diff --git a/0001-patch-8.2.4120-block-insert-goes-over-the-end-of-the.patch b/0001-patch-8.2.4120-block-insert-goes-over-the-end-of-the.patch
new file mode 100644
index 0000000..a248a8a
--- /dev/null
+++ b/0001-patch-8.2.4120-block-insert-goes-over-the-end-of-the.patch
@@ -0,0 +1,94 @@
+diff --git a/src/ops.c b/src/ops.c
+index d8e96ff..88992b6 100644
+--- a/src/ops.c
++++ b/src/ops.c
+@@ -534,22 +534,27 @@ block_insert(
+ if (b_insert)
+ {
+ off = (*mb_head_off)(oldp, oldp + offset + spaces);
++ spaces -= off;
++ count -= off;
+ }
+ else
+ {
+- off = (*mb_off_next)(oldp, oldp + offset);
+- offset += off;
++ // spaces fill the gap, the character that's at the edge moves
++ // right
++ off = (*mb_head_off)(oldp, oldp + offset);
++ offset -= off;
+ }
+- spaces -= off;
+- count -= off;
+ }
+
+- newp = alloc(STRLEN(oldp) + s_len + count + 1);
++ // Make sure the allocated size matches what is actually copied below.
++ newp = alloc(STRLEN(oldp) + spaces + s_len
++ + (spaces > 0 && !bdp->is_short ? ts_val - spaces : 0)
++ + count + 1);
+ if (newp == NULL)
+ continue;
+
+ // copy up to shifted part
+- mch_memmove(newp, oldp, (size_t)(offset));
++ mch_memmove(newp, oldp, (size_t)offset);
+ oldp += offset;
+
+ // insert pre-padding
+@@ -560,14 +565,21 @@ block_insert(
+ mch_memmove(newp + startcol, s, (size_t)s_len);
+ offset += s_len;
+
+- if (spaces && !bdp->is_short)
++ if (spaces > 0 && !bdp->is_short)
+ {
+- // insert post-padding
+- vim_memset(newp + offset + spaces, ' ', (size_t)(ts_val - spaces));
+- // We're splitting a TAB, don't copy it.
+- oldp++;
+- // We allowed for that TAB, remember this now
+- count++;
++ if (*oldp == TAB)
++ {
++ // insert post-padding
++ vim_memset(newp + offset + spaces, ' ',
++ (size_t)(ts_val - spaces));
++ // we're splitting a TAB, don't copy it
++ oldp++;
++ // We allowed for that TAB, remember this now
++ count++;
++ }
++ else
++ // Not a TAB, no extra spaces
++ count = spaces;
+ }
+
+ if (spaces > 0)
+@@ -1574,7 +1586,7 @@ op_insert(oparg_T *oap, long count1)
+ oap->start_vcol = t;
+ }
+ else if (oap->op_type == OP_APPEND
+- && oap->end.col + oap->end.coladd
++ && oap->start.col + oap->start.coladd
+ >= curbuf->b_op_start_orig.col
+ + curbuf->b_op_start_orig.coladd)
+ {
+diff --git a/src/testdir/test_visual.vim b/src/testdir/test_visual.vim
+index 7c5f973..dc8e376 100644
+--- a/src/testdir/test_visual.vim
++++ b/src/testdir/test_visual.vim
+@@ -967,4 +967,13 @@ func Test_visual_put_in_block()
+ bwipe!
+ endfunc
+
++func Test_visual_block_append_invalid_char()
++ " this was going over the end of the line
++ new
++ call setline(1, [' let xxx', 'xxxxxˆ', 'xxxxxxxxxxx'])
++ exe "normal 0\jjA-\"
++ call assert_equal([' - let xxx', 'xxxxx -ˆ', 'xxxxxxxx-xxx'], getline(1, 3))
++ bwipe!
++endfunc
++
+ " vim: shiftwidth=2 sts=2 expandtab
diff --git a/vim.spec b/vim.spec
index 234c6df..6c7979d 100644
--- a/vim.spec
+++ b/vim.spec
@@ -27,7 +27,7 @@ Summary: The VIM editor
 URL: http://www.vim.org/
 Name: vim
 Version: %{baseversion}.%{patchlevel}
-Release: 10%{?dist}
+Release: 11%{?dist}
 License: Vim and MIT
 Source0: ftp://ftp.vim.org/pub/vim/unix/vim-%{baseversion}-%{patchlevel}.tar.bz2
 Source1: virc
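Review bot: The regression test added in the embedded test_visual.vim hunk, `exe "normal 0\jjA-\"`, as rendered here has lost the key-notation tokens that presumably sat at `0\` and `-\` (Vim's `\<C-V>` to enter blockwise Visual mode and `\<Esc>` to leave Insert), so the trailing `\"` escapes the closing quote and the command would neither parse nor exercise the block-append path the fix targets. This may be a display artifact of this page rather than of the packaged file, but since Test_visual_block_append_invalid_char is the only coverage in the patch for the new `*oldp == TAB` guard and the enlarged `alloc()` size, it is worth confirming that the bytes in Patch3030 read `exe "normal 0\<C-V>jjA-\<Esc>"` and that the assert actually runs during the build. Separately, in the non-TAB branch (`count = spaces;`) the allocation still reserves the `ts_val - spaces` post-padding bytes that are only written in the TAB branch; that is a harmless over-allocation, but a one-line comment at the `alloc()` call, `// ts_val - spaces is only consumed when a TAB is split; otherwise slack`, would spare the next reader from re-deriving the bound. Both `block_insert` and `op_insert` begin and end outside the hunks shown in this patch.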
@@ -88,6 +88,8 @@ Patch3027: 0001-patch-8.2.3669-buffer-overflow-with-long-help-argume.patch
 Patch3028: 0001-patch-8.2.3950-going-beyond-the-end-of-the-line-with.patch
 # CVE-2021-4192 vim: vulnerable to Use After Free
 Patch3029: 0001-patch-8.2.3949-using-freed-memory-with-V.patch
+# CVE-2022-0261 vim: Heap-based Buffer Overflow in block_insert() in src/ops.c
+Patch3030: 0001-patch-8.2.4120-block-insert-goes-over-the-end-of-the.patch
 
 # gcc is no longer in buildroot by default
 BuildRequires: gcc
@@ -304,6 +306,7 @@ perl -pi -e "s,bin/nawk,bin/awk,g" runtime/tools/mve.awk
 %patch3027 -p1 -b .cve4019
 %patch3028 -p1 -b .cve4193
 %patch3029 -p1 -b .cve4192
+%patch3030 -p1 -b .cve0261
 
 %build
 cd src
@@ -861,6 +864,9 @@ touch %{buildroot}/%{_datadir}/%{name}/vimfiles/doc/tags
 %endif
 
 %changelog
+* Thu Jan 27 2022 Zdenek Dohnal - 2:8.2.2637-11
+- CVE-2022-0261 vim: Heap-based Buffer Overflow in block_insert() in src/ops.c
+
 * Thu Jan 13 2022 Zdenek Dohnal - 2:8.2.2637-10
 - CVE-2021-4193 vim: vulnerable to Out-of-bounds Read
 - CVE-2021-4192 vim: vulnerable to Use After Free