2002320 - CVE-2021-3770 vim: using retab with large value may lead to heap buffer overflow [rhel-9.0]
Resolves: rhbz#2002320
parent
e4ca460b9b
commit
d2eb71664f
|
@ -0,0 +1,200 @@
|
|||
diff --git a/src/indent.c b/src/indent.c
|
||||
index e1c6f52..a002b4b 100644
|
||||
--- a/src/indent.c
|
||||
+++ b/src/indent.c
|
||||
@@ -18,18 +18,19 @@
|
||||
/*
|
||||
* Set the integer values corresponding to the string setting of 'vartabstop'.
|
||||
* "array" will be set, caller must free it if needed.
|
||||
+ * Return FAIL for an error.
|
||||
*/
|
||||
int
|
||||
tabstop_set(char_u *var, int **array)
|
||||
{
|
||||
- int valcount = 1;
|
||||
- int t;
|
||||
- char_u *cp;
|
||||
+ int valcount = 1;
|
||||
+ int t;
|
||||
+ char_u *cp;
|
||||
|
||||
if (var[0] == NUL || (var[0] == '0' && var[1] == NUL))
|
||||
{
|
||||
*array = NULL;
|
||||
- return TRUE;
|
||||
+ return OK;
|
||||
}
|
||||
|
||||
for (cp = var; *cp != NUL; ++cp)
|
||||
@@ -43,8 +44,8 @@ tabstop_set(char_u *var, int **array)
|
||||
if (cp != end)
|
||||
emsg(_(e_positive));
|
||||
else
|
||||
- emsg(_(e_invarg));
|
||||
- return FALSE;
|
||||
+ semsg(_(e_invarg2), cp);
|
||||
+ return FAIL;
|
||||
}
|
||||
}
|
||||
|
||||
@@ -55,26 +56,36 @@ tabstop_set(char_u *var, int **array)
|
||||
++valcount;
|
||||
continue;
|
||||
}
|
||||
- emsg(_(e_invarg));
|
||||
- return FALSE;
|
||||
+ semsg(_(e_invarg2), var);
|
||||
+ return FAIL;
|
||||
}
|
||||
|
||||
*array = ALLOC_MULT(int, valcount + 1);
|
||||
if (*array == NULL)
|
||||
- return FALSE;
|
||||
+ return FAIL;
|
||||
(*array)[0] = valcount;
|
||||
|
||||
t = 1;
|
||||
for (cp = var; *cp != NUL;)
|
||||
{
|
||||
- (*array)[t++] = atoi((char *)cp);
|
||||
- while (*cp != NUL && *cp != ',')
|
||||
+ int n = atoi((char *)cp);
|
||||
+
|
||||
+ // Catch negative values, overflow and ridiculous big values.
|
||||
+ if (n < 0 || n > 9999)
|
||||
+ {
|
||||
+ semsg(_(e_invarg2), cp);
|
||||
+ vim_free(*array);
|
||||
+ *array = NULL;
|
||||
+ return FAIL;
|
||||
+ }
|
||||
+ (*array)[t++] = n;
|
||||
+ while (*cp != NUL && *cp != ',')
|
||||
++cp;
|
||||
if (*cp != NUL)
|
||||
++cp;
|
||||
}
|
||||
|
||||
- return TRUE;
|
||||
+ return OK;
|
||||
}
|
||||
|
||||
/*
|
||||
@@ -1561,7 +1572,7 @@ ex_retab(exarg_T *eap)
|
||||
|
||||
#ifdef FEAT_VARTABS
|
||||
new_ts_str = eap->arg;
|
||||
- if (!tabstop_set(eap->arg, &new_vts_array))
|
||||
+ if (tabstop_set(eap->arg, &new_vts_array) == FAIL)
|
||||
return;
|
||||
while (vim_isdigit(*(eap->arg)) || *(eap->arg) == ',')
|
||||
++(eap->arg);
|
||||
@@ -1577,12 +1588,18 @@ ex_retab(exarg_T *eap)
|
||||
else
|
||||
new_ts_str = vim_strnsave(new_ts_str, eap->arg - new_ts_str);
|
||||
#else
|
||||
- new_ts = getdigits(&(eap->arg));
|
||||
- if (new_ts < 0)
|
||||
+ ptr = eap->arg;
|
||||
+ new_ts = getdigits(&ptr);
|
||||
+ if (new_ts < 0 && *eap->arg == '-')
|
||||
{
|
||||
emsg(_(e_positive));
|
||||
return;
|
||||
}
|
||||
+ if (new_ts < 0 || new_ts > 9999)
|
||||
+ {
|
||||
+ semsg(_(e_invarg2), eap->arg);
|
||||
+ return;
|
||||
+ }
|
||||
if (new_ts == 0)
|
||||
new_ts = curbuf->b_p_ts;
|
||||
#endif
|
||||
diff --git a/src/option.c b/src/option.c
|
||||
index b9d7edb..9a3b71e 100644
|
||||
--- a/src/option.c
|
||||
+++ b/src/option.c
|
||||
@@ -2349,9 +2349,9 @@ didset_options2(void)
|
||||
#endif
|
||||
#ifdef FEAT_VARTABS
|
||||
vim_free(curbuf->b_p_vsts_array);
|
||||
- tabstop_set(curbuf->b_p_vsts, &curbuf->b_p_vsts_array);
|
||||
+ (void)tabstop_set(curbuf->b_p_vsts, &curbuf->b_p_vsts_array);
|
||||
vim_free(curbuf->b_p_vts_array);
|
||||
- tabstop_set(curbuf->b_p_vts, &curbuf->b_p_vts_array);
|
||||
+ (void)tabstop_set(curbuf->b_p_vts, &curbuf->b_p_vts_array);
|
||||
#endif
|
||||
}
|
||||
|
||||
@@ -5828,7 +5828,7 @@ buf_copy_options(buf_T *buf, int flags)
|
||||
buf->b_p_vsts = vim_strsave(p_vsts);
|
||||
COPY_OPT_SCTX(buf, BV_VSTS);
|
||||
if (p_vsts && p_vsts != empty_option)
|
||||
- tabstop_set(p_vsts, &buf->b_p_vsts_array);
|
||||
+ (void)tabstop_set(p_vsts, &buf->b_p_vsts_array);
|
||||
else
|
||||
buf->b_p_vsts_array = 0;
|
||||
buf->b_p_vsts_nopaste = p_vsts_nopaste
|
||||
@@ -5988,7 +5988,7 @@ buf_copy_options(buf_T *buf, int flags)
|
||||
buf->b_p_isk = save_p_isk;
|
||||
#ifdef FEAT_VARTABS
|
||||
if (p_vts && p_vts != empty_option && !buf->b_p_vts_array)
|
||||
- tabstop_set(p_vts, &buf->b_p_vts_array);
|
||||
+ (void)tabstop_set(p_vts, &buf->b_p_vts_array);
|
||||
else
|
||||
buf->b_p_vts_array = NULL;
|
||||
#endif
|
||||
@@ -6003,7 +6003,7 @@ buf_copy_options(buf_T *buf, int flags)
|
||||
buf->b_p_vts = vim_strsave(p_vts);
|
||||
COPY_OPT_SCTX(buf, BV_VTS);
|
||||
if (p_vts && p_vts != empty_option && !buf->b_p_vts_array)
|
||||
- tabstop_set(p_vts, &buf->b_p_vts_array);
|
||||
+ (void)tabstop_set(p_vts, &buf->b_p_vts_array);
|
||||
else
|
||||
buf->b_p_vts_array = NULL;
|
||||
#endif
|
||||
@@ -6700,7 +6700,7 @@ paste_option_changed(void)
|
||||
if (buf->b_p_vsts_array)
|
||||
vim_free(buf->b_p_vsts_array);
|
||||
if (buf->b_p_vsts && buf->b_p_vsts != empty_option)
|
||||
- tabstop_set(buf->b_p_vsts, &buf->b_p_vsts_array);
|
||||
+ (void)tabstop_set(buf->b_p_vsts, &buf->b_p_vsts_array);
|
||||
else
|
||||
buf->b_p_vsts_array = 0;
|
||||
#endif
|
||||
diff --git a/src/optionstr.c b/src/optionstr.c
|
||||
index 521242d..db015e8 100644
|
||||
--- a/src/optionstr.c
|
||||
+++ b/src/optionstr.c
|
||||
@@ -2215,7 +2215,7 @@ ambw_end:
|
||||
if (errmsg == NULL)
|
||||
{
|
||||
int *oldarray = curbuf->b_p_vsts_array;
|
||||
- if (tabstop_set(*varp, &(curbuf->b_p_vsts_array)))
|
||||
+ if (tabstop_set(*varp, &(curbuf->b_p_vsts_array)) == OK)
|
||||
{
|
||||
if (oldarray)
|
||||
vim_free(oldarray);
|
||||
@@ -2254,7 +2254,7 @@ ambw_end:
|
||||
{
|
||||
int *oldarray = curbuf->b_p_vts_array;
|
||||
|
||||
- if (tabstop_set(*varp, &(curbuf->b_p_vts_array)))
|
||||
+ if (tabstop_set(*varp, &(curbuf->b_p_vts_array)) == OK)
|
||||
{
|
||||
vim_free(oldarray);
|
||||
#ifdef FEAT_FOLDING
|
||||
diff --git a/src/testdir/test_retab.vim b/src/testdir/test_retab.vim
|
||||
index b792da5..c7190aa 100644
|
||||
--- a/src/testdir/test_retab.vim
|
||||
+++ b/src/testdir/test_retab.vim
|
||||
@@ -75,6 +75,9 @@ endfunc
|
||||
func Test_retab_error()
|
||||
call assert_fails('retab -1', 'E487:')
|
||||
call assert_fails('retab! -1', 'E487:')
|
||||
+ call assert_fails('ret -1000', 'E487:')
|
||||
+ call assert_fails('ret 10000', 'E475:')
|
||||
+ call assert_fails('ret 80000000000000000000', 'E475:')
|
||||
endfunc
|
||||
|
||||
" vim: shiftwidth=2 sts=2 expandtab
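Review bot: In tabstop_set() in src/indent.c, the new range check in the second loop is applied to the result of `atoi((char *)cp)`, and the C standard leaves atoi's behaviour undefined for a value that does not fit in int, so the comment's claim that overflow is caught depends on the libc. Where atoi narrows a wider strtol result, a value just above 2^32 (constructed example) could wrap to a small positive int and pass `n < 0 || n > 9999`, silently becoming a different tab stop instead of raising E475. Parsing with `long n = strtol((char *)cp, NULL, 10);`, keeping the same range check and storing `(int)n`, makes the bound hold for every input. The asserts added to test_retab.vim use a single number only; a comma-separated list whose later element is out of range would also pin the FEAT_VARTABS list path. The first validation loop of tabstop_set is only partly visible in these hunks, so whether it already rejects such values cannot be confirmed from here.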
|
4
vim.spec
4
vim.spec
|
@ -70,6 +70,8 @@ Patch3017: vim-python3-tests.patch
|
|||
Patch3018: vim-crypto-warning.patch
|
||||
Patch3019: 0001-patch-8.2.3115-Coverity-complains-about-free_wininfo.patch
|
||||
Patch3020: 0001-patch-8.2.3290-Vim9-compiling-dict-may-use-pointer-a.patch
|
||||
# 2002320 - CVE-2021-3770 vim: using retab with large value may lead to heap buffer overflow [rhel-9.0]
|
||||
Patch3021: vim-cve-var-retab.patch
|
||||
|
||||
# gcc is no longer in buildroot by default
|
||||
BuildRequires: gcc
|
||||
|
@ -277,6 +279,7 @@ perl -pi -e "s,bin/nawk,bin/awk,g" runtime/tools/mve.awk
|
|||
%patch3018 -p1 -b .fips-warning
|
||||
%patch3019 -p1 -b .covscan-free-wininfo
|
||||
%patch3020 -p1 -b .covscan-key-freed
|
||||
%patch3021 -p1 -b .cve-var-retab
|
||||
|
||||
%build
|
||||
cd src
|
||||
|
@ -839,6 +842,7 @@ touch %{buildroot}/%{_datadir}/%{name}/vimfiles/doc/tags
|
|||
- 2011424 - Remove vim-7.4-syncolor.patch
|
||||
- 2011429 - Remove downstream patch vim-7.4-nowarning.patch
|
||||
- 2011749 - Update test suite to work without default mouse behavior
|
||||
- 2002320 - CVE-2021-3770 vim: using retab with large value may lead to heap buffer overflow [rhel-9.0]
|
||||
|
||||
* Tue Aug 10 2021 Mohan Boddu <mboddu@redhat.com> - 2:8.2.2637-5
|
||||
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
|
||||
|
|