CVE-2022-1420 vim: Out-of-range Pointer Offset
Resolves: CVE-2022-1420
This commit is contained in:
Zdenek Dohnal
parent
70b0772976
commit
bdc81b4f5c
@ -0,0 +1,51 @@
|
||||
diff -up vim82/src/errors.h.cve1420 vim82/src/errors.h
|
||||
--- vim82/src/errors.h.cve1420 2022-04-25 16:01:03.559985019 +0200
|
||||
+++ vim82/src/errors.h 2022-04-25 16:01:58.113332024 +0200
|
||||
@@ -383,3 +383,7 @@ EXTERN char e_cannot_use_default_values_
|
||||
INIT(= N_("E1172: Cannot use default values in a lambda"));
|
||||
EXTERN char e_resulting_text_too_long[]
|
||||
INIT(= N_("E1240: Resulting text too long"));
|
||||
+#ifdef FEAT_EVAL
|
||||
+EXTERN char e_string_or_function_required_for_arrow_parens_expr[]
|
||||
+ INIT(= N_("E1275: String or function required for ->(expr)"));
|
||||
+#endif
|
||||
diff -up vim82/src/eval.c.cve1420 vim82/src/eval.c
|
||||
--- vim82/src/eval.c.cve1420 2022-04-25 16:01:03.560985007 +0200
|
||||
+++ vim82/src/eval.c 2022-04-25 16:14:11.746600369 +0200
|
||||
@@ -3718,13 +3718,20 @@ eval_lambda(
|
||||
if (**arg != ')')
|
||||
{
|
||||
emsg(_(e_missing_close));
|
||||
- ret = FAIL;
|
||||
+ return FAIL;
|
||||
+ }
|
||||
+ if (rettv->v_type != VAR_STRING && rettv->v_type != VAR_FUNC
|
||||
+ && rettv->v_type != VAR_PARTIAL)
|
||||
+ {
|
||||
+ emsg(_(e_string_or_function_required_for_arrow_parens_expr));
|
||||
+ return FAIL;
|
||||
}
|
||||
++*arg;
|
||||
}
|
||||
if (ret != OK)
|
||||
return FAIL;
|
||||
- else if (**arg != '(')
|
||||
+
|
||||
+ if (**arg != '(')
|
||||
{
|
||||
if (verbose)
|
||||
{
|
||||
diff -up vim82/src/testdir/test_lambda.vim.cve1420 vim82/src/testdir/test_lambda.vim
|
||||
--- vim82/src/testdir/test_lambda.vim.cve1420 2022-04-25 16:01:03.560985007 +0200
|
||||
+++ vim82/src/testdir/test_lambda.vim 2022-04-25 16:17:01.694886566 +0200
|
||||
@@ -64,6 +64,10 @@ function Test_lambda_fails()
|
||||
call assert_fails('echo {a, a -> a + a}(1, 2)', 'E853:')
|
||||
call assert_fails('echo {a, b -> a + b)}(1, 2)', 'E451:')
|
||||
echo assert_fails('echo 10->{a -> a + 2}', 'E107:')
|
||||
+ call assert_fails('eval 0->(3)()', "E1275:")
|
||||
+ call assert_fails('eval 0->([3])()', "E1275:")
|
||||
+ call assert_fails('eval 0->({"a": 3})()', "E1275:")
|
||||
+ call assert_fails('eval 0->(xxx)()', "E121:")
|
||||
endfunc
|
||||
|
||||
func Test_not_lamda()
|
||||
4
vim.spec
4
vim.spec
@ -122,6 +122,8 @@ Patch3044: 0001-patch-8.2.4327-may-end-up-with-no-current-buffer.patch
|
||||
Patch3045: 0001-patch-8.2.4563-z-in-Visual-mode-may-go-beyond-the-en.patch
|
||||
# CVE-2022-1154 vim: use after free in utf_ptr2char
|
||||
Patch3046: 0001-patch-8.2.4646-using-buffer-line-after-it-has-been-f.patch
|
||||
# CVE-2022-1420 vim: Out-of-range Pointer Offset
|
||||
Patch3047: 0001-patch-8.2.4774-crash-when-using-a-number-for-lambda-.patch
|
||||
|
||||
# gcc is no longer in buildroot by default
|
||||
BuildRequires: gcc
|
||||
@ -355,6 +357,7 @@ perl -pi -e "s,bin/nawk,bin/awk,g" runtime/tools/mve.awk
|
||||
%patch3044 -p1 -b .cve0554
|
||||
%patch3045 -p1 -b .cve0943
|
||||
%patch3046 -p1 -b .cve1154
|
||||
%patch3047 -p1 -b .cve1420
|
||||
|
||||
%build
|
||||
cd src
|
||||
@ -914,6 +917,7 @@ touch %{buildroot}/%{_datadir}/%{name}/vimfiles/doc/tags
|
||||
%changelog
|
||||
* Mon Apr 25 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.2.2637-17
|
||||
- CVE-2022-1154 vim: use after free in utf_ptr2char
|
||||
- CVE-2022-1420 vim: Out-of-range Pointer Offset
|
||||
|
||||
* Mon Mar 28 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.2.2637-16
|
||||
- CVE-2022-0554 vim: Use of Out-of-range Pointer Offset in vim prior
|
||||
|
||||
Loading…
Reference in New Issue
Block a user