
|
||||
delfunc Repl
|
||||
endfunc
|
||||
|
||||
+" This was undoign a change in between computing the length and using it.
|
||||
+func Do_Test_sub_undo_change()
|
||||
+ new
|
||||
+ norm o0000000000000000000000000000000000000000000000000000
|
||||
+ silent! s/\%')/\=Repl()
|
||||
+ bwipe!
|
||||
+endfunc
|
||||
+
|
||||
+func Test_sub_undo_change()
|
||||
+ func Repl()
|
||||
+ silent! norm g-
|
||||
+ endfunc
|
||||
+ call Do_Test_sub_undo_change()
|
||||
+
|
||||
+ func! Repl()
|
||||
+ silent earlier
|
||||
+ endfunc
|
||||
+ call Do_Test_sub_undo_change()
|
||||
+
|
||||
+ delfunc Repl
|
||||
+endfunc
|
||||
+
|
||||
|
||||
" vim: shiftwidth=2 sts=2 expandtab
|
||||
diff -up vim82/src/undo.c.cve1897 vim82/src/undo.c
|
||||
--- vim82/src/undo.c.cve1897 2022-06-13 09:31:42.904768698 +0200
|
||||
+++ vim82/src/undo.c 2022-06-13 09:31:42.938768884 +0200
|
||||
@@ -2323,6 +2323,12 @@ undo_time(
|
||||
int above = FALSE;
|
||||
int did_undo = TRUE;
|
||||
|
||||
+ if (text_locked())
|
||||
+ {
|
||||
+ text_locked_msg();
|
||||
+ return;
|
||||
+ }
|
||||
+
|
||||
// First make sure the current undoable change is synced.
|
||||
if (curbuf->b_u_synced == FALSE)
|
||||
u_sync(TRUE);
|
||||
5
vim.spec
5
vim.spec
@ -128,7 +128,10 @@ Patch3047: 0001-patch-8.2.4774-crash-when-using-a-number-for-lambda-.patch
|
||||
Patch3048: 0001-patch-8.2.4919-can-add-invalid-bytes-with-spellgood.patch
|
||||
# CVE-2022-1629 vim: buffer over-read
|
||||
Patch3049: 0001-patch-8.2.4925-trailing-backslash-may-cause-reading-.patch
|
||||
# CVE-2022-1785 vim: Out-of-bounds Write
|
||||
Patch3050: 0001-patch-8.2.4977-memory-access-error-when-substitute-e.patch
|
||||
# CVE-2022-1897 vim: out-of-bounds write in vim_regsub_both() in regexp.c
|
||||
Patch3051: 0001-patch-8.2.5023-substitute-overwrites-allocated-buffe.patch
|
||||
|
||||
# gcc is no longer in buildroot by default
|
||||
BuildRequires: gcc
|
||||
@ -366,6 +369,7 @@ perl -pi -e "s,bin/nawk,bin/awk,g" runtime/tools/mve.awk
|
||||
%patch3048 -p1 -b .cve1621
|
||||
%patch3049 -p1 -b .cve1629
|
||||
%patch3050 -p1 -b .cve1785
|
||||
%patch3051 -p1 -b .cve1897
|
||||
|
||||
%build
|
||||
cd src
|
||||
@ -925,6 +929,7 @@ touch %{buildroot}/%{_datadir}/%{name}/vimfiles/doc/tags
|
||||
%changelog
|
||||
* Mon Jun 13 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.2.2637-19
|
||||
- CVE-2022-1785 vim: Out-of-bounds Write
|
||||
- CVE-2022-1897 vim: out-of-bounds write in vim_regsub_both() in regexp.c
|
||||
|
||||
* Tue May 24 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.2.2637-18
|
||||
- CVE-2022-1621 vim: heap buffer overflow
|
||||
|
||||
Loading…
Reference in New Issue
Block a user