diff --git a/0001-patch-8.2.4359-crash-when-repeatedly-using-retab.patch b/0001-patch-8.2.4359-crash-when-repeatedly-using-retab.patch
new file mode 100644
index 0000000..276843a
--- /dev/null
+++ b/0001-patch-8.2.4359-crash-when-repeatedly-using-retab.patch
@@ -0,0 +1,61 @@
+diff --git a/src/errors.h b/src/errors.h
+index 3008020..3daf1a6 100644
+--- a/src/errors.h
++++ b/src/errors.h
+@@ -381,3 +381,5 @@ EXTERN char e_missing_end_block[]
+ INIT(= N_("E1171: Missing } after inline function"));
+ EXTERN char e_cannot_use_default_values_in_lambda[]
+ INIT(= N_("E1172: Cannot use default values in a lambda"));
++EXTERN char e_resulting_text_too_long[]
++ INIT(= N_("E1240: Resulting text too long"));
+diff --git a/src/indent.c b/src/indent.c
+index 4f909d0..77d8b0a 100644
+--- a/src/indent.c
++++ b/src/indent.c
+@@ -1696,6 +1696,11 @@ ex_retab(exarg_T *eap)
+ if (ptr[col] == NUL)
+ break;
+ vcol += chartabsize(ptr + col, (colnr_T)vcol);
++ if (vcol >= MAXCOL)
++ {
++ emsg(_(e_resulting_text_too_long));
++ break;
++ }
+ if (has_mbyte)
+ col += (*mb_ptr2len)(ptr + col);
+ else
+diff --git a/src/testdir/test_retab.vim b/src/testdir/test_retab.vim
+index c7190aa..6133e8f 100644
+--- a/src/testdir/test_retab.vim
++++ b/src/testdir/test_retab.vim
+@@ -70,6 +70,8 @@ func Test_retab()
+ call assert_equal(" a b c ", Retab('!', 3))
+ call assert_equal(" a b c ", Retab('', 5))
+ call assert_equal(" a b c ", Retab('!', 5))
++
++ set tabstop& expandtab&
+ endfunc
+
+ func Test_retab_error()
+@@ -80,4 +82,21 @@ func Test_retab_error()
+ call assert_fails('ret 80000000000000000000', 'E475:')
+ endfunc
+
++func Test_retab_endless()
++ new
++ call setline(1, "\t0\t")
++ let caught = 'no'
++ try
++ while 1
++ set ts=4000
++ retab 4
++ endwhile
++ catch /E1240/
++ let caught = 'yes'
++ endtry
++ bwipe!
++ set tabstop&
++endfunc
++
++
+ " vim: shiftwidth=2 sts=2 expandtab
diff --git a/vim.spec b/vim.spec
index f2b0373..aa49305 100644
--- a/vim.spec
+++ b/vim.spec
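Review bot: The added Test_retab_endless in the src/testdir/test_retab.vim part of the new patch file sets `caught` to 'yes' in the `catch /E1240/` branch but never checks it, so the regression test for this fix does not assert that E1240 was raised; adding `call assert_equal('yes', caught)` after `endtry` would pin that. In the src/indent.c part, the new `break` after `emsg(_(e_resulting_text_too_long))` leaves only the innermost enclosing loop, which starts outside the hunk. Whether ex_retab then stops or carries on with the remaining lines, possibly reporting the error once per line, cannot be confirmed from here and is worth checking against the full function. A one-line comment above the check, such as `// Stop before vcol reaches MAXCOL, see CVE-2022-0572.`, would record why the limit exists.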
@@ -27,7 +27,7 @@ Summary: The VIM editor URL: http://www.vim.org/ Name: vim Version: %{baseversion}.%{patchlevel} -Release: 12%{?dist} +Release: 13%{?dist} License: Vim and MIT Source0: ftp://ftp.vim.org/pub/vim/unix/vim-%{baseversion}-%{patchlevel}.tar.bz2 Source1: virc @@ -110,6 +110,8 @@ Patch3038: 0001-patch-8.2.4253-using-freed-memory-when-substitute-wi.patch Patch3039: 0001-patch-8.2.4281-using-freed-memory-with-lopen-and-bwi.patch # CVE-2022-0392 vim: heap-based buffer overflow in getexmodeline() in ex_getln.c Patch3040: 0001-patch-8.2.4218-illegal-memory-access-with-bracketed-.patch +# CVE-2022-0572 vim: heap overflow in ex_retab() may lead to crash +Patch3041: 0001-patch-8.2.4359-crash-when-repeatedly-using-retab.patch # gcc is no longer in buildroot by default BuildRequires: gcc @@ -337,6 +339,7 @@ perl -pi -e "s,bin/nawk,bin/awk,g" runtime/tools/mve.awk %patch3038 -p1 -b .cve0413 %patch3039 -p1 -b .cve0443 %patch3040 -p1 -b .cve0392 +%patch3041 -p1 -b .cve0572 %build cd src @@ -894,6 +897,9 @@ touch %{buildroot}/%{_datadir}/%{name}/vimfiles/doc/tags %endif %changelog +* Wed Feb 16 2022 Zdenek Dohnal - 2:8.2.2637-13 +- CVE-2022-0572 vim: heap overflow in ex_retab() may lead to crash + * Thu Feb 10 2022 Zdenek Dohnal - 2:8.2.2637-12 - CVE-2022-0413 vim: use after free in src/ex_cmds.c - CVE-2022-0443 vim: heap-use-after-free in enter_buffer() of src/buffer.c