From eb9d827451291d536f48346c805f630dbddbe3df Mon Sep 17 00:00:00 2001 From: shixuantong <1726671442@qq.com> Date: Sat, 21 May 2022 18:02:08 +0800 Subject: [PATCH] fix CVE-2022-1629 CVE-2022-1620 CVE-2022-1674 CVE-2022-1621 CVE-2022-1619 --- backport-CVE-2022-1619.patch | 53 +++++ backport-CVE-2022-1620.patch | 45 +++++ backport-CVE-2022-1621.patch | 85 ++++++++ backport-CVE-2022-1629.patch | 56 ++++++ backport-CVE-2022-1674.patch | 44 +++++ ...line-editing-not-sufficiently-tested.patch | 187 ++++++++++++++++++ ...ml-text-objects-are-not-fully-tested.patch | 164 +++++++++++++++ ...de-coverage-for-ex_docmd.c_functions.patch | 109 ++++++++++ ...ls-because-of-new-illegal-byte-check.patch | 34 ++++ vim.spec | 17 +- 10 files changed, 793 insertions(+), 1 deletion(-) create mode 100644 backport-CVE-2022-1619.patch create mode 100644 backport-CVE-2022-1620.patch create mode 100644 backport-CVE-2022-1621.patch create mode 100644 backport-CVE-2022-1629.patch create mode 100644 backport-CVE-2022-1674.patch create mode 100644 backport-command-line-editing-not-sufficiently-tested.patch create mode 100644 backport-html-text-objects-are-not-fully-tested.patch create mode 100644 backport-insufficient-code-coverage-for-ex_docmd.c_functions.patch create mode 100644 backport-spell-test-fails-because-of-new-illegal-byte-check.patch diff --git a/backport-CVE-2022-1619.patch b/backport-CVE-2022-1619.patch new file mode 100644 index 0000000..1e6eebf --- /dev/null +++ b/backport-CVE-2022-1619.patch @@ -0,0 +1,53 @@ +From ef02f16609ff0a26ffc6e20263523424980898fe Mon Sep 17 00:00:00 2001 +From: Bram Moolenaar +Date: Sat, 7 May 2022 10:49:10 +0100 +Subject: [PATCH] patch 8.2.4899: with latin1 encoding CTRL-W might go before + the cmdline + +Problem: With latin1 encoding CTRL-W might go before the start of the +command line. +Solution: Check already being at the start of the command line. +--- + src/ex_getln.c | 11 +++++++---- + src/testdir/test_cmdline.vim | 3 +++ + 2 files changed, 10 insertions(+), 4 deletions(-) + +diff --git a/src/ex_getln.c b/src/ex_getln.c +index 68b4757..771a9cd 100644 +--- a/src/ex_getln.c ++++ b/src/ex_getln.c +@@ -1583,10 +1583,13 @@ getcmdline_int( + { + while (p > ccline.cmdbuff && vim_isspace(p[-1])) + --p; +- i = vim_iswordc(p[-1]); +- while (p > ccline.cmdbuff && !vim_isspace(p[-1]) +- && vim_iswordc(p[-1]) == i) +- --p; ++ if (p > ccline.cmdbuff) ++ { ++ i = vim_iswordc(p[-1]); ++ while (p > ccline.cmdbuff && !vim_isspace(p[-1]) ++ && vim_iswordc(p[-1]) == i) ++ --p; ++ } + } + else + --p; +diff --git a/src/testdir/test_cmdline.vim b/src/testdir/test_cmdline.vim +index cbf7986..1ccdbe2 100644 +--- a/src/testdir/test_cmdline.vim ++++ b/src/testdir/test_cmdline.vim +@@ -476,6 +476,9 @@ func Test_cmdline_remove_char() + + call feedkeys(":abc def\\\\"\", 'tx') + call assert_equal('"def', @:, e) ++ ++ " This was going before the start in latin1. ++ call feedkeys(": \\", 'tx') + endfor + + let &encoding = encoding_save +-- +1.8.3.1 + diff --git a/backport-CVE-2022-1620.patch b/backport-CVE-2022-1620.patch new file mode 100644 index 0000000..99ec950 --- /dev/null +++ b/backport-CVE-2022-1620.patch @@ -0,0 +1,45 @@ +From 8e4b76da1d7e987d43ca960dfbc372d1c617466f Mon Sep 17 00:00:00 2001 +From: Bram Moolenaar +Date: Sat, 7 May 2022 11:28:06 +0100 +Subject: [PATCH] patch 8.2.4901: NULL pointer access when using invalid + pattern + +Problem: NULL pointer access when using invalid pattern. +Solution: Check for failed regexp program. +--- + src/buffer.c | 2 +- + src/testdir/test_buffer.vim | 7 +++++++ + 2 files changed, 8 insertions(+), 1 deletion(-) + +diff --git a/src/buffer.c b/src/buffer.c +index 5801bce..758d920 100644 +--- a/src/buffer.c ++++ b/src/buffer.c +@@ -2830,7 +2830,7 @@ fname_match( + rmp->rm_ic = p_fic || ignore_case; + if (vim_regexec(rmp, name, (colnr_T)0)) + match = name; +- else ++ else if (rmp->regprog != NULL) + { + // Replace $(HOME) with '~' and try matching again. + p = home_replace_save(NULL, name); +diff --git a/src/testdir/test_buffer.vim b/src/testdir/test_buffer.vim +index dc35bb4..8300f3d 100644 +--- a/src/testdir/test_buffer.vim ++++ b/src/testdir/test_buffer.vim +@@ -63,4 +63,11 @@ func Test_bunload_with_offset() + call delete('b4') + endfunc + ++" this was using a NULL pointer after failing to use the pattern ++func Test_buf_pattern_invalid() ++ vsplit 0000000 ++ silent! buf [0--]\&\zs*\zs*e ++ bwipe! ++endfunc ++ + " vim: shiftwidth=2 sts=2 expandtab +-- +1.8.3.1 + diff --git a/backport-CVE-2022-1621.patch b/backport-CVE-2022-1621.patch new file mode 100644 index 0000000..1be3b02 --- /dev/null +++ b/backport-CVE-2022-1621.patch @@ -0,0 +1,85 @@ +From 7c824682d2028432ee082703ef0ab399867a089b Mon Sep 17 00:00:00 2001 +From: Bram Moolenaar +Date: Sun, 8 May 2022 22:32:58 +0100 +Subject: [PATCH] patch 8.2.4919: can add invalid bytes with :spellgood + +Problem: Can add invalid bytes with :spellgood. +Solution: Check for a valid word string. +--- + src/globals.h | 5 +++++ + src/mbyte.c | 2 +- + src/spellfile.c | 10 ++++++++++ + src/testdir/test_spellfile.vim | 6 ++++++ + 4 files changed, 22 insertions(+), 1 deletion(-) + +diff --git a/src/globals.h b/src/globals.h +index 7be3bfd..086d04e 100644 +--- a/src/globals.h ++++ b/src/globals.h +@@ -1745,3 +1745,8 @@ EXTERN int did_repeated_msg INIT(= 0); + # define REPEATED_MSG_LOOKING 1 + # define REPEATED_MSG_SAFESTATE 2 + #endif ++ ++#ifdef FEAT_SPELL ++EXTERN char e_illegal_character_in_word[] ++ INIT(= N_("E1280: Illegal character in word")); ++#endif +diff --git a/src/mbyte.c b/src/mbyte.c +index 5dd2562..28c5e85 100644 +--- a/src/mbyte.c ++++ b/src/mbyte.c +@@ -4045,7 +4045,7 @@ theend: + convert_setup(&vimconv, NULL, NULL); + } + +-#if defined(FEAT_GUI_GTK) || defined(PROTO) ++#if defined(FEAT_GUI_GTK) || defined(FEAT_SPELL) || defined(PROTO) + /* + * Return TRUE if string "s" is a valid utf-8 string. + * When "end" is NULL stop at the first NUL. +diff --git a/src/spellfile.c b/src/spellfile.c +index b9451ec..5171572 100644 +--- a/src/spellfile.c ++++ b/src/spellfile.c +@@ -4366,6 +4366,10 @@ store_word( + int res = OK; + char_u *p; + ++ // Avoid adding illegal bytes to the word tree. ++ if (enc_utf8 && !utf_valid_string(word, NULL)) ++ return FAIL; ++ + (void)spell_casefold(word, len, foldword, MAXWLEN); + for (p = pfxlist; res == OK; ++p) + { +@@ -6167,6 +6171,12 @@ spell_add_word( + int i; + char_u *spf; + ++ if (enc_utf8 && !utf_valid_string(word, NULL)) ++ { ++ emsg(_(e_illegal_character_in_word)); ++ return; ++ } ++ + if (idx == 0) // use internal wordlist + { + if (int_wordlist == NULL) +diff --git a/src/testdir/test_spellfile.vim b/src/testdir/test_spellfile.vim +index 53eca84..1382c02 100644 +--- a/src/testdir/test_spellfile.vim ++++ b/src/testdir/test_spellfile.vim +@@ -170,3 +170,9 @@ func Test_spell_normal() + set spellfile= + bw! + endfunc ++ ++" Invalid bytes may cause trouble when creating the word list. ++func Test_check_for_valid_word() ++ call assert_fails("spellgood! 0^B\xac", 'E1280:') ++endfunc ++ +-- +1.8.3.1 + diff --git a/backport-CVE-2022-1629.patch b/backport-CVE-2022-1629.patch new file mode 100644 index 0000000..37e2ea1 --- /dev/null +++ b/backport-CVE-2022-1629.patch @@ -0,0 +1,56 @@ +From 53a70289c2712808e6d4e88927e03cac01b470dd Mon Sep 17 00:00:00 2001 +From: Bram Moolenaar +Date: Mon, 9 May 2022 13:15:07 +0100 +Subject: [PATCH] patch 8.2.4925: trailing backslash may cause reading past end + of line + +Problem: Trailing backslash may cause reading past end of line. +Solution: Check for NUL after backslash. +--- + src/search.c | 4 ++++ + src/testdir/test_textobjects.vim | 10 +++++++++- + 2 files changed, 13 insertions(+), 1 deletion(-) + +diff --git a/src/search.c b/src/search.c +index 1a5dc1a..75f0c59 100644 +--- a/src/search.c ++++ b/src/search.c +@@ -4457,7 +4457,11 @@ find_next_quote( + if (c == NUL) + return -1; + else if (escape != NULL && vim_strchr(escape, c)) ++ { + ++col; ++ if (line[col] == NUL) ++ return -1; ++ } + else if (c == quotechar) + break; + if (has_mbyte) +diff --git a/src/testdir/test_textobjects.vim b/src/testdir/test_textobjects.vim +index 49fc9c8..3fc0283 100644 +--- a/src/testdir/test_textobjects.vim ++++ b/src/testdir/test_textobjects.vim +@@ -154,10 +154,18 @@ func Test_string_html_objects() + call assert_equal('-', getline('.'), e) + + set quoteescape& ++ ++ " this was going beyond the end of the line ++ %del ++ sil! norm i"\ ++ sil! norm i"\ ++ sil! norm i"\ ++ call assert_equal('"\', getline(1)) ++ ++ bwipe! + endfor + + set enc=utf-8 +- bwipe! + endfunc + + func Test_empty_html_tag() +-- +1.8.3.1 + diff --git a/backport-CVE-2022-1674.patch b/backport-CVE-2022-1674.patch new file mode 100644 index 0000000..42335e0 --- /dev/null +++ b/backport-CVE-2022-1674.patch @@ -0,0 +1,44 @@ +From a59f2dfd0cf9ee1a584d3de5b7c2d47648e79060 Mon Sep 17 00:00:00 2001 +From: Bram Moolenaar +Date: Wed, 11 May 2022 11:42:28 +0100 +Subject: [PATCH] patch 8.2.4938: crash when matching buffer with invalid + pattern + +Problem: Crash when matching buffer with invalid pattern. +Solution: Check for NULL regprog. +--- + src/buffer.c | 2 +- + src/testdir/test_buffer.vim | 4 ++++ + 2 files changed, 5 insertions(+), 1 deletion(-) + +diff --git a/src/buffer.c b/src/buffer.c +index 758d920..88094ee 100644 +--- a/src/buffer.c ++++ b/src/buffer.c +@@ -2805,7 +2805,7 @@ buflist_match( + + // First try the short file name, then the long file name. + match = fname_match(rmp, buf->b_sfname, ignore_case); +- if (match == NULL) ++ if (match == NULL && rmp->regprog != NULL) + match = fname_match(rmp, buf->b_ffname, ignore_case); + + return match; +diff --git a/src/testdir/test_buffer.vim b/src/testdir/test_buffer.vim +index 8300f3d..6039ff8 100644 +--- a/src/testdir/test_buffer.vim ++++ b/src/testdir/test_buffer.vim +@@ -68,6 +68,10 @@ func Test_buf_pattern_invalid() + vsplit 0000000 + silent! buf [0--]\&\zs*\zs*e + bwipe! ++ ++ vsplit 00000000000000000000000000 ++ silent! buf [0--]\&\zs*\zs*e ++ bwipe! + endfunc + + " vim: shiftwidth=2 sts=2 expandtab +-- +1.8.3.1 + diff --git a/backport-command-line-editing-not-sufficiently-tested.patch b/backport-command-line-editing-not-sufficiently-tested.patch new file mode 100644 index 0000000..978d6aa --- /dev/null +++ b/backport-command-line-editing-not-sufficiently-tested.patch @@ -0,0 +1,187 @@ +From 59cb041d0a56d8555857da7e063ec61504ee1fa7 Mon Sep 17 00:00:00 2001 +From: Bram Moolenaar +Date: Wed, 18 Dec 2019 22:26:31 +0100 +Subject: [PATCH] patch 8.2.0023: command line editing not sufficiently tested +Problem: Command line editing not sufficiently tested. +Solution: Add more tests. (Dominique Pelle, closes #5374) + +Reference:https://github.com/vim/vim/commit/59cb041d0a56d8555857da7e063ec61504ee1fa7 +--- + src/testdir/Make_all.mak | 1 + + src/testdir/test_alot.vim | 1 + + src/testdir/test_cmdline.vim | 56 +++++++++++++++++++++++++++++++++----------- + src/testdir/test_ex_mode.vim | 54 ++++++++++++++++++++++++++++++++++++ + 4 files changed, 98 insertions(+), 14 deletions(-) + create mode 100644 src/testdir/test_ex_mode.vim + +diff --git a/src/testdir/Make_all.mak b/src/testdir/Make_all.mak +index 665bcc7..05e7a2c 100644 +--- a/src/testdir/Make_all.mak ++++ b/src/testdir/Make_all.mak +@@ -102,6 +102,7 @@ NEW_TESTS = \ + test_ex_equal \ + test_ex_undo \ + test_ex_z \ ++ test_ex_mode \ + test_excmd \ + test_exec_while_if \ + test_execute_func \ +diff --git a/src/testdir/test_alot.vim b/src/testdir/test_alot.vim +index 894ec58..25241b2 100644 +--- a/src/testdir/test_alot.vim ++++ b/src/testdir/test_alot.vim +@@ -13,6 +13,7 @@ source test_delete.vim + source test_ex_equal.vim + source test_ex_undo.vim + source test_ex_z.vim ++source test_ex_mode.vim + source test_execute_func.vim + source test_expand.vim + source test_expand_dllpath.vim +diff --git a/src/testdir/test_cmdline.vim b/src/testdir/test_cmdline.vim +index 5297951..837ef63 100644 +--- a/src/testdir/test_cmdline.vim ++++ b/src/testdir/test_cmdline.vim +@@ -419,7 +419,7 @@ func Test_expand_star_star() + call delete('a', 'rf') + endfunc + +-func Test_paste_in_cmdline() ++func Test_cmdline_paste() + let @a = "def" + call feedkeys(":abc \a ghi\\"\", 'tx') + call assert_equal('"abc def ghi', @:) +@@ -459,18 +459,37 @@ func Test_paste_in_cmdline() + bwipe! + endfunc + +-func Test_remove_char_in_cmdline() +- call feedkeys(":abc def\\\\"\", 'tx') +- call assert_equal('"abc ef', @:) ++func Test_cmdline_remove_char() ++ let encoding_save = &encoding ++ ++ for e in ['utf8', 'latin1'] ++ exe 'set encoding=' . e ++ ++ call feedkeys(":abc def\\\\"\", 'tx') ++ call assert_equal('"abc ef', @:, e) ++ ++ call feedkeys(":abc def\\\\"\", 'tx') ++ call assert_equal('"abcdef', @:) ++ ++ call feedkeys(":abc def ghi\\\\"\", 'tx') ++ call assert_equal('"abc ghi', @:, e) + +- call feedkeys(":abc def\\\\"\", 'tx') +- call assert_equal('"abcdef', @:) ++ call feedkeys(":abc def\\\\"\", 'tx') ++ call assert_equal('"def', @:, e) ++ endfor ++ ++ let &encoding = encoding_save ++endfunc + +- call feedkeys(":abc def ghi\\\\"\", 'tx') +- call assert_equal('"abc ghi', @:) ++func Test_cmdline_keymap_ctrl_hat() ++ if !has('keymap') ++ return ++ endif + +- call feedkeys(":abc def\\\\"\", 'tx') +- call assert_equal('"def', @:) ++ set keymap=esperanto ++ call feedkeys(":\"Jxauxdo \Jxauxdo \Jxauxdo\", 'tx') ++ call assert_equal('"Jxauxdo Ä´aÅ­do Jxauxdo', @:) ++ set keymap= + endfunc + + func Test_illegal_address1() +@@ -741,20 +760,20 @@ func Test_cmdline_overstrike() + + " Test overstrike in the middle of the command line. + call feedkeys(":\"01234\\\ab\\cd\", 'xt') +- call assert_equal('"0ab1cd4', @:) ++ call assert_equal('"0ab1cd4', @:, e) + + " Test overstrike going beyond end of command line. + call feedkeys(":\"01234\\\ab\\cdefgh\", 'xt') +- call assert_equal('"0ab1cdefgh', @:) ++ call assert_equal('"0ab1cdefgh', @:, e) + + " Test toggling insert/overstrike a few times. + call feedkeys(":\"01234\\ab\\cd\\ef\", 'xt') +- call assert_equal('"ab0cd3ef4', @:) ++ call assert_equal('"ab0cd3ef4', @:, e) + endfor + + " Test overstrike with multi-byte characters. + call feedkeys(":\"テキストエディタ\\\ab\\cd\", 'xt') +- call assert_equal('"テabã‚­cdエディタ', @:) ++ call assert_equal('"テabã‚­cdエディタ', @:, e) + + let &encoding = encoding_save + endfunc +diff --git a/src/testdir/test_ex_mode.vim b/src/testdir/test_ex_mode.vim +new file mode 100644 +index 0000000..00a35a3 +--- /dev/null ++++ b/src/testdir/test_ex_mode.vim +@@ -0,0 +1,54 @@ ++" Test editing line in Ex mode (see :help Q and :help gQ). ++ ++" Helper function to test editing line in Q Ex mode ++func Ex_Q(cmd) ++ " Is there a simpler way to test editing Ex line? ++ call feedkeys("Q" ++ \ .. "let s:test_ex =<< END\" ++ \ .. a:cmd .. "\" ++ \ .. "END\" ++ \ .. "visual\", 'tx') ++ return s:test_ex[0] ++endfunc ++ ++" Helper function to test editing line in gQ Ex mode ++func Ex_gQ(cmd) ++ call feedkeys("gQ" .. a:cmd .. "\\"\", 'tx') ++ let ret = @:[1:] " Remove leading quote. ++ call feedkeys("visual\", 'tx') ++ return ret ++endfunc ++ ++" Helper function to test editing line with both Q and gQ Ex mode. ++func Ex(cmd) ++ return [Ex_Q(a:cmd), Ex_gQ(a:cmd)] ++endfunc ++ ++" Test editing line in Ex mode (both Q and gQ) ++func Test_ex_mode() ++ let encoding_save = &encoding ++ set sw=2 ++ ++ for e in ['utf8', 'latin1'] ++ exe 'set encoding=' . e ++ ++ call assert_equal(['bar', 'bar'], Ex("foo bar\bar"), e) ++ call assert_equal(["1\2", "1\2"], Ex("1\\2"), e) ++ call assert_equal(["1\2\3", '213'], Ex("1\2\3"), e) ++ call assert_equal(['0123', '2013'], Ex("01\2\3"), e) ++ call assert_equal(['0123', '0213'], Ex("01\2\3"), e) ++ call assert_equal(['01234', '0342'], Ex("012\\\3\4"), e) ++ call assert_equal(["foo bar\", 'foo '], Ex("foo bar\"), e) ++ call assert_equal(['foo', 'foo'], Ex("fooba\\"), e) ++ call assert_equal(["foo\tbar", 'foobar'], Ex("foo\bar"), e) ++ call assert_equal(["abbrev\t", 'abbreviate'], Ex("abbrev\"), e) ++ call assert_equal([' 1', "1\\"], Ex("1\\"), e) ++ call assert_equal([' 1', "1\\"], Ex("1\\\"), e) ++ call assert_equal([' foo', ' foo'], Ex(" foo\"), e) ++ call assert_equal(['foo', ' foo0'], Ex(" foo0\"), e) ++ call assert_equal(['foo', ' foo^'], Ex(" foo^\"), e) ++ endfor ++ ++ set sw& ++ let &encoding = encoding_save ++endfunc +-- +2.27.0 diff --git a/backport-html-text-objects-are-not-fully-tested.patch b/backport-html-text-objects-are-not-fully-tested.patch new file mode 100644 index 0000000..a35afdc --- /dev/null +++ b/backport-html-text-objects-are-not-fully-tested.patch @@ -0,0 +1,164 @@ +From af631f61bc42d0dddafe1bc0c06872cf3aaeb239 Mon Sep 17 00:00:00 2001 +From: Dominique Pelle +Date: Fri, 3 Sep 2021 16:50:16 +0200 +Subject: [PATCH] patch 8.2.3398: html text objects are not fully tested +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Problem: Html text objects are not fully tested. +Solution: Add tests for dbcs encoding and different number of backslashes. +(Dominique Pellé, closes #8831) +--- + src/testdir/test_textobjects.vim | 135 ++++++++++++++++++++------------------- + 1 file changed, 70 insertions(+), 65 deletions(-) + +diff --git a/src/testdir/test_textobjects.vim b/src/testdir/test_textobjects.vim +index 042c534..49fc9c8 100644 +--- a/src/testdir/test_textobjects.vim ++++ b/src/testdir/test_textobjects.vim +@@ -88,71 +88,76 @@ endfunc + + " Tests for string and html text objects + func Test_string_html_objects() +- enew! +- +- let t = '"wo\"rd\\" foo' +- put =t +- normal! da" +- call assert_equal('foo', getline('.')) +- +- let t = "'foo' 'bar' 'piep'" +- put =t +- normal! 0va'a'rx +- call assert_equal("xxxxxxxxxxxx'piep'", getline('.')) +- +- let t = "bla bla `quote` blah" +- put =t +- normal! 02f`da` +- call assert_equal("bla bla blah", getline('.')) +- +- let t = 'out " in "noXno"' +- put =t +- normal! 0fXdi" +- call assert_equal('out " in ""', getline('.')) +- +- let t = "\"'\" 'blah' rep 'buh'" +- put =t +- normal! 03f'vi'ry +- call assert_equal("\"'\" 'blah'yyyyy'buh'", getline('.')) +- +- set quoteescape=+*- +- let t = "bla `s*`d-`+++`l**` b`la" +- put =t +- normal! di` +- call assert_equal("bla `` b`la", getline('.')) +- +- let t = 'voo "nah" sdf " asdf" sdf " sdf" sd' +- put =t +- normal! $F"va"oha"i"rz +- call assert_equal('voo "zzzzzzzzzzzzzzzzzzzzzzzzzzzzsd', getline('.')) +- +- let t = "-asdfXasdfasdf-" +- put =t +- normal! fXdit +- call assert_equal('-asdfasdf-', getline('.')) +- +- let t = "-asdXasdfasdf-" +- put =t +- normal! 0fXdit +- call assert_equal('--', getline('.')) +- +- let t = "-asdfXasdfasdf-" +- put =t +- normal! fXdat +- call assert_equal('-asdfasdf-', getline('.')) +- +- let t = "-asdXasdfasdf-" +- put =t +- normal! 0fXdat +- call assert_equal('--', getline('.')) +- +- let t = "-\ninnertext object\n" +- put =t +- normal! dit +- call assert_equal('-', getline('.')) +- +- set quoteescape& +- enew! ++ for e in ['utf-8', 'latin1', 'cp932'] ++ enew! ++ exe 'set enc=' .. e ++ ++ let t = '"wo\"rd\\" foo' ++ put =t ++ normal! da" ++ call assert_equal('foo', getline('.'), e) ++ ++ let t = "'foo' 'bar' 'piep'" ++ put =t ++ normal! 0va'a'rx ++ call assert_equal("xxxxxxxxxxxx'piep'", getline('.'), e) ++ ++ let t = "bla bla `quote` blah" ++ put =t ++ normal! 02f`da` ++ call assert_equal("bla bla blah", getline('.'), e) ++ ++ let t = 'out " in "noXno"' ++ put =t ++ normal! 0fXdi" ++ call assert_equal('out " in ""', getline('.'), e) ++ ++ let t = "\"'\" 'blah' rep 'buh'" ++ put =t ++ normal! 03f'vi'ry ++ call assert_equal("\"'\" 'blah'yyyyy'buh'", getline('.'), e) ++ ++ set quoteescape=+*- ++ let t = "bla `s*`d-`+++`l**` b`la" ++ put =t ++ normal! di` ++ call assert_equal("bla `` b`la", getline('.'), e) ++ ++ let t = 'voo "nah" sdf " asdf" sdf " sdf" sd' ++ put =t ++ normal! $F"va"oha"i"rz ++ call assert_equal('voo "zzzzzzzzzzzzzzzzzzzzzzzzzzzzsd', getline('.'), e) ++ ++ let t = "-asdfXasdfasdf-" ++ put =t ++ normal! fXdit ++ call assert_equal('-asdfasdf-', getline('.'), e) ++ ++ let t = "-asdXasdfasdf-" ++ put =t ++ normal! 0fXdit ++ call assert_equal('--', getline('.'), e) ++ ++ let t = "-asdfXasdfasdf-" ++ put =t ++ normal! fXdat ++ call assert_equal('-asdfasdf-', getline('.'), e) ++ ++ let t = "-asdXasdfasdf-" ++ put =t ++ normal! 0fXdat ++ call assert_equal('--', getline('.'), e) ++ ++ let t = "-\ninnertext object\n" ++ put =t ++ normal! dit ++ call assert_equal('-', getline('.'), e) ++ ++ set quoteescape& ++ endfor ++ ++ set enc=utf-8 ++ bwipe! + endfunc + + func Test_empty_html_tag() +-- +1.8.3.1 + diff --git a/backport-insufficient-code-coverage-for-ex_docmd.c_functions.patch b/backport-insufficient-code-coverage-for-ex_docmd.c_functions.patch new file mode 100644 index 0000000..ef2b711 --- /dev/null +++ b/backport-insufficient-code-coverage-for-ex_docmd.c_functions.patch @@ -0,0 +1,109 @@ +From 9f6277bdde97b7767ded43a0b5a2023eb601b3b7 Mon Sep 17 00:00:00 2001 +From: Bram Moolenaar +Date: Tue, 11 Feb 2020 22:04:02 +0100 +Subject: [PATCH] patch 8.2.0243: insufficient code coverage for ex_docmd.c + functions + +Problem: Insufficient code coverage for ex_docmd.c functions. +Solution: Add more tests. (Yegappan Lakshmanan, closes #5618) +--- + src/testdir/Make_all.mak | 2 ++ + src/testdir/test_buffer.vim | 66 +++++++++++++++++++++++++++++++++++++++++++++ + 2 files changed, 68 insertions(+) + create mode 100644 src/testdir/test_buffer.vim + +diff --git a/src/testdir/Make_all.mak b/src/testdir/Make_all.mak +index 05e7a2c..e608b92 100644 +--- a/src/testdir/Make_all.mak ++++ b/src/testdir/Make_all.mak +@@ -65,6 +65,7 @@ NEW_TESTS = \ + test_blob \ + test_blockedit \ + test_breakindent \ ++ test_buffer \ + test_bufline \ + test_bufwintabinfo \ + test_cd \ +@@ -307,6 +308,7 @@ NEW_TESTS_RES = \ + test_blob.res \ + test_blockedit.res \ + test_breakindent.res \ ++ test_buffer.res \ + test_bufwintabinfo.res \ + test_cdo.res \ + test_changelist.res \ +diff --git a/src/testdir/test_buffer.vim b/src/testdir/test_buffer.vim +new file mode 100644 +index 0000000..dc35bb4 +--- /dev/null ++++ b/src/testdir/test_buffer.vim +@@ -0,0 +1,66 @@ ++" Tests for Vim buffer ++ ++" Test for the :bunload command with an offset ++func Test_bunload_with_offset() ++ %bwipe! ++ call writefile(['B1'], 'b1') ++ call writefile(['B2'], 'b2') ++ call writefile(['B3'], 'b3') ++ call writefile(['B4'], 'b4') ++ ++ " Load four buffers. Unload the second and third buffers and then ++ " execute .+3bunload to unload the last buffer. ++ edit b1 ++ new b2 ++ new b3 ++ new b4 ++ ++ bunload b2 ++ bunload b3 ++ exe bufwinnr('b1') . 'wincmd w' ++ .+3bunload ++ call assert_equal(0, getbufinfo('b4')[0].loaded) ++ call assert_equal('b1', ++ \ fnamemodify(getbufinfo({'bufloaded' : 1})[0].name, ':t')) ++ ++ " Load four buffers. Unload the third and fourth buffers. Execute .+3bunload ++ " and check whether the second buffer is unloaded. ++ ball ++ bunload b3 ++ bunload b4 ++ exe bufwinnr('b1') . 'wincmd w' ++ .+3bunload ++ call assert_equal(0, getbufinfo('b2')[0].loaded) ++ call assert_equal('b1', ++ \ fnamemodify(getbufinfo({'bufloaded' : 1})[0].name, ':t')) ++ ++ " Load four buffers. Unload the second and third buffers and from the last ++ " buffer execute .-3bunload to unload the first buffer. ++ ball ++ bunload b2 ++ bunload b3 ++ exe bufwinnr('b4') . 'wincmd w' ++ .-3bunload ++ call assert_equal(0, getbufinfo('b1')[0].loaded) ++ call assert_equal('b4', ++ \ fnamemodify(getbufinfo({'bufloaded' : 1})[0].name, ':t')) ++ ++ " Load four buffers. Unload the first and second buffers. Execute .-3bunload ++ " from the last buffer and check whether the third buffer is unloaded. ++ ball ++ bunload b1 ++ bunload b2 ++ exe bufwinnr('b4') . 'wincmd w' ++ .-3bunload ++ call assert_equal(0, getbufinfo('b3')[0].loaded) ++ call assert_equal('b4', ++ \ fnamemodify(getbufinfo({'bufloaded' : 1})[0].name, ':t')) ++ ++ %bwipe! ++ call delete('b1') ++ call delete('b2') ++ call delete('b3') ++ call delete('b4') ++endfunc ++ ++" vim: shiftwidth=2 sts=2 expandtab +-- +1.8.3.1 + diff --git a/backport-spell-test-fails-because-of-new-illegal-byte-check.patch b/backport-spell-test-fails-because-of-new-illegal-byte-check.patch new file mode 100644 index 0000000..36b2731 --- /dev/null +++ b/backport-spell-test-fails-because-of-new-illegal-byte-check.patch @@ -0,0 +1,34 @@ +From fe978c2b6bb9d897d962595a4a51dd7a71dc8e89 Mon Sep 17 00:00:00 2001 +From: Bram Moolenaar +Date: Sun, 8 May 2022 22:43:51 +0100 +Subject: [PATCH] patch 8.2.4921: spell test fails because of new illegal byte + check + +Problem: Spell test fails because of new illegal byte check. +Solution: Remove the test. +--- + src/testdir/test_spell.vim | 8 -------- + 1 file changed, 8 deletions(-) + +diff --git a/src/testdir/test_spell.vim b/src/testdir/test_spell.vim +index 49118a9..437ad5c 100644 +--- a/src/testdir/test_spell.vim ++++ b/src/testdir/test_spell.vim +@@ -552,14 +552,6 @@ func Test_spell_screendump() + call delete('XtestSpell') + endfunc + +-func Test_spell_single_word() +- new +- silent! norm 0R00 +- spell! ß +- silent 0norm 0r$ Dvz= +- bwipe! +-endfunc +- + let g:test_data_aff1 = [ + \"SET ISO8859-1", + \"TRY esianrtolcdugmphbyfvkwjkqxz-\xEB\xE9\xE8\xEA\xEF\xEE\xE4\xE0\xE2\xF6\xFC\xFB'ESIANRTOLCDUGMPHBYFVKWJKQXZ", +-- +1.8.3.1 + diff --git a/vim.spec b/vim.spec index 8d9336c..e42526c 100644 --- a/vim.spec +++ b/vim.spec @@ -12,7 +12,7 @@ Name: vim Epoch: 2 Version: 8.2 -Release: 35 +Release: 36 Summary: Vim is a highly configurable text editor for efficiently creating and changing any kind of text. License: Vim and MIT URL: http://www.vim.org @@ -97,6 +97,15 @@ Patch6060: backport-CVE-2022-0554.patch Patch6061: backport-CVE-2022-0943.patch Patch6062: backport-CVE-2022-1616.patch Patch6063: backport-CVE-2022-1154.patch +Patch6064: backport-html-text-objects-are-not-fully-tested.patch +Patch6065: backport-CVE-2022-1629.patch +Patch6066: backport-insufficient-code-coverage-for-ex_docmd.c_functions.patch +Patch6067: backport-CVE-2022-1620.patch +Patch6068: backport-CVE-2022-1674.patch +Patch6069: backport-CVE-2022-1621.patch +Patch6070: backport-spell-test-fails-because-of-new-illegal-byte-check.patch +Patch6071: backport-command-line-editing-not-sufficiently-tested.patch +Patch6072: backport-CVE-2022-1619.patch Patch9000: bugfix-rm-modify-info-version.patch @@ -485,6 +494,12 @@ popd %{_mandir}/man1/evim.* %changelog +* Sat May 21 2022 shixuantong - 2:8.2-36 +- Type:CVE +- ID:CVE-2022-1629 CVE-2022-1620 CVE-2022-1674 CVE-2022-1621 CVE-2022-1619 +- SUG:NA +- DESC:fix CVE-2022-1629 CVE-2022-1620 CVE-2022-1674 CVE-2022-1621 CVE-2022-1619 + * Mon May 16 2022 shixuantong - 2:8.2-35 - Type:CVE - ID:CVE-2022-1154 -- Gitee