From 2ed4952b168ac672d687fe0b2f157d8d0427cc49 Mon Sep 17 00:00:00 2001
From: shangyibin
Date: Mon, 9 May 2022 15:14:53 +0800
Subject: [PATCH] CVE-2022-1616
(cherry picked from commit dc7ea9fcedd944e08f352b3ff1c9edf7a293f764)
---
 backport-CVE-2022-1616.patch | 58 ++++++++++++++++++++++++++++++++++++
 vim.spec | 9 +++++-
 2 files changed, 66 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2022-1616.patch
diff --git a/backport-CVE-2022-1616.patch b/backport-CVE-2022-1616.patch
new file mode 100644
index 0000000..4751e75
--- /dev/null
+++ b/backport-CVE-2022-1616.patch
@@ -0,0 +1,58 @@
+From d88934406c5375d88f8f1b65331c9f0cab68cc6c Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar
+Date: Fri, 6 May 2022 20:38:47 +0100
+Subject: [PATCH] patch 8.2.4895: buffer overflow with invalid command with
+ composing chars
+
+Problem: Buffer overflow with invalid command with composing chars.
+Solution: Check that the whole character fits in the buffer.
+---
+ src/ex_docmd.c | 4 +++-
+ src/testdir/test_cmdline.vim | 11 +++++++++++
+ 2 files changed, 14 insertions(+), 1 deletion(-)
+
+diff --git a/src/ex_docmd.c b/src/ex_docmd.c
+index dfcbf37..f142c46 100644
+--- a/src/ex_docmd.c
++++ b/src/ex_docmd.c
+@@ -3092,7 +3092,7 @@ append_command(char_u *cmd)
+
+ STRCAT(IObuff, ": ");
+ d = IObuff + STRLEN(IObuff);
+- while (*s != NUL && d - IObuff < IOSIZE - 7)
++ while (*s != NUL && d - IObuff + 5 < IOSIZE)
+ {
+ if (enc_utf8 ? (s[0] == 0xc2 && s[1] == 0xa0) : *s == 0xa0)
+ {
+@@ -3100,6 +3100,8 @@ append_command(char_u *cmd)
+ STRCPY(d, "");
+ d += 4;
+ }
++ else if (d - IObuff + (*mb_ptr2len)(s) + 1 >= IOSIZE)
++ break;
+ else
+ MB_COPY_CHAR(s, d);
+ }
+diff --git a/src/testdir/test_cmdline.vim b/src/testdir/test_cmdline.vim
+index 5297951..41a73d2 100644
+--- a/src/testdir/test_cmdline.vim
++++ b/src/testdir/test_cmdline.vim
+@@ -870,4 +870,15 @@ func Test_cmdwin_cedit()
+ delfunc CmdWinType
+ endfunc
+
++" this was going over the end of IObuff
++func Test_report_error_with_composing()
++ let caught = 'no'
++ try
++ exe repeat('0', 987) .. "0\xdd\x80\xdd\x80\xdd\x80\xdd\x80"
++ catch /E492:/
++ let caught = 'yes'
++ endtry
++ call assert_equal('yes', caught)
++endfunc
++
+ " vim: shiftwidth=2 sts=2 expandtab
+--
+2.27.0
+
diff --git a/vim.spec b/vim.spec
index 33db6fe..4b20bb9 100644
--- a/vim.spec
+++ b/vim.spec
@@ -11,7 +11,7 @@
 Name: vim
 Epoch: 2
 Version: 8.2
-Release: 24
+Release: 25
 Summary: Vim is a highly configurable text editor for efficiently creating and changing any kind of text.
 License: Vim and MIT
 URL: http://www.vim.org
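Review bot: In the append_command() change to src/ex_docmd.c carried by backport-CVE-2022-1616.patch, the two new bounds `d - IObuff + 5 < IOSIZE` and `d - IObuff + (*mb_ptr2len)(s) + 1 >= IOSIZE` use bare constants with no comment. From the visible lines the 5 looks like the 4 bytes the non-breaking-space branch writes (`d += 4`) plus the terminating NUL, and the `+ 1` like the NUL after a multi-byte character, so I would add `// need room for the 4-byte replacement and the NUL` above the `while` and `// the whole character, composing chars included, must fit` above the `else if`. The new test hard-codes `repeat('0', 987)`, which presumably places the composing sequence at the end of IObuff only for the current IOSIZE and E492 message text; a comment stating that dependency would keep the regression test meaningful if either changes. As shown on this page the literal in `STRCPY(d, "")` is empty although `d` advances by 4, which is probably a rendering loss, but worth confirming against the patch file as committed. The function starts and ends outside the embedded hunks, so the final terminator write is not visible here.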
@@ -82,6 +82,7 @@ Patch6048: backport-CVE-2022-0714.patch Patch6049: backport-CVE-2022-0729.patch Patch6050: backport-CVE-2022-0685.patch Patch6051: backport-CVE-2022-0943.patch +Patch6052: backport-CVE-2022-1616.patch Patch9000: bugfix-rm-modify-info-version.patch Patch9001: remove-failed-tests-due-to-patch.patch @@ -484,6 +485,12 @@ LC_ALL=en_US.UTF-8 make -j1 test %{_mandir}/man1/evim.* %changelog +* Mon May 09 2022 shangyibin - 2:8.2-25 +- Type:CVE +- ID:CVE-2022-1616 +- SUG:NA +- DESC:fix CVE-2022-1616 + * Thu Mar 24 2022 yuanxin - 2:8.2-24 - Type:CVE - ID:CVE-2022-0943 -- Gitee