CVE-2022-0261 vim: Heap-based Buffer Overflow in block_insert() in src/ops.c

Resolves: CVE-2022-0261
2022-01-27 17:54:47 +01:00 · 2022-01-27 17:54:47 +01:00 · f5e8ebfed2
parent 520837ecc5
commit f5e8ebfed2
2 changed files with 101 additions and 1 deletions
--- a/0001-patch-8.2.4120-block-insert-goes-over-the-end-of-the.patch
+++ b/0001-patch-8.2.4120-block-insert-goes-over-the-end-of-the.patch
@ -0,0 +1,94 @@
+diff --git a/src/ops.c b/src/ops.c
+index d8e96ff..88992b6 100644
+--- a/src/ops.c
+++ b/src/ops.c
+@@ -534,22 +534,27 @@ block_insert(
+ 	    if (b_insert)
+ 	    {
+ 		off = (*mb_head_off)(oldp, oldp + offset + spaces);
+		spaces -= off;
+		count -= off;
+ 	    }
+ 	    else
+ 	    {
+-		off = (*mb_off_next)(oldp, oldp + offset);
+-		offset += off;
+		// spaces fill the gap, the character that's at the edge moves
+		// right
+		off = (*mb_head_off)(oldp, oldp + offset);
+		offset -= off;
+ 	    }
+-	    spaces -= off;
+-	    count -= off;
+ 	}
+ 
+-	newp = alloc(STRLEN(oldp) + s_len + count + 1);
+	// Make sure the allocated size matches what is actually copied below.
+	newp = alloc(STRLEN(oldp) + spaces + s_len
+		    + (spaces > 0 && !bdp->is_short ? ts_val - spaces : 0)
+								  + count + 1);
+ 	if (newp == NULL)
+ 	    continue;
+ 
+ 	// copy up to shifted part
+-	mch_memmove(newp, oldp, (size_t)(offset));
+	mch_memmove(newp, oldp, (size_t)offset);
+ 	oldp += offset;
+ 
+ 	// insert pre-padding
+@@ -560,14 +565,21 @@ block_insert(
+ 	mch_memmove(newp + startcol, s, (size_t)s_len);
+ 	offset += s_len;
+ 
+-	if (spaces && !bdp->is_short)
+	if (spaces > 0 && !bdp->is_short)
+ 	{
+-	    // insert post-padding
+-	    vim_memset(newp + offset + spaces, ' ', (size_t)(ts_val - spaces));
+-	    // We're splitting a TAB, don't copy it.
+-	    oldp++;
+-	    // We allowed for that TAB, remember this now
+-	    count++;
+	    if (*oldp == TAB)
+	    {
+		// insert post-padding
+		vim_memset(newp + offset + spaces, ' ',
+						    (size_t)(ts_val - spaces));
+		// we're splitting a TAB, don't copy it
+		oldp++;
+		// We allowed for that TAB, remember this now
+		count++;
+	    }
+	    else
+		// Not a TAB, no extra spaces
+		count = spaces;
+ 	}
+ 
+ 	if (spaces > 0)
+@@ -1574,7 +1586,7 @@ op_insert(oparg_T *oap, long count1)
+ 		oap->start_vcol = t;
+ 	    }
+ 	    else if (oap->op_type == OP_APPEND
+-		      && oap->end.col + oap->end.coladd
+		      && oap->start.col + oap->start.coladd
+ 			>= curbuf->b_op_start_orig.col
+ 					      + curbuf->b_op_start_orig.coladd)
+ 	    {
+diff --git a/src/testdir/test_visual.vim b/src/testdir/test_visual.vim
+index 7c5f973..dc8e376 100644
+--- a/src/testdir/test_visual.vim
+++ b/src/testdir/test_visual.vim
+@@ -967,4 +967,13 @@ func Test_visual_put_in_block()
+   bwipe!
+ endfunc
+ 
+func Test_visual_block_append_invalid_char()
+  " this was going over the end of the line
+  new
+  call setline(1, ['	   let xxx', 'xxxxx', 'xxxxxxxxxxx'])
+  exe "normal 0\<C-V>jjA-\<Esc>"
+  call assert_equal(['	-   let xxx', 'xxxxx   -', 'xxxxxxxx-xxx'], getline(1, 3))
+  bwipe!
+endfunc
+
+ " vim: shiftwidth=2 sts=2 expandtab
--- a/vim.spec
+++ b/vim.spec
@ -27,7 +27,7 @@ Summary: The VIM editor
 URL:     http://www.vim.org/
 Name: vim
 Version: %{baseversion}.%{patchlevel}
-Release: 10%{?dist}
+Release: 11%{?dist}
 License: Vim and MIT
 Source0: ftp://ftp.vim.org/pub/vim/unix/vim-%{baseversion}-%{patchlevel}.tar.bz2
 Source1: virc
@ -88,6 +88,8 @@ Patch3027: 0001-patch-8.2.3669-buffer-overflow-with-long-help-argume.patch
 Patch3028: 0001-patch-8.2.3950-going-beyond-the-end-of-the-line-with.patch
 # CVE-2021-4192 vim: vulnerable to Use After Free
 Patch3029: 0001-patch-8.2.3949-using-freed-memory-with-V.patch
+# CVE-2022-0261 vim: Heap-based Buffer Overflow in block_insert() in src/ops.c
+Patch3030: 0001-patch-8.2.4120-block-insert-goes-over-the-end-of-the.patch

 # gcc is no longer in buildroot by default
 BuildRequires: gcc
@ -304,6 +306,7 @@ perl -pi -e "s,bin/nawk,bin/awk,g" runtime/tools/mve.awk
 %patch3027 -p1 -b .cve4019
 %patch3028 -p1 -b .cve4193
 %patch3029 -p1 -b .cve4192
+%patch3030 -p1 -b .cve0261

 %build
 cd src
@ -861,6 +864,9 @@ touch %{buildroot}/%{_datadir}/%{name}/vimfiles/doc/tags
 %endif

 %changelog
+* Thu Jan 27 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.2.2637-11
+- CVE-2022-0261 vim: Heap-based Buffer Overflow in block_insert() in src/ops.c
+
 * Thu Jan 13 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.2.2637-10
 - CVE-2021-4193 vim: vulnerable to Out-of-bounds Read
 - CVE-2021-4192 vim: vulnerable to Use After Free