!382 fix CVE-2022-3099

From: @renxichen Reviewed-by: @markeryang, @lvying6 Signed-off-by: @lvying6
2022-09-09 09:20:29 +00:00 · 2022-09-09 09:20:29 +00:00 · 9f3e5942db
commit 9f3e5942db
parent 738aca9625 a7a8a8c9fb
2 changed files with 65 additions and 1 deletions
--- a/backport-CVE-2022-3099.patch
+++ b/backport-CVE-2022-3099.patch
@ -0,0 +1,57 @@
+From 35d21c6830fc2d68aca838424a0e786821c5891c Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Fri, 2 Sep 2022 16:47:16 +0100
+Subject: [PATCH] patch 9.0.0360: crash when invalid line number on :for is
+ ignored
+
+Problem:    Crash when invalid line number on :for is ignored.
+Solution:   Do not check breakpoint for non-existing line.
+---
+ src/ex_docmd.c                  |  2 +-
+ src/testdir/test_eval_stuff.vim | 13 +++++++++++++
+ 2 files changed, 14 insertions(+), 1 deletion(-)
+
+diff --git a/src/ex_docmd.c b/src/ex_docmd.c
+index ae1f195..0b6b217 100644
+--- a/src/ex_docmd.c
+++ b/src/ex_docmd.c
+@@ -1068,7 +1068,7 @@ do_cmdline(
+ 
+ 		    // Check for the next breakpoint at or after the ":while"
+ 		    // or ":for".
+-		    if (breakpoint != NULL)
+		    if (breakpoint != NULL && lines_ga.ga_len > current_line)
+ 		    {
+ 			*breakpoint = dbg_find_breakpoint(
+ 			       getline_equal(fgetline, cookie, getsourceline),
+diff --git a/src/testdir/test_eval_stuff.vim b/src/testdir/test_eval_stuff.vim
+index 313d791..934286b 100644
+--- a/src/testdir/test_eval_stuff.vim
+++ b/src/testdir/test_eval_stuff.vim
+@@ -1,5 +1,7 @@
+ " Tests for various eval things.
+ 
+source shared.vim
+
+ function s:foo() abort
+   try
+     return [] == 0
+@@ -221,3 +223,15 @@ func Test_deep_recursion()
+   " this was running out of stack
+   call assert_fails("exe 'if ' .. repeat('(', 1002)", 'E1169: Expression too recursive: ((')
+ endfunc
+
+func Test_for_invalid_line_count()
+  let lines =<< trim END
+      111111111111111111111111 for line in ['one']
+      endfor
+  END
+  call writefile(lines, 'XinvalidFor')
+  " only test that this doesn't crash
+  call RunVim([], [], '-u NONE -e -s -S XinvalidFor -c qa')
+
+  call delete('XinvalidFor')
+endfunc
+-- 
+1.8.3.1
+
--- a/vim.spec
+++ b/vim.spec
@ -11,7 +11,7 @@
 Name:           vim
 Epoch:          2
 Version:        8.2
-Release:        54
+Release:        55
 Summary:        Vim is a highly configurable text editor for efficiently creating and changing any kind of text.
 License:        Vim and MIT
 URL:            http://www.vim.org
@ -157,6 +157,7 @@ Patch6123:      backport-CVE-2022-2946.patch
 Patch6124:      backport-CVE-2022-2980.patch
 Patch6125:      backport-patch-8.2.1677-memory-access-errors-when-calling-set.patch
 Patch6126:      backport-CVE-2022-3016.patch
+Patch6127:      backport-CVE-2022-3099.patch

 Patch9000:      bugfix-rm-modify-info-version.patch
 Patch9001:      remove-failed-tests-due-to-patch.patch
@ -559,6 +560,12 @@ LC_ALL=en_US.UTF-8 make -j1 test
 %{_mandir}/man1/evim.*

 %changelog
+* Thu Sep 08 2022 renhongxun <renhongxun@h-partners.com> - 2:8.2-55
+- Type:CVE
+- ID:CVE-2022-3099
+- SUG:NA
+- DESC:fix CVE-2022-3099
+
 * Mon Aug 29 2022 shixuantong <shixuantong@h-partners.com> - 2:8.2-54
 - Type:CVE
 - ID:CVE-2022-3016