diff --git a/backport-CVE-2022-1733.patch b/backport-CVE-2022-1733.patch
new file mode 100644
index 0000000000000000000000000000000000000000..499cdbf1c807d157f7bde843a3370e21c6c9d92c
--- /dev/null
+++ b/backport-CVE-2022-1733.patch
@@ -0,0 +1,44 @@
+From 60ae0e71490c97f2871a6344aca61cacf220f813 Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar
+Date: Mon, 16 May 2022 18:06:15 +0100
+Subject: [PATCH] patch 8.2.4968: reading past end of the line when C-indenting
+
+Problem: Reading past end of the line when C-indenting.
+Solution: Check for NUL.
+---
+ src/cindent.c | 2 +-
+ src/testdir/test_cindent.vim | 7 +++++++
+ 2 files changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/src/cindent.c b/src/cindent.c
+index 28d1558..1b2763f 100644
+--- a/src/cindent.c
++++ b/src/cindent.c
+@@ -91,7 +91,7 @@ skip_string(char_u *p)
+ while (vim_isdigit(p[i - 1])) // '\000'
+ ++i;
+ }
+- if (p[i] == '\'') // check for trailing '
++ if (p[i - 1] != NUL && p[i] == '\'') // check for trailing '
+ {
+ p += i;
+ continue;
+diff --git a/src/testdir/test_cindent.vim b/src/testdir/test_cindent.vim
+index 2a87460..3b2200a 100644
+--- a/src/testdir/test_cindent.vim
++++ b/src/testdir/test_cindent.vim
+@@ -5263,4 +5263,11 @@ func Test_find_brace_backwards()
+ endfunc
+
+
++" This was reading past the end of the line
++func Test_cindent_check_funcdecl()
++ new
++ sil norm o0('\0=L
++ bwipe!
++endfunc
++
+ " vim: shiftwidth=2 sts=2 expandtab
+--
+1.8.3.1
+
diff --git a/backport-CVE-2022-1735.patch b/backport-CVE-2022-1735.patch
new file mode 100644
index 0000000000000000000000000000000000000000..007f18ebfb6e04c0db52de61dda8023a876debda
--- /dev/null
+++ b/backport-CVE-2022-1735.patch
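Review bot: `Test_cindent_check_funcdecl` in the added test hunk contains no assertion, so it fails only if the editor crashes, and a one-byte read past the NUL in `skip_string` usually does not crash an ordinary build. The test therefore confirms the backport only when the suite runs under a memory checker such as ASan or valgrind; the same holds for `Test_visual_block_with_substitute` in backport-CVE-2022-1735.patch. Both patches are carried verbatim from upstream, so I would leave the tests as they are and record the limitation next to the Patch entries in the spec, e.g. `# tests in 6071/6072 only detect the over-read in a sanitizer build`.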
@@ -0,0 +1,122 @@
+From 7ce5b2b590256ce53d6af28c1d203fb3bc1d2d97 Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar
+Date: Mon, 16 May 2022 19:40:59 +0100
+Subject: [PATCH] patch 8.2.4969: changing text in Visual mode may cause
+ invalid memory access
+
+Problem: Changing text in Visual mode may cause invalid memory access.
+Solution: Check the Visual position after making a change.
+---
+ src/change.c | 3 +++
+ src/edit.c | 12 ++----------
+ src/misc2.c | 25 +++++++++++++++++++++++++
+ src/proto/misc2.pro | 1 +
+ src/testdir/test_visual.vim | 10 ++++++++++
+ 5 files changed, 41 insertions(+), 10 deletions(-)
+
+diff --git a/src/change.c b/src/change.c
+index f2dfc93..a5ebbdf 100644
+--- a/src/change.c
++++ b/src/change.c
+@@ -523,6 +523,9 @@ changed_common(
+ #endif
+ }
+
++ if (VIsual_active)
++ check_visual_pos();
++
+ FOR_ALL_TAB_WINDOWS(tp, wp)
+ {
+ if (wp->w_buffer == curbuf)
+diff --git a/src/edit.c b/src/edit.c
+index f77cc05..0dd6b93 100644
+--- a/src/edit.c
++++ b/src/edit.c
+@@ -3101,16 +3101,8 @@ stop_insert(
+
+ // may have started Visual mode, adjust the position for
+ // deleted characters.
+- if (VIsual_active && VIsual.lnum == curwin->w_cursor.lnum)
+- {
+- int len = (int)STRLEN(ml_get_curline());
+-
+- if (VIsual.col > len)
+- {
+- VIsual.col = len;
+- VIsual.coladd = 0;
+- }
+- }
++ if (VIsual_active)
++ check_visual_pos();
+ }
+ }
+ did_ai = FALSE;
+diff --git a/src/misc2.c b/src/misc2.c
+index 80731f0..51244da 100644
+--- a/src/misc2.c
++++ b/src/misc2.c
+@@ -618,6 +618,31 @@ check_cursor(void)
+ check_cursor_col();
+ }
+
++/*
++ * Check if VIsual position is valid, correct it if not.
++ * Can be called when in Visual mode and a change has been made.
++ */ ++ void ++check_visual_pos(void) ++{ ++ if (VIsual.lnum > curbuf->b_ml.ml_line_count) ++ { ++ VIsual.lnum = curbuf->b_ml.ml_line_count; ++ VIsual.col = 0; ++ VIsual.coladd = 0; ++ } ++ else ++ { ++ int len = (int)STRLEN(ml_get(VIsual.lnum)); ++ ++ if (VIsual.col > len) ++ { ++ VIsual.col = len; ++ VIsual.coladd = 0; ++ } ++ } ++} ++ + #if defined(FEAT_TEXTOBJ) || defined(PROTO) + /* + * Make sure curwin->w_cursor is not on the NUL at the end of the line. +diff --git a/src/proto/misc2.pro b/src/proto/misc2.pro +index a52b462..6e6e22d 100644 +--- a/src/proto/misc2.pro ++++ b/src/proto/misc2.pro +@@ -17,6 +17,7 @@ void check_cursor_lnum(void); + void check_cursor_col(void); + void check_cursor_col_win(win_T *win); + void check_cursor(void); ++void check_visual_pos(void); + void adjust_cursor_col(void); + int leftcol_changed(void); + void vim_mem_profile_dump(void); +diff --git a/src/testdir/test_visual.vim b/src/testdir/test_visual.vim +index 4f8f056..d21f8f1 100644 +--- a/src/testdir/test_visual.vim ++++ b/src/testdir/test_visual.vim +@@ -956,3 +956,13 @@ func Test_visual_block_insert_round_off() + bwipe! + endfunc + ++func Test_visual_block_with_substitute() ++ " this was reading beyond the end of the line ++ new ++ norm a0) ++ sil! norm  O ++ s/) ++ sil! norm  ++ bwipe! ++endfunc ++ +-- +1.8.3.1 + diff --git a/vim.spec b/vim.spec index 31e401d087104a6ee56620ff5753613c6624328f..4bf233af1ffff89c4d35b167544533aa6a3ca76e 100644 --- a/vim.spec +++ b/vim.spec @@ -12,7 +12,7 @@ Name: vim Epoch: 2 Version: 8.2 -Release: 34 +Release: 35 Summary: Vim is a highly configurable text editor for efficiently creating and changing any kind of text. License: Vim and MIT URL: http://www.vim.org 
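Review bot: `check_visual_pos()` in the src/misc2.c hunk does not test `VIsual_active` itself and bounds `VIsual.lnum` only from above, against `curbuf->b_ml.ml_line_count`. It relies on both call sites (`changed_common` and `stop_insert`) guarding the call, and on `VIsual` being a position in the current buffer. The header comment should state that precondition so a later caller does not skip the guard, for example `* Caller must check VIsual_active; VIsual is taken to be a position in curbuf.` Compared with the code removed from `stop_insert`, the clamp now also runs when `VIsual.lnum` differs from the cursor line; that looks intended from the commit message but is worth confirming on the packaged 8.2 base.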
@@ -104,6 +104,8 @@ Patch6067: backport-CVE-2022-1621.patch Patch6068: backport-spell-test-fails-because-of-new-illegal-byte-check.patch Patch6069: backport-command-line-editing-not-sufficiently-tested.patch Patch6070: backport-CVE-2022-1619.patch +Patch6071: backport-CVE-2022-1733.patch +Patch6072: backport-CVE-2022-1735.patch Patch9000: bugfix-rm-modify-info-version.patch @@ -492,6 +494,12 @@ popd %{_mandir}/man1/evim.* %changelog +* Tue May 31 2022 shixuantong - 2:8.2-35 +- Type:CVE +- ID:CVE-2022-1733 CVE-2022-1735 +- SUG:NA +- DESC:fix CVE-2022-1733 CVE-2022-1735 + * Sat May 21 2022 shixuantong - 2:8.2-34 - Type:CVE - ID:CVE-2022-1629 CVE-2022-1620 CVE-2022-1674 CVE-2022-1621 CVE-2022-1619
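Review bot: The `@@ -104,6 +104,8 @@` hunk only declares `Patch6071` and `Patch6072`; whether they are applied is decided in the %prep section, which this diff does not show. If %prep uses `%autosetup` or `%autopatch`, nothing more is needed. If patches are applied by number, the lines `%patch6071 -p1` and `%patch6072 -p1` are missing, and Release 35 would list CVE-2022-1733 and CVE-2022-1735 in the changelog without containing the fixes. A build log showing both patches applied would settle it.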