From b2adf98c277dab6f069da4536af193f2db41538a Mon Sep 17 00:00:00 2001
From: shangyibin
Date: Mon, 9 May 2022 16:07:18 +0800
Subject: [PATCH] CVE-2022-1616
---
 backport-CVE-2022-1616.patch | 58 ++++++++++++++++++++++++++++++++++++
 vim.spec | 9 +++++-
 2 files changed, 66 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2022-1616.patch
diff --git a/backport-CVE-2022-1616.patch b/backport-CVE-2022-1616.patch
new file mode 100644
index 0000000..4751e75
--- /dev/null
+++ b/backport-CVE-2022-1616.patch
@@ -0,0 +1,58 @@
+From d88934406c5375d88f8f1b65331c9f0cab68cc6c Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar
+Date: Fri, 6 May 2022 20:38:47 +0100
+Subject: [PATCH] patch 8.2.4895: buffer overflow with invalid command with
+ composing chars
+
+Problem: Buffer overflow with invalid command with composing chars.
+Solution: Check that the whole character fits in the buffer.
+---
+ src/ex_docmd.c | 4 +++-
+ src/testdir/test_cmdline.vim | 11 +++++++++++
+ 2 files changed, 14 insertions(+), 1 deletion(-)
+
+diff --git a/src/ex_docmd.c b/src/ex_docmd.c
+index dfcbf37..f142c46 100644
+--- a/src/ex_docmd.c
++++ b/src/ex_docmd.c
+@@ -3092,7 +3092,7 @@ append_command(char_u *cmd)
+
+ STRCAT(IObuff, ": ");
+ d = IObuff + STRLEN(IObuff);
+- while (*s != NUL && d - IObuff < IOSIZE - 7)
++ while (*s != NUL && d - IObuff + 5 < IOSIZE)
+ {
+ if (enc_utf8 ? (s[0] == 0xc2 && s[1] == 0xa0) : *s == 0xa0)
+ {
+@@ -3100,6 +3100,8 @@ append_command(char_u *cmd)
+ STRCPY(d, "");
+ d += 4;
+ }
++ else if (d - IObuff + (*mb_ptr2len)(s) + 1 >= IOSIZE)
++ break;
+ else
+ MB_COPY_CHAR(s, d);
+ }
+diff --git a/src/testdir/test_cmdline.vim b/src/testdir/test_cmdline.vim
+index 5297951..41a73d2 100644
+--- a/src/testdir/test_cmdline.vim
++++ b/src/testdir/test_cmdline.vim
+@@ -870,4 +870,15 @@ func Test_cmdwin_cedit()
+ delfunc CmdWinType
+ endfunc
+
++" this was going over the end of IObuff
++func Test_report_error_with_composing()
++ let caught = 'no'
++ try
++ exe repeat('0', 987) .. "0\xdd\x80\xdd\x80\xdd\x80\xdd\x80"
++ catch /E492:/
++ let caught = 'yes'
++ endtry
++ call assert_equal('yes', caught)
++endfunc
++
+ " vim: shiftwidth=2 sts=2 expandtab
+--
+2.27.0
+
diff --git a/vim.spec b/vim.spec
index 4f8c329..718898d 100644
--- a/vim.spec
+++ b/vim.spec
@@ -12,7 +12,7 @@
 Name: vim
 Epoch: 2
 Version: 8.2
-Release: 31
+Release: 32
 Summary: Vim is a highly configurable text editor for efficiently creating and changing any kind of text.
 License: Vim and MIT
 URL: http://www.vim.org
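Review bot: In the `src/ex_docmd.c` hunks carried by the backport, the two limits in the `append_command` copy loop (`d - IObuff + 5 < IOSIZE` and `d - IObuff + (*mb_ptr2len)(s) + 1 >= IOSIZE`) are bare arithmetic with no statement of what each one reserves, and the removed `IOSIZE - 7` margin shows how easily a fixed reserve goes wrong. I would record the invariant next to each: on the loop condition `// room for the 4-byte replacement written below plus the NUL`, and on the new branch `// the whole character, composing bytes included, plus the NUL must fit`. Both readings are inferred from `d += 4` and the commit message, since `MB_COPY_CHAR` and `mb_ptr2len` are defined outside this page. The function begins and ends outside the hunks, so whatever terminates `IObuff` after the loop is not visible here and is worth checking against the same bound once the backport is applied to the packaged 8.2 tree.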
@@ -93,6 +93,7 @@ Patch6056: backport-CVE-2022-0554.patch
 Patch6057: backport-CVE-2022-0943.patch
 Patch6058: backport-CVE-2021-4069.patch
 Patch6059: backport-CVE-2022-0629.patch
+Patch6060: backport-CVE-2022-1616.patch
 Patch9000: bugfix-rm-modify-info-version.patch
@@ -481,6 +482,12 @@ popd
 %{_mandir}/man1/evim.*
 %changelog
+* Mon May 09 2022 shangyibin - 2:8.2-32
+- Type:CVE
+- ID:CVE-2022-1616
+- SUG:NA
+- DESC:fix CVE-2022-1616
+
 * Fri Apr 1 2022 wangjiang - 2:8.2-31
 - Type:CVE
 - ID:CVE-2022-0629
--
Gitee