From bac1f99e544b2bb4119a6c505236247d8625b9c6 Mon Sep 17 00:00:00 2001
From: Zdenek Dohnal
Date: Mon, 13 Jun 2022 14:59:14 +0200
Subject: [PATCH] CVE-2022-1897 vim: out-of-bounds write in vim_regsub_both() in regexp.c

Resolves: CVE-2022-1897
---
 ...ubstitute-overwrites-allocated-buffe.patch | 121 ++++++++++++++++++
 vim.spec | 5 +
 2 files changed, 126 insertions(+)
 create mode 100644 0001-patch-8.2.5023-substitute-overwrites-allocated-buffe.patch

diff --git a/0001-patch-8.2.5023-substitute-overwrites-allocated-buffe.patch b/0001-patch-8.2.5023-substitute-overwrites-allocated-buffe.patch
new file mode 100644
index 0000000..71ce847
--- /dev/null
+++ b/0001-patch-8.2.5023-substitute-overwrites-allocated-buffe.patch
@@ -0,0 +1,121 @@
+diff -up vim82/src/normal.c.cve1897 vim82/src/normal.c
+--- vim82/src/normal.c.cve1897 2022-06-13 09:31:42.880768567 +0200
++++ vim82/src/normal.c 2022-06-13 09:35:38.560084927 +0200
+@@ -479,6 +479,22 @@ find_command(int cmdchar)
+ }
+ 
+ /*
++ * If currently editing a cmdline or text is locked: beep and give an error
++ * message, return TRUE.
++ */
++ static int
++check_text_locked(oparg_T *oap)
++{
++ if (text_locked())
++ {
++ clearopbeep(oap);
++ text_locked_msg();
++ return TRUE;
++ }
++ return FALSE;
++}
++
++/*
+ * Execute a command in Normal mode.
+ */
+ void
+@@ -742,14 +758,9 @@ getcount:
+ goto normal_end;
+ }
+ 
+- if (text_locked() && (nv_cmds[idx].cmd_flags & NV_NCW))
+- {
+- // This command is not allowed while editing a cmdline: beep.
+- clearopbeep(oap);
+- text_locked_msg();
+- goto normal_end;
+- }
+- if ((nv_cmds[idx].cmd_flags & NV_NCW) && curbuf_locked())
++ if ((nv_cmds[idx].cmd_flags & NV_NCW)
++ && (check_text_locked(oap) || curbuf_locked()))
++ // this command is not allowed now
+ goto normal_end;
+ 
+ /*
+@@ -4212,12 +4223,8 @@ nv_gotofile(cmdarg_T *cap)
+ char_u *ptr;
+ linenr_T lnum = -1;
+ 
+- if (text_locked())
+- {
+- clearopbeep(cap->oap);
+- text_locked_msg();
++ if (check_text_locked(cap->oap))
+ return;
+- }
+ if (curbuf_locked())
+ {
+ clearop(cap->oap);
+@@ -6343,14 +6350,7 @@ nv_g_cmd(cmdarg_T *cap)
+ 
+ // "gQ": improved Ex mode
+ case 'Q':
+- if (text_locked())
+- {
+- clearopbeep(cap->oap);
+- text_locked_msg();
+- break;
+- }
+-
+- if (!checkclearopq(oap))
++ if (!check_text_locked(cap->oap) && !checkclearopq(oap))
+ do_exmode(TRUE);
+ break;
+ 
+diff -up vim82/src/testdir/test_substitute.vim.cve1897 vim82/src/testdir/test_substitute.vim
+--- vim82/src/testdir/test_substitute.vim.cve1897 2022-06-13 09:31:42.938768884 +0200
++++ vim82/src/testdir/test_substitute.vim 2022-06-13 09:36:39.013406036 +0200
+@@ -955,5 +955,27 @@ func Test_sub_change_window()
+ delfunc Repl
+ endfunc
+ 
++" This was undoign a change in between computing the length and using it.
++func Do_Test_sub_undo_change()
++ new
++ norm o0000000000000000000000000000000000000000000000000000
++ silent! s/\%')/\=Repl()
++ bwipe!
++endfunc
++
++func Test_sub_undo_change()
++ func Repl()
++ silent! norm g-
++ endfunc
++ call Do_Test_sub_undo_change()
++
++ func! Repl()
++ silent earlier
++ endfunc
++ call Do_Test_sub_undo_change()
++
++ delfunc Repl
++endfunc
++
+ 
+ " vim: shiftwidth=2 sts=2 expandtab
+diff -up vim82/src/undo.c.cve1897 vim82/src/undo.c
+--- vim82/src/undo.c.cve1897 2022-06-13 09:31:42.904768698 +0200
++++ vim82/src/undo.c 2022-06-13 09:31:42.938768884 +0200
+@@ -2323,6 +2323,12 @@ undo_time(
+ int above = FALSE;
+ int did_undo = TRUE;
+ 
++ if (text_locked())
++ {
++ text_locked_msg();
++ return;
++ }
++
+ // First make sure the current undoable change is synced.
+ if (curbuf->b_u_synced == FALSE)
+ u_sync(TRUE);
diff --git a/vim.spec b/vim.spec
index e1913f6..8b47419 100644
--- a/vim.spec
+++ b/vim.spec
@@ -128,7 +128,10 @@ Patch3047: 0001-patch-8.2.4774-crash-when-using-a-number-for-lambda-.patch
 Patch3048: 0001-patch-8.2.4919-can-add-invalid-bytes-with-spellgood.patch
 # CVE-2022-1629 vim: buffer over-read
 Patch3049: 0001-patch-8.2.4925-trailing-backslash-may-cause-reading-.patch
+# CVE-2022-1785 vim: Out-of-bounds Write
 Patch3050: 0001-patch-8.2.4977-memory-access-error-when-substitute-e.patch
+# CVE-2022-1897 vim: out-of-bounds write in vim_regsub_both() in regexp.c
+Patch3051: 0001-patch-8.2.5023-substitute-overwrites-allocated-buffe.patch
 
 # gcc is no longer in buildroot by default
 BuildRequires: gcc
@@ -366,6 +369,7 @@ perl -pi -e "s,bin/nawk,bin/awk,g" runtime/tools/mve.awk
 %patch3048 -p1 -b .cve1621
 %patch3049 -p1 -b .cve1629
 %patch3050 -p1 -b .cve1785
+%patch3051 -p1 -b .cve1897
 
 %build
 cd src
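Review bot: The new patch file carries no header before its first `diff -up vim82/src/normal.c.cve1897 ...` line, so a reader has to infer from the file name alone that this is a backport of upstream vim patch 8.2.5023; a one-line preamble such as `Backport of vim patch 8.2.5023 (CVE-2022-1897): refuse undo_time() while text is locked; normal.c changes only fold existing checks into check_text_locked().` would record that. The substantive fix is the `text_locked()` guard at the top of `undo_time()` in the undo.c hunk; the normal.c hunks move the existing text-locked handling into the new `check_text_locked()` helper without changing what those paths do. The added test in test_substitute.vim runs `g-` and `:earlier` from inside a substitute expression, which presumably are the two undo-history entry points the guard covers. Every function touched in the nested hunks begins and ends outside the shown context.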
@@ -925,6 +929,7 @@ touch %{buildroot}/%{_datadir}/%{name}/vimfiles/doc/tags
 %changelog
 * Mon Jun 13 2022 Zdenek Dohnal - 2:8.2.2637-19
 - CVE-2022-1785 vim: Out-of-bounds Write
+- CVE-2022-1897 vim: out-of-bounds write in vim_regsub_both() in regexp.c
 
 * Tue May 24 2022 Zdenek Dohnal - 2:8.2.2637-18
 - CVE-2022-1621 vim: heap buffer overflow