CVE-2022-0261 vim: Heap-based Buffer Overflow in block_insert() in src/ops.c
Resolves: CVE-2022-0261
This commit is contained in:
parent
520837ecc5
commit
f5e8ebfed2
|
@ -0,0 +1,94 @@
|
|||
diff --git a/src/ops.c b/src/ops.c
|
||||
index d8e96ff..88992b6 100644
|
||||
--- a/src/ops.c
|
||||
+++ b/src/ops.c
|
||||
@@ -534,22 +534,27 @@ block_insert(
|
||||
if (b_insert)
|
||||
{
|
||||
off = (*mb_head_off)(oldp, oldp + offset + spaces);
|
||||
+ spaces -= off;
|
||||
+ count -= off;
|
||||
}
|
||||
else
|
||||
{
|
||||
- off = (*mb_off_next)(oldp, oldp + offset);
|
||||
- offset += off;
|
||||
+ // spaces fill the gap, the character that's at the edge moves
|
||||
+ // right
|
||||
+ off = (*mb_head_off)(oldp, oldp + offset);
|
||||
+ offset -= off;
|
||||
}
|
||||
- spaces -= off;
|
||||
- count -= off;
|
||||
}
|
||||
|
||||
- newp = alloc(STRLEN(oldp) + s_len + count + 1);
|
||||
+ // Make sure the allocated size matches what is actually copied below.
|
||||
+ newp = alloc(STRLEN(oldp) + spaces + s_len
|
||||
+ + (spaces > 0 && !bdp->is_short ? ts_val - spaces : 0)
|
||||
+ + count + 1);
|
||||
if (newp == NULL)
|
||||
continue;
|
||||
|
||||
// copy up to shifted part
|
||||
- mch_memmove(newp, oldp, (size_t)(offset));
|
||||
+ mch_memmove(newp, oldp, (size_t)offset);
|
||||
oldp += offset;
|
||||
|
||||
// insert pre-padding
|
||||
@@ -560,14 +565,21 @@ block_insert(
|
||||
mch_memmove(newp + startcol, s, (size_t)s_len);
|
||||
offset += s_len;
|
||||
|
||||
- if (spaces && !bdp->is_short)
|
||||
+ if (spaces > 0 && !bdp->is_short)
|
||||
{
|
||||
- // insert post-padding
|
||||
- vim_memset(newp + offset + spaces, ' ', (size_t)(ts_val - spaces));
|
||||
- // We're splitting a TAB, don't copy it.
|
||||
- oldp++;
|
||||
- // We allowed for that TAB, remember this now
|
||||
- count++;
|
||||
+ if (*oldp == TAB)
|
||||
+ {
|
||||
+ // insert post-padding
|
||||
+ vim_memset(newp + offset + spaces, ' ',
|
||||
+ (size_t)(ts_val - spaces));
|
||||
+ // we're splitting a TAB, don't copy it
|
||||
+ oldp++;
|
||||
+ // We allowed for that TAB, remember this now
|
||||
+ count++;
|
||||
+ }
|
||||
+ else
|
||||
+ // Not a TAB, no extra spaces
|
||||
+ count = spaces;
|
||||
}
|
||||
|
||||
if (spaces > 0)
|
||||
@@ -1574,7 +1586,7 @@ op_insert(oparg_T *oap, long count1)
|
||||
oap->start_vcol = t;
|
||||
}
|
||||
else if (oap->op_type == OP_APPEND
|
||||
- && oap->end.col + oap->end.coladd
|
||||
+ && oap->start.col + oap->start.coladd
|
||||
>= curbuf->b_op_start_orig.col
|
||||
+ curbuf->b_op_start_orig.coladd)
|
||||
{
|
||||
diff --git a/src/testdir/test_visual.vim b/src/testdir/test_visual.vim
|
||||
index 7c5f973..dc8e376 100644
|
||||
--- a/src/testdir/test_visual.vim
|
||||
+++ b/src/testdir/test_visual.vim
|
||||
@@ -967,4 +967,13 @@ func Test_visual_put_in_block()
|
||||
bwipe!
|
||||
endfunc
|
||||
|
||||
+func Test_visual_block_append_invalid_char()
|
||||
+ " this was going over the end of the line
|
||||
+ new
|
||||
+ call setline(1, [' let xxx', 'xxxxx', 'xxxxxxxxxxx'])
|
||||
+ exe "normal 0\<C-V>jjA-\<Esc>"
|
||||
+ call assert_equal([' - let xxx', 'xxxxx -', 'xxxxxxxx-xxx'], getline(1, 3))
|
||||
+ bwipe!
|
||||
+endfunc
|
||||
+
|
||||
" vim: shiftwidth=2 sts=2 expandtab
|
8
vim.spec
8
vim.spec
|
@ -27,7 +27,7 @@ Summary: The VIM editor
|
|||
URL: http://www.vim.org/
|
||||
Name: vim
|
||||
Version: %{baseversion}.%{patchlevel}
|
||||
Release: 10%{?dist}
|
||||
Release: 11%{?dist}
|
||||
License: Vim and MIT
|
||||
Source0: ftp://ftp.vim.org/pub/vim/unix/vim-%{baseversion}-%{patchlevel}.tar.bz2
|
||||
Source1: virc
|
||||
|
@ -88,6 +88,8 @@ Patch3027: 0001-patch-8.2.3669-buffer-overflow-with-long-help-argume.patch
|
|||
Patch3028: 0001-patch-8.2.3950-going-beyond-the-end-of-the-line-with.patch
|
||||
# CVE-2021-4192 vim: vulnerable to Use After Free
|
||||
Patch3029: 0001-patch-8.2.3949-using-freed-memory-with-V.patch
|
||||
# CVE-2022-0261 vim: Heap-based Buffer Overflow in block_insert() in src/ops.c
|
||||
Patch3030: 0001-patch-8.2.4120-block-insert-goes-over-the-end-of-the.patch
|
||||
|
||||
# gcc is no longer in buildroot by default
|
||||
BuildRequires: gcc
|
||||
|
@ -304,6 +306,7 @@ perl -pi -e "s,bin/nawk,bin/awk,g" runtime/tools/mve.awk
|
|||
%patch3027 -p1 -b .cve4019
|
||||
%patch3028 -p1 -b .cve4193
|
||||
%patch3029 -p1 -b .cve4192
|
||||
%patch3030 -p1 -b .cve0261
|
||||
|
||||
%build
|
||||
cd src
|
||||
|
@ -861,6 +864,9 @@ touch %{buildroot}/%{_datadir}/%{name}/vimfiles/doc/tags
|
|||
%endif
|
||||
|
||||
%changelog
|
||||
* Thu Jan 27 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.2.2637-11
|
||||
- CVE-2022-0261 vim: Heap-based Buffer Overflow in block_insert() in src/ops.c
|
||||
|
||||
* Thu Jan 13 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.2.2637-10
|
||||
- CVE-2021-4193 vim: vulnerable to Out-of-bounds Read
|
||||
- CVE-2021-4192 vim: vulnerable to Use After Free
|
||||
|
|
Loading…
Reference in New Issue