CVE-2022-1785 vim: Out-of-bounds Write

Resolves: CVE-2022-1785
2022-06-13 07:53:12 +02:00 · 2022-06-13 07:53:12 +02:00 · e4ba274723
commit e4ba274723
parent e53ef5204f
2 changed files with 65 additions and 1 deletions
--- a/0001-patch-8.2.4977-memory-access-error-when-substitute-e.patch
+++ b/0001-patch-8.2.4977-memory-access-error-when-substitute-e.patch
@ -0,0 +1,59 @@
+diff -up vim82/src/ex_cmds.c.cve1785 vim82/src/ex_cmds.c
+--- vim82/src/ex_cmds.c.cve1785	2022-06-10 10:26:16.883312704 +0200
+++ vim82/src/ex_cmds.c	2022-06-10 10:26:16.910312568 +0200
+@@ -4356,12 +4356,17 @@ ex_substitute(exarg_T *eap)
+ 		// Save flags for recursion.  They can change for e.g.
+ 		// :s/^/\=execute("s#^##gn")
+ 		subflags_save = subflags;
+
+		// Disallow changing text or switching window in an expression.
+		++textwinlock;
+ #endif
+ 		// get length of substitution part
+ 		sublen = vim_regsub_multi(&regmatch,
+ 				    sub_firstlnum - regmatch.startpos[0].lnum,
+ 			       sub, sub_firstline, FALSE, magic_isset(), TRUE);
+ #ifdef FEAT_EVAL
+		--textwinlock;
+
+ 		// If getting the substitute string caused an error, don't do
+ 		// the replacement.
+ 		// Don't keep flags set by a recursive call.
+@@ -4462,9 +4467,15 @@ ex_substitute(exarg_T *eap)
+ 		mch_memmove(new_end, sub_firstline + copycol, (size_t)copy_len);
+ 		new_end += copy_len;
+ 
+#ifdef FEAT_EVAL
+		++textwinlock;
+#endif
+ 		(void)vim_regsub_multi(&regmatch,
+ 				    sub_firstlnum - regmatch.startpos[0].lnum,
+ 				      sub, new_end, TRUE, magic_isset(), TRUE);
+#ifdef FEAT_EVAL
+		--textwinlock;
+#endif
+ 		sub_nsubs++;
+ 		did_sub = TRUE;
+ 
+diff -up vim82/src/testdir/test_substitute.vim.cve1785 vim82/src/testdir/test_substitute.vim
+--- vim82/src/testdir/test_substitute.vim.cve1785	2022-06-10 10:26:16.910312568 +0200
+++ vim82/src/testdir/test_substitute.vim	2022-06-10 10:27:02.166084629 +0200
+@@ -942,5 +942,18 @@ func Test_using_old_sub()
+   set nocompatible
+ endfunc
+ 
+" This was switching windows in between computing the length and using it.
+func Test_sub_change_window()
+  silent! lfile
+  sil! norm o0000000000000000000000000000000000000000000000000000
+  func Repl()
+    lopen
+  endfunc
+  silent!  s/\%')/\=Repl()
+  bwipe!
+  bwipe!
+  delfunc Repl
+endfunc
+
+ 
+ " vim: shiftwidth=2 sts=2 expandtab
--- a/vim.spec
+++ b/vim.spec
@ -27,7 +27,7 @@ Summary: The VIM editor
 URL:     http://www.vim.org/
 Name: vim
 Version: %{baseversion}.%{patchlevel}
-Release: 18%{?dist}
+Release: 19%{?dist}
 License: Vim and MIT
 Source0: ftp://ftp.vim.org/pub/vim/unix/vim-%{baseversion}-%{patchlevel}.tar.bz2
 Source1: virc
@ -128,6 +128,7 @@ Patch3047: 0001-patch-8.2.4774-crash-when-using-a-number-for-lambda-.patch
 Patch3048: 0001-patch-8.2.4919-can-add-invalid-bytes-with-spellgood.patch
 # CVE-2022-1629 vim: buffer over-read
 Patch3049: 0001-patch-8.2.4925-trailing-backslash-may-cause-reading-.patch
+Patch3050: 0001-patch-8.2.4977-memory-access-error-when-substitute-e.patch

 # gcc is no longer in buildroot by default
 BuildRequires: gcc
@ -364,6 +365,7 @@ perl -pi -e "s,bin/nawk,bin/awk,g" runtime/tools/mve.awk
 %patch3047 -p1 -b .cve1420
 %patch3048 -p1 -b .cve1621
 %patch3049 -p1 -b .cve1629
+%patch3050 -p1 -b .cve1785

 %build
 cd src
@ -921,6 +923,9 @@ touch %{buildroot}/%{_datadir}/%{name}/vimfiles/doc/tags
 %endif

 %changelog
+* Mon Jun 13 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.2.2637-19
+- CVE-2022-1785 vim: Out-of-bounds Write
+
 * Tue May 24 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.2.2637-18
 - CVE-2022-1621 vim: heap buffer overflow
 - CVE-2022-1629 vim: buffer over-read