CVE-2022-0572 vim: heap overflow in ex_retab() may lead to crash

Resolves: CVE-2022-0572
2022-02-16 10:44:26 +01:00 · 2022-02-16 10:44:26 +01:00 · fa96bd974d
commit fa96bd974d
parent 33c9a2555d
2 changed files with 68 additions and 1 deletions
--- a/0001-patch-8.2.4359-crash-when-repeatedly-using-retab.patch
+++ b/0001-patch-8.2.4359-crash-when-repeatedly-using-retab.patch
@ -0,0 +1,61 @@
 diff --git a/src/errors.h b/src/errors.h
 index 3008020..3daf1a6 100644
 --- a/src/errors.h
 +++ b/src/errors.h
@@ -381,3 +381,5 @@ EXTERN char e_missing_end_block[]
 	INIT(= N_("E1171: Missing } after inline function"));
 EXTERN char e_cannot_use_default_values_in_lambda[]
 	INIT(= N_("E1172: Cannot use default values in a lambda"));
 +EXTERN char e_resulting_text_too_long[]
 +	INIT(= N_("E1240: Resulting text too long"));
 diff --git a/src/indent.c b/src/indent.c
 index 4f909d0..77d8b0a 100644
 --- a/src/indent.c
 +++ b/src/indent.c
@@ -1696,6 +1696,11 @@ ex_retab(exarg_T *eap)
 	    if (ptr[col] == NUL)
 		break;
 	    vcol += chartabsize(ptr + col, (colnr_T)vcol);
 +	    if (vcol >= MAXCOL)
 +	    {
 +		emsg(_(e_resulting_text_too_long));
 +		break;
 +	    }
 	    if (has_mbyte)
 		col += (*mb_ptr2len)(ptr + col);
 	    else
 diff --git a/src/testdir/test_retab.vim b/src/testdir/test_retab.vim
 index c7190aa..6133e8f 100644
 --- a/src/testdir/test_retab.vim
 +++ b/src/testdir/test_retab.vim
@@ -70,6 +70,8 @@ func Test_retab()
   call assert_equal("    a       b        c    ",         Retab('!', 3))
   call assert_equal("    a       b        c    ",         Retab('',  5))
   call assert_equal("    a       b        c    ",         Retab('!', 5))
 +
 +  set tabstop& expandtab&
 endfunc
 func Test_retab_error()
@@ -80,4 +82,21 @@ func Test_retab_error()
   call assert_fails('ret 80000000000000000000', 'E475:')
 endfunc
 +func Test_retab_endless()
 +  new
 +  call setline(1, "\t0\t")
 +  let caught = 'no'
 +  try
 +    while 1
 +      set ts=4000
 +      retab 4
 +    endwhile
 +  catch /E1240/
 +    let caught = 'yes'
 +  endtry
 +  bwipe!
 +  set tabstop&
 +endfunc
 +
 +
 " vim: shiftwidth=2 sts=2 expandtab
--- a/vim.spec
+++ b/vim.spec
@ -27,7 +27,7 @@ Summary: The VIM editor
 URL:     http://www.vim.org/
 Name: vim
 Version: %{baseversion}.%{patchlevel}
-Release: 12%{?dist}
+Release: 13%{?dist}
 License: Vim and MIT
 Source0: ftp://ftp.vim.org/pub/vim/unix/vim-%{baseversion}-%{patchlevel}.tar.bz2
 Source1: virc
@ -110,6 +110,8 @@ Patch3038: 0001-patch-8.2.4253-using-freed-memory-when-substitute-wi.patch
 Patch3039: 0001-patch-8.2.4281-using-freed-memory-with-lopen-and-bwi.patch
 # CVE-2022-0392 vim: heap-based buffer overflow in getexmodeline() in ex_getln.c
 Patch3040: 0001-patch-8.2.4218-illegal-memory-access-with-bracketed-.patch
 # CVE-2022-0572 vim: heap overflow in ex_retab() may lead to crash
 Patch3041: 0001-patch-8.2.4359-crash-when-repeatedly-using-retab.patch
 # gcc is no longer in buildroot by default
 BuildRequires: gcc
@ -337,6 +339,7 @@ perl -pi -e "s,bin/nawk,bin/awk,g" runtime/tools/mve.awk
 %patch3038 -p1 -b .cve0413
 %patch3039 -p1 -b .cve0443
 %patch3040 -p1 -b .cve0392
 %patch3041 -p1 -b .cve0572
 %build
 cd src
@ -894,6 +897,9 @@ touch %{buildroot}/%{_datadir}/%{name}/vimfiles/doc/tags
 %endif
 %changelog
 * Wed Feb 16 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.2.2637-13
 - CVE-2022-0572 vim: heap overflow in ex_retab() may lead to crash
 * Thu Feb 10 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.2.2637-12
 - CVE-2022-0413 vim: use after free in src/ex_cmds.c
 - CVE-2022-0443 vim: heap-use-after-free in enter_buffer() of src/buffer.c