From c2cc83155a9ce0e76319aeff18c375397d72d162 Mon Sep 17 00:00:00 2001
From: rwx403335
Date: Wed, 15 Jun 2022 16:28:57 +0800
Subject: [PATCH] Fix CVE-2022-1886

---
 backport-CVE-2022-1886.patch | 52 ++++++++++
 ...r-a-put-the-mark-is-on-the-last-byte.patch | 94 +++++++++++++++++++
 backport-illegal-memory-access.patch | 41 ++++++++
 vim.spec | 11 ++-
 4 files changed, 197 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2022-1886.patch
 create mode 100644 backport-after-a-put-the-mark-is-on-the-last-byte.patch
 create mode 100644 backport-illegal-memory-access.patch

diff --git a/backport-CVE-2022-1886.patch b/backport-CVE-2022-1886.patch
new file mode 100644
index 0000000..f7800d2
--- /dev/null
+++ b/backport-CVE-2022-1886.patch
@@ -0,0 +1,52 @@
+From 2a585c85013be22f59f184d49612074fd9b115d7 Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar
+Date: Wed, 25 May 2022 15:15:38 +0100
+Subject: [PATCH] patch 8.2.5016: access before start of text with a put
+ command
+
+Problem: Access before start of text with a put command.
+Solution: Check the length is more than zero.
+---
+ src/register.c | 7 +++++--
+ src/testdir/test_put.vim | 9 +++++++++
+ 2 files changed, 14 insertions(+), 2 deletions(-)
+
+diff --git a/src/register.c b/src/register.c
+index 7f77ada..87689f7 100644
+--- a/src/register.c
++++ b/src/register.c
+@@ -2078,9 +2078,12 @@ error:
+ len = STRLEN(y_array[y_size - 1]);
+ col = (colnr_T)len - lendiff;
+ if (col > 1)
+- curbuf->b_op_end.col = col - 1
+- - mb_head_off(y_array[y_size - 1],
++ {
++ curbuf->b_op_end.col = col - 1;
++ if (len > 0)
++ curbuf->b_op_end.col -= mb_head_off(y_array[y_size - 1],
+ y_array[y_size - 1] + len - 1);
++ }
+ else
+ curbuf->b_op_end.col = 0;
+ 
+diff --git a/src/testdir/test_put.vim b/src/testdir/test_put.vim
+index 07f6387..6df04cf 100644
+--- a/src/testdir/test_put.vim
++++ b/src/testdir/test_put.vim
+@@ -143,3 +143,12 @@ func Test_multibyte_op_end_mark()
+ bwipe!
+ endfunc
+ 
++" this was putting a mark before the start of a line
++func Test_put_empty_register()
++ new
++ norm yy
++ norm [Pi00ggv)s0
++ sil! norm [P
++ bwipe!
++endfunc
++
+-- 
+1.8.3.1
+
diff --git a/backport-after-a-put-the-mark-is-on-the-last-byte.patch b/backport-after-a-put-the-mark-is-on-the-last-byte.patch
new file mode 100644
index 0000000..3fb0629
--- /dev/null
+++ b/backport-after-a-put-the-mark-is-on-the-last-byte.patch
@@ -0,0 +1,94 @@
+From 4d07253a485819b3a9fd923d263e722ea2109c12 Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar
+Date: Thu, 25 Nov 2021 19:31:15 +0000
+Subject: [PATCH] patch 8.2.3677: after a put the '] mark is on the last byte
+
+Problem: After a put the '] mark is on the last byte of a multi-byte
+ character.
+Solution: Move it to the first byte. (closes #9047)
+---
+ src/register.c | 18 +++++++++++++++---
+ src/testdir/test_put.vim | 13 +++++++++++++
+ 2 files changed, 28 insertions(+), 3 deletions(-)
+
+diff --git a/src/register.c b/src/register.c
+index d5eb011..49f4079 100644
+--- a/src/register.c
++++ b/src/register.c
+@@ -1479,6 +1479,7 @@ do_put(
+ long cnt;
+ pos_T orig_start = curbuf->b_op_start;
+ pos_T orig_end = curbuf->b_op_end;
++ int first_byte_off = 0;
+ 
+ #ifdef FEAT_CLIPBOARD
+ // Adjust register name for "unnamed" in 'clipboard'.
+@@ -1936,6 +1937,10 @@ do_put(
+ }
+ STRMOVE(ptr, oldp + col);
+ ml_replace(lnum, newp, FALSE);
++
++ // compute the byte offset for the last character
++ first_byte_off = mb_head_off(newp, ptr - 1);
++
+ // Place cursor on last putted char.
+ if (lnum == curwin->w_cursor.lnum)
+ {
+@@ -1951,10 +1956,15 @@ do_put(
+ if (VIsual_active) // reset lnum to the last visual line
+ lnum--;
+ 
++ // put '] at the first byte of the last character
+ curbuf->b_op_end = curwin->w_cursor;
++ curbuf->b_op_end.col -= first_byte_off;
++
+ // For "CTRL-O p" in Insert mode, put cursor after last char
+ if (totlen && (restart_edit != 0 || (flags & PUT_CURSEND)))
+ ++curwin->w_cursor.col;
++ else
++ curwin->w_cursor.col -= first_byte_off;
+ changed_bytes(lnum, col);
+ }
+ else
+@@ -2061,12 +2071,14 @@ error:
+ changed_lines(curbuf->b_op_start.lnum, 0,
+ curbuf->b_op_start.lnum, nr_lines);
+ 
+- // put '] mark at last inserted character
++ // Put the '] mark on the first byte of the last inserted character.
++ // Correct the length for change in indent.
+ curbuf->b_op_end.lnum = lnum;
+- // correct length for change in indent
+ col = (colnr_T)STRLEN(y_array[y_size - 1]) - lendiff;
+ if (col > 1)
+- curbuf->b_op_end.col = col - 1;
++ curbuf->b_op_end.col = col - 1
++ - mb_head_off(y_array[y_size - 1],
++ y_array[y_size - 1] + col - 1);
+ else
+ curbuf->b_op_end.col = 0;
+ 
+diff --git a/src/testdir/test_put.vim b/src/testdir/test_put.vim
+index 42bb7e6..07f6387 100644
+--- a/src/testdir/test_put.vim
++++ b/src/testdir/test_put.vim
+@@ -130,3 +130,16 @@ func Test_very_larg_count()
+ bwipe!
+ endfunc
+ 
++func Test_multibyte_op_end_mark()
++ new
++ call setline(1, 'ั‚ะตัั‚')
++ normal viwdp
++ call assert_equal([0, 1, 7, 0], getpos("'>"))
++ call assert_equal([0, 1, 7, 0], getpos("']"))
++
++ normal Vyp
++ call assert_equal([0, 1, 2147483647, 0], getpos("'>"))
++ call assert_equal([0, 2, 7, 0], getpos("']"))
++ bwipe!
++endfunc
++
+-- 
+1.8.3.1
+
diff --git a/backport-illegal-memory-access.patch b/backport-illegal-memory-access.patch
new file mode 100644
index 0000000..cf1d01e
--- /dev/null
+++ b/backport-illegal-memory-access.patch
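Review bot: `first_byte_off = mb_head_off(newp, ptr - 1);` in the nested `@@ -1936` hunk reads the byte immediately before `ptr`, which is only inside `newp` if at least one byte was written ahead of `ptr`; the guard that establishes this (presumably a `totlen` check, which the later `if (totlen && ...)` line hints at) lies outside the hunk, so it should be confirmed rather than assumed from the `STRMOVE` line above. A one-line comment would make the precondition visible at the read: `// NOTE: relies on at least one byte having been inserted before ptr; confirm the totlen guard above`. The same hunk's `y_array[y_size - 1] + col - 1` offset folds `lendiff` into the pointer, which the next file in this series (backport-illegal-memory-access.patch, 8.2.3678) replaces with `len - 1`, so the two patches only make sense applied together and in that order. The enclosing do_put starts before and ends after this hunk.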
@@ -0,0 +1,41 @@
+From 85be8563fe5aff686e9e30d6afff401ccd976f2a Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar
+Date: Thu, 25 Nov 2021 20:40:11 +0000
+Subject: [PATCH] patch 8.2.3678: illegal memory access
+
+Problem: Illegal memory access.
+Solution: Ignore changed indent when computing byte offset.
+---
+ src/register.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/src/register.c b/src/register.c
+index 49f4079..7f77ada 100644
+--- a/src/register.c
++++ b/src/register.c
+@@ -1969,6 +1969,7 @@ do_put(
+ }
+ else
+ {
++ size_t len;
+ // Insert at least one line. When y_type is MCHAR, break the first
+ // line in two.
+ for (cnt = 1; cnt <= count; ++cnt)
+@@ -2074,11 +2075,12 @@ error:
+ // Put the '] mark on the first byte of the last inserted character.
+ // Correct the length for change in indent.
+ curbuf->b_op_end.lnum = lnum;
+- col = (colnr_T)STRLEN(y_array[y_size - 1]) - lendiff;
++ len = STRLEN(y_array[y_size - 1]);
++ col = (colnr_T)len - lendiff;
+ if (col > 1)
+ curbuf->b_op_end.col = col - 1
+ - mb_head_off(y_array[y_size - 1],
+- y_array[y_size - 1] + col - 1);
++ y_array[y_size - 1] + len - 1);
+ else
+ curbuf->b_op_end.col = 0;
+ 
+-- 
+1.8.3.1
+
diff --git a/vim.spec b/vim.spec
index 6676310..522fc81 100644
--- a/vim.spec
+++ b/vim.spec
@@ -12,7 +12,7 @@ Name: vim
 Epoch: 2
 Version: 8.2
-Release: 39
+Release: 40
 Summary: Vim is a highly configurable text editor for efficiently creating and changing any kind of text.
 License: Vim and MIT
 URL: http://www.vim.org
@@ -113,6 +113,9 @@ Patch6076: backport-CVE-2022-1785.patch
 Patch6077: backport-CVE-2022-1851.patch
 Patch6078: backport-semicolon-search-dose-not-work-in-first-line.patch
 Patch6079: backport-CVE-2022-1927.patch
+Patch6080: backport-after-a-put-the-mark-is-on-the-last-byte.patch
+Patch6081: backport-illegal-memory-access.patch
+Patch6082: backport-CVE-2022-1886.patch
 Patch9000: bugfix-rm-modify-info-version.patch
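Review bot: The three new `Patch6080`–`Patch6082` lines in the `@@ -113,6 +113,9 @@` hunk of vim.spec carry an ordering dependency that the spec does not state: the nested `index` lines chain `d5eb011..49f4079` (Patch6080) → `49f4079..7f77ada` (Patch6081) → `7f77ada..87689f7` (Patch6082), and the `len` variable that the CVE-2022-1886 fix guards with `if (len > 0)` is only declared by Patch6081, so the CVE patch does not apply on its own or in a different order. A comment above the first of the three would keep a future rebase from dropping or reordering the two non-CVE prerequisites, e.g. `# 8.2.3677 and 8.2.3678 are prerequisites of the CVE-2022-1886 fix (8.2.5016); keep this order`. The changelog entry in the later hunk names only CVE-2022-1886, so the spec comment is the only place the dependency would be recorded.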
@@ -501,6 +504,12 @@ popd
 %{_mandir}/man1/evim.*
 %changelog
+* Wed Jun 15 2022 renhongxun - 2:8.2-40
+- Type:CVE
+- ID:CVE-2022-1886
+- SUG:NA
+- DESC:fix CVE-2022-1886
+
 * Tue Jun 14 2022 renhongxun - 2:8.2-39
 - Type:CVE
 - ID:CVE-2022-1927
-- Gitee