packages/vim
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix CVE-2022-1154

Browse Source
This commit is contained in:
shixuantong 2022-05-16 17:46:48 +08:00
parent 992f4f00a0
commit 2e848f5b8e
2 changed files with 67 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

59
backport-CVE-2022-1154.patch Normal file
View File

@ -0,0 +1,59 @@
From b55986c52d4cd88a22d0b0b0e8a79547ba13e1d5 Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Tue, 29 Mar 2022 13:24:58 +0100
Subject: [PATCH] patch 8.2.4646: using buffer line after it has been freed
Problem: Using buffer line after it has been freed in old regexp engine.
Solution: After getting mark get the line again.
---
src/regexp_bt.c | 9 +++++++++
src/testdir/test_regexp_latin.vim | 7 +++++++
2 files changed, 16 insertions(+)
diff --git a/src/regexp_bt.c b/src/regexp_bt.c
index e017ba5..ff92576 100644
--- a/src/regexp_bt.c
+++ b/src/regexp_bt.c
@@ -3188,8 +3188,17 @@ regmatch(
int mark = OPERAND(scan)[0];
int cmp = OPERAND(scan)[1];
pos_T *pos;
+ size_t col = REG_MULTI ? rex.input - rex.line : 0;
pos = getmark_buf(rex.reg_buf, mark, FALSE);
+
+ // Line may have been freed, get it again.
+ if (REG_MULTI)
+ {
+ rex.line = reg_getline(rex.lnum);
+ rex.input = rex.line + col;
+ }
+
if (pos == NULL // mark doesn't exist
|| pos->lnum <= 0 // mark isn't set in reg_buf
|| (pos->lnum == rex.lnum + rex.reg_firstlnum
diff --git a/src/testdir/test_regexp_latin.vim b/src/testdir/test_regexp_latin.vim
index 5b1db5a..a242d91 100644
--- a/src/testdir/test_regexp_latin.vim
+++ b/src/testdir/test_regexp_latin.vim
@@ -152,10 +152,17 @@ endfunc
func Test_using_mark_position()
" this was using freed memory
+ " new engine
new
norm O0
call assert_fails("s/\\%')", 'E486:')
bwipe!
+
+ " old engine
+ new
+ norm O0
+ call assert_fails("s/\\%#=1\\%')", 'E486:')
+ bwipe!
endfunc
func Test_using_invalid_visual_position()
--
1.8.3.1

9
vim.spec
View File

@ -11,7 +11,7 @@
Name: vim
Epoch: 2
Version: 8.2
Release: 25
Release: 26
Summary: Vim is a highly configurable text editor for efficiently creating and changing any kind of text.
License: Vim and MIT
URL: http://www.vim.org
@ -83,6 +83,7 @@ Patch6049: backport-CVE-2022-0729.patch
Patch6050: backport-CVE-2022-0685.patch
Patch6051: backport-CVE-2022-0943.patch
Patch6052: backport-CVE-2022-1616.patch
Patch6053: backport-CVE-2022-1154.patch
Patch9000: bugfix-rm-modify-info-version.patch
Patch9001: remove-failed-tests-due-to-patch.patch
@ -485,6 +486,12 @@ LC_ALL=en_US.UTF-8 make -j1 test
%{_mandir}/man1/evim.*
%changelog
* Mon May 16 2022 shixuantong <shixuantong@h-partners.com> - 2:8.2-26
- Type:CVE
- ID:CVE-2022-1154
- SUG:NA
- DESC:fix CVE-2022-1154
* Mon May 09 2022 shangyibin <shangyibin1@h-partners.com> - 2:8.2-25
- Type:CVE
- ID:CVE-2022-1616