CVE-2022-1927 vim: buffer over-read in utf_ptr2char() in mbyte.c
Resolves: CVE-2022-1927
This commit is contained in:
parent
bac1f99e54
commit
f77538d02c
106
0001-patch-8.2.5037-cursor-position-may-be-invalid-after-.patch
Normal file
106
0001-patch-8.2.5037-cursor-position-may-be-invalid-after-.patch
Normal file
@ -0,0 +1,106 @@
|
|||||||
|
diff -up vim82/src/ex_docmd.c.cve1927 vim82/src/ex_docmd.c
|
||||||
|
--- vim82/src/ex_docmd.c.cve1927 2021-03-22 10:02:42.000000000 +0100
|
||||||
|
+++ vim82/src/ex_docmd.c 2022-06-13 15:29:45.099472751 +0200
|
||||||
|
@@ -3081,6 +3081,8 @@ parse_cmd_address(exarg_T *eap, char **e
|
||||||
|
{
|
||||||
|
int address_count = 1;
|
||||||
|
linenr_T lnum;
|
||||||
|
+ int need_check_cursor = FALSE;
|
||||||
|
+ int ret = FAIL;
|
||||||
|
|
||||||
|
// Repeat for all ',' or ';' separated addresses.
|
||||||
|
for (;;)
|
||||||
|
@@ -3091,7 +3093,7 @@ parse_cmd_address(exarg_T *eap, char **e
|
||||||
|
lnum = get_address(eap, &eap->cmd, eap->addr_type, eap->skip, silent,
|
||||||
|
eap->addr_count == 0, address_count++);
|
||||||
|
if (eap->cmd == NULL) // error detected
|
||||||
|
- return FAIL;
|
||||||
|
+ goto theend;
|
||||||
|
if (lnum == MAXLNUM)
|
||||||
|
{
|
||||||
|
if (*eap->cmd == '%') // '%' - all lines
|
||||||
|
@@ -3136,14 +3138,14 @@ parse_cmd_address(exarg_T *eap, char **e
|
||||||
|
// there is no Vim command which uses '%' and
|
||||||
|
// ADDR_WINDOWS or ADDR_TABS
|
||||||
|
*errormsg = _(e_invrange);
|
||||||
|
- return FAIL;
|
||||||
|
+ goto theend;
|
||||||
|
}
|
||||||
|
break;
|
||||||
|
case ADDR_TABS_RELATIVE:
|
||||||
|
case ADDR_UNSIGNED:
|
||||||
|
case ADDR_QUICKFIX:
|
||||||
|
*errormsg = _(e_invrange);
|
||||||
|
- return FAIL;
|
||||||
|
+ goto theend;
|
||||||
|
case ADDR_ARGUMENTS:
|
||||||
|
if (ARGCOUNT == 0)
|
||||||
|
eap->line1 = eap->line2 = 0;
|
||||||
|
@@ -3175,7 +3177,7 @@ parse_cmd_address(exarg_T *eap, char **e
|
||||||
|
if (eap->addr_type != ADDR_LINES)
|
||||||
|
{
|
||||||
|
*errormsg = _(e_invrange);
|
||||||
|
- return FAIL;
|
||||||
|
+ goto theend;
|
||||||
|
}
|
||||||
|
|
||||||
|
++eap->cmd;
|
||||||
|
@@ -3183,11 +3185,11 @@ parse_cmd_address(exarg_T *eap, char **e
|
||||||
|
{
|
||||||
|
fp = getmark('<', FALSE);
|
||||||
|
if (check_mark(fp) == FAIL)
|
||||||
|
- return FAIL;
|
||||||
|
+ goto theend;
|
||||||
|
eap->line1 = fp->lnum;
|
||||||
|
fp = getmark('>', FALSE);
|
||||||
|
if (check_mark(fp) == FAIL)
|
||||||
|
- return FAIL;
|
||||||
|
+ goto theend;
|
||||||
|
eap->line2 = fp->lnum;
|
||||||
|
++eap->addr_count;
|
||||||
|
}
|
||||||
|
@@ -3202,10 +3204,13 @@ parse_cmd_address(exarg_T *eap, char **e
|
||||||
|
if (!eap->skip)
|
||||||
|
{
|
||||||
|
curwin->w_cursor.lnum = eap->line2;
|
||||||
|
+
|
||||||
|
// Don't leave the cursor on an illegal line or column, but do
|
||||||
|
// accept zero as address, so 0;/PATTERN/ works correctly.
|
||||||
|
+ // Check the cursor position before returning.
|
||||||
|
if (eap->line2 > 0)
|
||||||
|
check_cursor();
|
||||||
|
+ need_check_cursor = TRUE;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
else if (*eap->cmd != ',')
|
||||||
|
@@ -3221,7 +3226,12 @@ parse_cmd_address(exarg_T *eap, char **e
|
||||||
|
if (lnum == MAXLNUM)
|
||||||
|
eap->addr_count = 0;
|
||||||
|
}
|
||||||
|
- return OK;
|
||||||
|
+ ret = OK;
|
||||||
|
+
|
||||||
|
+theend:
|
||||||
|
+ if (need_check_cursor)
|
||||||
|
+ check_cursor();
|
||||||
|
+ return ret;
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
diff -up vim82/src/testdir/test_excmd.vim.cve1927 vim82/src/testdir/test_excmd.vim
|
||||||
|
--- vim82/src/testdir/test_excmd.vim.cve1927 2022-06-13 15:26:53.941517542 +0200
|
||||||
|
+++ vim82/src/testdir/test_excmd.vim 2022-06-13 15:30:53.972860361 +0200
|
||||||
|
@@ -536,4 +536,13 @@ func Test_sandbox()
|
||||||
|
sandbox call Sandbox_tests()
|
||||||
|
endfunc
|
||||||
|
|
||||||
|
+" This was leaving the cursor in line zero
|
||||||
|
+func Test_using_zero_in_range()
|
||||||
|
+ new
|
||||||
|
+ norm o00
|
||||||
|
+ silent! 0;s/\%')
|
||||||
|
+ bwipe!
|
||||||
|
+endfunc
|
||||||
|
+
|
||||||
|
+
|
||||||
|
" vim: shiftwidth=2 sts=2 expandtab
|
4
vim.spec
4
vim.spec
@ -132,6 +132,8 @@ Patch3049: 0001-patch-8.2.4925-trailing-backslash-may-cause-reading-.patch
|
|||||||
Patch3050: 0001-patch-8.2.4977-memory-access-error-when-substitute-e.patch
|
Patch3050: 0001-patch-8.2.4977-memory-access-error-when-substitute-e.patch
|
||||||
# CVE-2022-1897 vim: out-of-bounds write in vim_regsub_both() in regexp.c
|
# CVE-2022-1897 vim: out-of-bounds write in vim_regsub_both() in regexp.c
|
||||||
Patch3051: 0001-patch-8.2.5023-substitute-overwrites-allocated-buffe.patch
|
Patch3051: 0001-patch-8.2.5023-substitute-overwrites-allocated-buffe.patch
|
||||||
|
# CVE-2022-1927 vim: buffer over-read in utf_ptr2char() in mbyte.c
|
||||||
|
Patch3052: 0001-patch-8.2.5037-cursor-position-may-be-invalid-after-.patch
|
||||||
|
|
||||||
# gcc is no longer in buildroot by default
|
# gcc is no longer in buildroot by default
|
||||||
BuildRequires: gcc
|
BuildRequires: gcc
|
||||||
@ -370,6 +372,7 @@ perl -pi -e "s,bin/nawk,bin/awk,g" runtime/tools/mve.awk
|
|||||||
%patch3049 -p1 -b .cve1629
|
%patch3049 -p1 -b .cve1629
|
||||||
%patch3050 -p1 -b .cve1785
|
%patch3050 -p1 -b .cve1785
|
||||||
%patch3051 -p1 -b .cve1897
|
%patch3051 -p1 -b .cve1897
|
||||||
|
%patch3052 -p1 -b .cve1927
|
||||||
|
|
||||||
%build
|
%build
|
||||||
cd src
|
cd src
|
||||||
@ -930,6 +933,7 @@ touch %{buildroot}/%{_datadir}/%{name}/vimfiles/doc/tags
|
|||||||
* Mon Jun 13 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.2.2637-19
|
* Mon Jun 13 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.2.2637-19
|
||||||
- CVE-2022-1785 vim: Out-of-bounds Write
|
- CVE-2022-1785 vim: Out-of-bounds Write
|
||||||
- CVE-2022-1897 vim: out-of-bounds write in vim_regsub_both() in regexp.c
|
- CVE-2022-1897 vim: out-of-bounds write in vim_regsub_both() in regexp.c
|
||||||
|
- CVE-2022-1927 vim: buffer over-read in utf_ptr2char() in mbyte.c
|
||||||
|
|
||||||
* Tue May 24 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.2.2637-18
|
* Tue May 24 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.2.2637-18
|
||||||
- CVE-2022-1621 vim: heap buffer overflow
|
- CVE-2022-1621 vim: heap buffer overflow
|
||||||
|
Loading…
Reference in New Issue
Block a user