!397 fix CVE-2022-3234 CVE-2022-3235

From: @dongyuzhen Reviewed-by: @lvying6 Signed-off-by: @lvying6
2022-09-21 03:25:08 +00:00 · 2022-09-21 03:25:08 +00:00 · 7d26754549
commit 7d26754549
parent 9710307115 c9ded5fb74
3 changed files with 160 additions and 1 deletions
--- a/backport-CVE-2022-3234.patch
+++ b/backport-CVE-2022-3234.patch
@ -0,0 +1,78 @@
+From c249913edc35c0e666d783bfc21595cf9f7d9e0d Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Fri, 16 Sep 2022 22:16:59 +0100
+Subject: [PATCH] patch 9.0.0483: illegal memory access when replacing in
+ virtualedit mode
+
+Problem:    Illegal memory access when replacing in virtualedit mode.
+Solution:   Check for replacing NUL after Tab.
+---
+ src/ops.c                        | 12 ++++++++++--
+ src/testdir/test_virtualedit.vim | 14 ++++++++++++++
+ 2 files changed, 24 insertions(+), 2 deletions(-)
+
+diff --git a/src/ops.c b/src/ops.c
+index 9926c00..b4185c7 100644
+--- a/src/ops.c
+++ b/src/ops.c
+@@ -1183,6 +1183,8 @@ op_replace(oparg_T *oap, int c)
+ 
+ 	while (LTOREQ_POS(curwin->w_cursor, oap->end))
+ 	{
+	    int done = FALSE;
+
+ 	    n = gchar_cursor();
+ 	    if (n != NUL)
+ 	    {
+@@ -1193,6 +1195,7 @@ op_replace(oparg_T *oap, int c)
+ 		    if (curwin->w_cursor.lnum == oap->end.lnum)
+ 			oap->end.col += (*mb_char2len)(c) - (*mb_char2len)(n);
+ 		    replace_character(c);
+		    done = TRUE;
+ 		}
+ 		else
+ 		{
+@@ -1211,10 +1214,15 @@ op_replace(oparg_T *oap, int c)
+ 			if (curwin->w_cursor.lnum == oap->end.lnum)
+ 			    getvpos(&oap->end, end_vcol);
+ 		    }
+-		    PBYTE(curwin->w_cursor, c);
+		    // with "coladd" set may move to just after a TAB
+		    if (gchar_cursor() != NUL)
+		    {
+			PBYTE(curwin->w_cursor, c);
+			done = TRUE;
+		    }
+ 		}
+ 	    }
+-	    else if (virtual_op && curwin->w_cursor.lnum == oap->end.lnum)
+	    if (!done && virtual_op && curwin->w_cursor.lnum == oap->end.lnum)
+ 	    {
+ 		int virtcols = oap->end.coladd;
+ 
+diff --git a/src/testdir/test_virtualedit.vim b/src/testdir/test_virtualedit.vim
+index 25ca33f..451a996 100644
+--- a/src/testdir/test_virtualedit.vim
+++ b/src/testdir/test_virtualedit.vim
+@@ -343,4 +343,18 @@ func Test_yank_paste_small_del_reg()
+   set virtualedit=
+ endfunc
+ 
+" this was replacing the NUL at the end of the line 
+func Test_virtualedit_replace_after_tab()
+  new
+  s/\v/	0
+  set ve=all
+  let @" = ''
+  sil! norm vPvr0
+  
+  call assert_equal("\t0", getline(1))
+  set ve&
+  bwipe!
+endfunc
+
+
+ " vim: shiftwidth=2 sts=2 expandtab
+-- 
+2.27.0
+
--- a/backport-CVE-2022-3235.patch
+++ b/backport-CVE-2022-3235.patch
@ -0,0 +1,73 @@
+From 1c3dd8ddcba63c1af5112e567215b3cec2de11d0 Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Sat, 17 Sep 2022 19:43:23 +0100
+Subject: [PATCH] patch 9.0.0490: using freed memory with cmdwin and BufEnter
+ autocmd
+
+Problem:    Using freed memory with cmdwin and BufEnter autocmd.
+Solution:   Make sure pointer to b_p_iminsert is still valid.
+---
+ src/ex_getln.c               |  6 +++++-
+ src/testdir/test_cmdline.vim | 10 ++++++++++
+ 2 files changed, 15 insertions(+), 1 deletion(-)
+
+diff --git a/src/ex_getln.c b/src/ex_getln.c
+index 8383eee..b299bd0 100644
+--- a/src/ex_getln.c
+++ b/src/ex_getln.c
+@@ -817,6 +817,7 @@ getcmdline_int(
+ #endif
+     expand_T	xpc;
+     long	*b_im_ptr = NULL;
+    buf_T	*b_im_ptr_buf = NULL;	// buffer where b_im_ptr is valid
+     cmdline_info_T save_ccline;
+     int		did_save_ccline = FALSE;
+     int		cmdline_type;
+@@ -938,6 +939,7 @@ getcmdline_int(
+ 	    b_im_ptr = &curbuf->b_p_iminsert;
+ 	else
+ 	    b_im_ptr = &curbuf->b_p_imsearch;
+	b_im_ptr_buf = curbuf;
+ 	if (*b_im_ptr == B_IMODE_LMAP)
+ 	    State |= LANGMAP;
+ #ifdef HAVE_INPUT_METHOD
+@@ -1666,6 +1668,7 @@ getcmdline_int(
+ 		goto cmdline_not_changed;
+ 
+ 	case Ctrl_HAT:
+		b_im_ptr = buf_valid(b_im_ptr_buf) ? b_im_ptr : NULL;
+ 		if (map_to_exists_mode((char_u *)"", LANGMAP, FALSE))
+ 		{
+ 		    // ":lmap" mappings exists, toggle use of mappings.
+@@ -2430,7 +2433,8 @@ returncmd:
+ 
+     State = save_State;
+ #ifdef HAVE_INPUT_METHOD
+-    if (b_im_ptr != NULL && *b_im_ptr != B_IMODE_LMAP)
+    if (b_im_ptr != NULL && buf_valid(b_im_ptr_buf)
+						  && *b_im_ptr != B_IMODE_LMAP)
+ 	im_save_status(b_im_ptr);
+     im_set_active(FALSE);
+ #endif
+diff --git a/src/testdir/test_cmdline.vim b/src/testdir/test_cmdline.vim
+index 33808d7..aceaba7 100644
+--- a/src/testdir/test_cmdline.vim
+++ b/src/testdir/test_cmdline.vim
+@@ -943,4 +943,14 @@ func Test_cmdwin_virtual_edit()
+   set ve= cpo-=$
+ endfunc
+ 
+" This was using a pointer to a freed buffer
+func Test_cmdwin_freed_buffer_ptr()
+  au BufEnter * next 0| file 
+  edit 0
+  silent! norm q/
+
+  au! BufEnter
+  bwipe!
+endfunc
+
+ " vim: shiftwidth=2 sts=2 expandtab
+-- 
+2.33.0
+
--- a/vim.spec
+++ b/vim.spec
@ -11,7 +11,7 @@
 Name:           vim
 Epoch:          2
 Version:        8.2
-Release:        56
+Release:        57
 Summary:        Vim is a highly configurable text editor for efficiently creating and changing any kind of text.
 License:        Vim and MIT
 URL:            http://www.vim.org
@ -159,6 +159,8 @@ Patch6125:      backport-patch-8.2.1677-memory-access-errors-when-calling-set.pa
 Patch6126:      backport-CVE-2022-3016.patch
 Patch6127:      backport-CVE-2022-3099.patch
 Patch6128:      backport-CVE-2022-3134.patch
+Patch6129:      backport-CVE-2022-3234.patch
+Patch6130:      backport-CVE-2022-3235.patch

 Patch9000:      bugfix-rm-modify-info-version.patch
 Patch9001:      remove-failed-tests-due-to-patch.patch
@ -561,6 +563,12 @@ LC_ALL=en_US.UTF-8 make -j1 test
 %{_mandir}/man1/evim.*

 %changelog
+* Tue Sep 20 2022 dongyuzhen <dongyuzhen@h-partners.com> - 2:8.2-57
+- Type:CVE
+- ID:CVE-2022-3234 CVE-2022-3235
+- SUG:NA
+- DESC:fix CVE-2022-3234 CVE-2022-3235
+
 * Wed Sep 14 2022 wangjiang <wangjiang37@h-partners.com> - 2:8.2-56
 - Type:CVE
 - ID:CVE-2022-3134