!412 [sync] PR-407: fix CVE-2022-3352

From: @openeuler-sync-bot Reviewed-by: @lvying6 Signed-off-by: @lvying6
2022-10-11 02:16:27 +00:00 · 2022-10-11 02:16:27 +00:00 · 18499e4633
commit 18499e4633
parent 5bb2289dd1 bed35feb5f
2 changed files with 85 additions and 1 deletions
--- a/backport-CVE-2022-3352.patch
+++ b/backport-CVE-2022-3352.patch
@ -0,0 +1,77 @@
+From ef976323e770315b5fca544efb6b2faa25674d15 Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Wed, 28 Sep 2022 11:48:30 +0100
+Subject: [PATCH] patch 9.0.0614: SpellFileMissing autocmd may delete buffer
+
+Problem:    SpellFileMissing autocmd may delete buffer.
+Solution:   Disallow deleting the current buffer to avoid using freed memory.
+---
+ src/buffer.c                 |  6 +++++-
+ src/spell.c                  |  6 ++++++
+ src/testdir/test_autocmd.vim | 11 +++++++++++
+ 3 files changed, 22 insertions(+), 1 deletion(-)
+
+diff --git a/src/buffer.c b/src/buffer.c
+index f66c234..b647d82 100644
+--- a/src/buffer.c
+++ b/src/buffer.c
+@@ -465,8 +465,12 @@ can_unload_buffer(buf_T *buf)
+ 	    }
+     }
+     if (!can_unload)
+    {
+	char_u *fname = buf->b_fname != NULL ? buf->b_fname : buf->b_ffname;
+
+ 	semsg(_("E937: Attempt to delete a buffer that is in use: %s"),
+-								 buf->b_fname);
+				fname != NULL ? fname : (char_u *)"[No Name]");
+    }
+     return can_unload;
+ }
+ 
+diff --git a/src/spell.c b/src/spell.c
+index 1d7a1ae..e32dbe7 100644
+--- a/src/spell.c
+++ b/src/spell.c
+@@ -1539,6 +1539,10 @@ spell_load_lang(char_u *lang)
+     sl.sl_slang = NULL;
+     sl.sl_nobreak = FALSE;
+ 
+    // Disallow deleting the current buffer.  Autocommands can do weird things
+    // and cause "lang" to be freed.
+    ++curbuf->b_locked;
+
+     // We may retry when no spell file is found for the language, an
+     // autocommand may load it then.
+     for (round = 1; round <= 2; ++round)
+@@ -1592,6 +1596,8 @@ spell_load_lang(char_u *lang)
+ 	STRCPY(fname_enc + STRLEN(fname_enc) - 3, "add.spl");
+ 	do_in_runtimepath(fname_enc, DIP_ALL, spell_load_cb, &sl);
+     }
+
+    --curbuf->b_locked;
+ }
+ 
+ /*
+diff --git a/src/testdir/test_autocmd.vim b/src/testdir/test_autocmd.vim
+index 27ec80d..e7ffc37 100755
+--- a/src/testdir/test_autocmd.vim
+++ b/src/testdir/test_autocmd.vim
+@@ -2343,3 +2343,14 @@ func Test_BufWrite_lockmarks()
+   call delete('Xtest')
+   call delete('Xtest2')
+ endfunc
+
+" this was wiping out the current buffer and using freed memory
+func Test_SpellFileMissing_bwipe()
+  next 0
+  au SpellFileMissing 0 bwipe
+  call assert_fails('set spell spelllang=0', 'E937:')
+
+  au! SpellFileMissing
+  bwipe
+endfunc
+
+-- 
+2.27.0
+
--- a/vim.spec
+++ b/vim.spec
@ -11,7 +11,7 @@
 Name:           vim
 Epoch:          2
 Version:        8.2
-Release:        58
+Release:        59
 Summary:        Vim is a highly configurable text editor for efficiently creating and changing any kind of text.
 License:        Vim and MIT
 URL:            http://www.vim.org
@ -162,6 +162,7 @@ Patch6128:      backport-CVE-2022-3134.patch
 Patch6129:      backport-CVE-2022-3234.patch
 Patch6130:      backport-CVE-2022-3235.patch
 Patch6131:      backport-CVE-2022-3256.patch
+Patch6132:      backport-CVE-2022-3352.patch

 Patch9000:      bugfix-rm-modify-info-version.patch
 Patch9001:      remove-failed-tests-due-to-patch.patch
@ -564,6 +565,12 @@ LC_ALL=en_US.UTF-8 make -j1 test
 %{_mandir}/man1/evim.*

 %changelog
+* Sat Oct 08 2022 dongyuzhen <dongyuzhen@h-partners.com> - 2:8.2-59
+- Type:CVE
+- ID:CVE-2022-3352
+- SUG:NA
+- DESC:fix CVE-2022-3352
+
 * Fri Sep 23 2022 dongyuzhen <dongyuzhen@h-partners.com> - 2:8.2-58
 - Type:CVE
 - ID:CVE-2022-3256