rpms/vim
6
0
Fork 0
Code Issues Pull Requests Releases Activity

2002320 - CVE-2021-3770 vim: using retab with large value may lead to heap buffer overflow [rhel-9.0]

Browse Source 
Resolves: rhbz#2002320
This commit is contained in:
Zdenek Dohnal 2021-10-15 08:54:02 +02:00
parent e4ca460b9b
commit d2eb71664f
2 changed files with 204 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

200
vim-cve-var-retab.patch Normal file
View File

@ -0,0 +1,200 @@
diff --git a/src/indent.c b/src/indent.c
index e1c6f52..a002b4b 100644
--- a/src/indent.c
+++ b/src/indent.c
@@ -18,18 +18,19 @@
/*
* Set the integer values corresponding to the string setting of 'vartabstop'.
* "array" will be set, caller must free it if needed.
+ * Return FAIL for an error.
*/
int
tabstop_set(char_u *var, int **array)
{
- int valcount = 1;
- int t;
- char_u *cp;
+ int valcount = 1;
+ int t;
+ char_u *cp;
if (var[0] == NUL || (var[0] == '0' && var[1] == NUL))
{
*array = NULL;
- return TRUE;
+ return OK;
}
for (cp = var; *cp != NUL; ++cp)
@@ -43,8 +44,8 @@ tabstop_set(char_u *var, int **array)
if (cp != end)
emsg(_(e_positive));
else
- emsg(_(e_invarg));
- return FALSE;
+ semsg(_(e_invarg2), cp);
+ return FAIL;
}
}
@@ -55,26 +56,36 @@ tabstop_set(char_u *var, int **array)
++valcount;
continue;
}
- emsg(_(e_invarg));
- return FALSE;
+ semsg(_(e_invarg2), var);
+ return FAIL;
}
*array = ALLOC_MULT(int, valcount + 1);
if (*array == NULL)
- return FALSE;
+ return FAIL;
(*array)[0] = valcount;
t = 1;
for (cp = var; *cp != NUL;)
{
- (*array)[t++] = atoi((char *)cp);
- while (*cp != NUL && *cp != ',')
+ int n = atoi((char *)cp);
+
+ // Catch negative values, overflow and ridiculous big values.
+ if (n < 0 || n > 9999)
+ {
+ semsg(_(e_invarg2), cp);
+ vim_free(*array);
+ *array = NULL;
+ return FAIL;
+ }
+ (*array)[t++] = n;
+ while (*cp != NUL && *cp != ',')
++cp;
if (*cp != NUL)
++cp;
}
- return TRUE;
+ return OK;
}
/*
@@ -1561,7 +1572,7 @@ ex_retab(exarg_T *eap)
#ifdef FEAT_VARTABS
new_ts_str = eap->arg;
- if (!tabstop_set(eap->arg, &new_vts_array))
+ if (tabstop_set(eap->arg, &new_vts_array) == FAIL)
return;
while (vim_isdigit(*(eap->arg)) || *(eap->arg) == ',')
++(eap->arg);
@@ -1577,12 +1588,18 @@ ex_retab(exarg_T *eap)
else
new_ts_str = vim_strnsave(new_ts_str, eap->arg - new_ts_str);
#else
- new_ts = getdigits(&(eap->arg));
- if (new_ts < 0)
+ ptr = eap->arg;
+ new_ts = getdigits(&ptr);
+ if (new_ts < 0 && *eap->arg == '-')
{
emsg(_(e_positive));
return;
}
+ if (new_ts < 0 || new_ts > 9999)
+ {
+ semsg(_(e_invarg2), eap->arg);
+ return;
+ }
if (new_ts == 0)
new_ts = curbuf->b_p_ts;
#endif
diff --git a/src/option.c b/src/option.c
index b9d7edb..9a3b71e 100644
--- a/src/option.c
+++ b/src/option.c
@@ -2349,9 +2349,9 @@ didset_options2(void)
#endif
#ifdef FEAT_VARTABS
vim_free(curbuf->b_p_vsts_array);
- tabstop_set(curbuf->b_p_vsts, &curbuf->b_p_vsts_array);
+ (void)tabstop_set(curbuf->b_p_vsts, &curbuf->b_p_vsts_array);
vim_free(curbuf->b_p_vts_array);
- tabstop_set(curbuf->b_p_vts, &curbuf->b_p_vts_array);
+ (void)tabstop_set(curbuf->b_p_vts, &curbuf->b_p_vts_array);
#endif
}
@@ -5828,7 +5828,7 @@ buf_copy_options(buf_T *buf, int flags)
buf->b_p_vsts = vim_strsave(p_vsts);
COPY_OPT_SCTX(buf, BV_VSTS);
if (p_vsts && p_vsts != empty_option)
- tabstop_set(p_vsts, &buf->b_p_vsts_array);
+ (void)tabstop_set(p_vsts, &buf->b_p_vsts_array);
else
buf->b_p_vsts_array = 0;
buf->b_p_vsts_nopaste = p_vsts_nopaste
@@ -5988,7 +5988,7 @@ buf_copy_options(buf_T *buf, int flags)
buf->b_p_isk = save_p_isk;
#ifdef FEAT_VARTABS
if (p_vts && p_vts != empty_option && !buf->b_p_vts_array)
- tabstop_set(p_vts, &buf->b_p_vts_array);
+ (void)tabstop_set(p_vts, &buf->b_p_vts_array);
else
buf->b_p_vts_array = NULL;
#endif
@@ -6003,7 +6003,7 @@ buf_copy_options(buf_T *buf, int flags)
buf->b_p_vts = vim_strsave(p_vts);
COPY_OPT_SCTX(buf, BV_VTS);
if (p_vts && p_vts != empty_option && !buf->b_p_vts_array)
- tabstop_set(p_vts, &buf->b_p_vts_array);
+ (void)tabstop_set(p_vts, &buf->b_p_vts_array);
else
buf->b_p_vts_array = NULL;
#endif
@@ -6700,7 +6700,7 @@ paste_option_changed(void)
if (buf->b_p_vsts_array)
vim_free(buf->b_p_vsts_array);
if (buf->b_p_vsts && buf->b_p_vsts != empty_option)
- tabstop_set(buf->b_p_vsts, &buf->b_p_vsts_array);
+ (void)tabstop_set(buf->b_p_vsts, &buf->b_p_vsts_array);
else
buf->b_p_vsts_array = 0;
#endif
diff --git a/src/optionstr.c b/src/optionstr.c
index 521242d..db015e8 100644
--- a/src/optionstr.c
+++ b/src/optionstr.c
@@ -2215,7 +2215,7 @@ ambw_end:
if (errmsg == NULL)
{
int *oldarray = curbuf->b_p_vsts_array;
- if (tabstop_set(*varp, &(curbuf->b_p_vsts_array)))
+ if (tabstop_set(*varp, &(curbuf->b_p_vsts_array)) == OK)
{
if (oldarray)
vim_free(oldarray);
@@ -2254,7 +2254,7 @@ ambw_end:
{
int *oldarray = curbuf->b_p_vts_array;
- if (tabstop_set(*varp, &(curbuf->b_p_vts_array)))
+ if (tabstop_set(*varp, &(curbuf->b_p_vts_array)) == OK)
{
vim_free(oldarray);
#ifdef FEAT_FOLDING
diff --git a/src/testdir/test_retab.vim b/src/testdir/test_retab.vim
index b792da5..c7190aa 100644
--- a/src/testdir/test_retab.vim
+++ b/src/testdir/test_retab.vim
@@ -75,6 +75,9 @@ endfunc
func Test_retab_error()
call assert_fails('retab -1', 'E487:')
call assert_fails('retab! -1', 'E487:')
+ call assert_fails('ret -1000', 'E487:')
+ call assert_fails('ret 10000', 'E475:')
+ call assert_fails('ret 80000000000000000000', 'E475:')
endfunc
" vim: shiftwidth=2 sts=2 expandtab

4
vim.spec
View File

@ -70,6 +70,8 @@ Patch3017: vim-python3-tests.patch
Patch3018: vim-crypto-warning.patch Patch3018: vim-crypto-warning.patch
Patch3019: 0001-patch-8.2.3115-Coverity-complains-about-free_wininfo.patch Patch3019: 0001-patch-8.2.3115-Coverity-complains-about-free_wininfo.patch
Patch3020: 0001-patch-8.2.3290-Vim9-compiling-dict-may-use-pointer-a.patch Patch3020: 0001-patch-8.2.3290-Vim9-compiling-dict-may-use-pointer-a.patch
# 2002320 - CVE-2021-3770 vim: using retab with large value may lead to heap buffer overflow [rhel-9.0]
Patch3021: vim-cve-var-retab.patch
# gcc is no longer in buildroot by default # gcc is no longer in buildroot by default
BuildRequires: gcc BuildRequires: gcc
@ -277,6 +279,7 @@ perl -pi -e "s,bin/nawk,bin/awk,g" runtime/tools/mve.awk
%patch3018 -p1 -b .fips-warning %patch3018 -p1 -b .fips-warning
%patch3019 -p1 -b .covscan-free-wininfo %patch3019 -p1 -b .covscan-free-wininfo
%patch3020 -p1 -b .covscan-key-freed %patch3020 -p1 -b .covscan-key-freed
%patch3021 -p1 -b .cve-var-retab
%build %build
cd src cd src
@ -839,6 +842,7 @@ touch %{buildroot}/%{_datadir}/%{name}/vimfiles/doc/tags
- 2011424 - Remove vim-7.4-syncolor.patch - 2011424 - Remove vim-7.4-syncolor.patch
- 2011429 - Remove downstream patch vim-7.4-nowarning.patch - 2011429 - Remove downstream patch vim-7.4-nowarning.patch
- 2011749 - Update test suite to work without default mouse behavior - 2011749 - Update test suite to work without default mouse behavior
- 2002320 - CVE-2021-3770 vim: using retab with large value may lead to heap buffer overflow [rhel-9.0]
* Tue Aug 10 2021 Mohan Boddu <mboddu@redhat.com> - 2:8.2.2637-5 * Tue Aug 10 2021 Mohan Boddu <mboddu@redhat.com> - 2:8.2.2637-5
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags