From 143e89aefc38dd8657817f4336429ee768364325 Mon Sep 17 00:00:00 2001
From: wangjiang
Date: Mon, 11 Jul 2022 16:00:24 +0800
Subject: [PATCH] fix CVE-2022-2210
---
 backport-CVE-2022-2210.patch | 67 ++++++++++++++++++++++++++++++++++++
 vim.spec | 9 ++++-
 2 files changed, 75 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2022-2210.patch
diff --git a/backport-CVE-2022-2210.patch b/backport-CVE-2022-2210.patch
new file mode 100644
index 0000000..b75d736
--- /dev/null
+++ b/backport-CVE-2022-2210.patch
@@ -0,0 +1,67 @@
+From c101abff4c6756db4f5e740fde289decb9452efa Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar
+Date: Sun, 26 Jun 2022 16:53:34 +0100
+Subject: [PATCH] patch 8.2.5164: invalid memory access after diff buffer
+ manipulations
+
+Problem: Invalid memory access after diff buffer manipulations.
+Solution: Use zero offset when change removes all lines in a diff block.
+---
+ src/diff.c | 4 ++--
+ src/testdir/test_diffmode.vim | 12 ++++++++++++
+ 2 files changed, 14 insertions(+), 2 deletions(-)
+
+diff --git a/src/diff.c b/src/diff.c
+index eddf33165628..91e5ae2f2f68 100644
+--- a/src/diff.c
++++ b/src/diff.c
+@@ -391,9 +391,9 @@ diff_mark_adjust_tp(
+ // 2. 3. 4. 5.: inserted/deleted lines touching this diff.
+ if (deleted > 0)
+ {
++ off = 0;
+ if (dp->df_lnum[idx] >= line1)
+ {
+- off = dp->df_lnum[idx] - lnum_deleted;
+ if (last <= line2)
+ {
+ // 4. delete all lines of diff
+@@ -414,6 +414,7 @@ diff_mark_adjust_tp(
+ else
+ {
+ // 5. delete lines at or just before top of diff
++ off = dp->df_lnum[idx] - lnum_deleted;
+ n = off;
+ dp->df_count[idx] -= line2 - dp->df_lnum[idx] + 1;
+ check_unchanged = TRUE;
+@@ -422,7 +423,6 @@ diff_mark_adjust_tp(
+ }
+ else
+ {
+- off = 0;
+ if (last < line2)
+ {
+ // 2. delete at end of diff
+diff --git a/src/testdir/test_diffmode.vim b/src/testdir/test_diffmode.vim
+index afa8f891be55..4c7aff5ccb6e 100644
+--- a/src/testdir/test_diffmode.vim
++++ b/src/testdir/test_diffmode.vim
+@@ -1021,3 +1021,15 @@ func Test_diff_only()
+ set nodiff
+ %bwipe!
+ endfunc
++
++" This was causing invalid diff block values
++" FIXME: somehow this causes a valgrind error when run directly but not when
++" run as a test.
++func Test_diff_manipulations()
++ set diff
++ split 0
++ sil! norm R doobdeuR doobdeuR doobdeu
++
++ set nodiff
++ %bwipe!
++endfunc
+--
+2.33.0
+
diff --git a/vim.spec b/vim.spec
index ea99187..8d3843b 100644
--- a/vim.spec
+++ b/vim.spec
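Review bot: The backported regression test, `Test_diff_manipulations` in the src/testdir/test_diffmode.vim part of this new patch file, is not shown to fail without the fix: its own FIXME says the valgrind error appears only when the commands are run directly, not when run as a test. For a CVE backport it is worth confirming the diff.c change separately, by running the test's commands directly under valgrind or an AddressSanitizer build of this 8.2 tree with and without Patch6106. The `norm` argument also looks as if it lost control characters in rendering (inferred from the odd spacing), so check that the committed patch file keeps those bytes intact. In diff.c the reason for the new default is not recorded; as far as the hunks show, a comment such as `// off stays 0 unless lines are deleted at the top of the diff (case 5)` above `off = 0;` would help, though diff_mark_adjust_tp starts and ends outside the hunks.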
@@ -12,7 +12,7 @@ Name: vim Epoch: 2 Version: 8.2 -Release: 49 +Release: 50 Summary: Vim is a highly configurable text editor for efficiently creating and changing any kind of text. License: Vim and MIT URL: http://www.vim.org @@ -139,6 +139,7 @@ Patch6102: backport-cannot-list-options-one-per-line.patch Patch6103: backport-CVE-2022-2207.patch Patch6104: backport-CVE-2022-2208.patch Patch6105: backport-test-for-DiffUpdated-fails.patch +Patch6106: backport-CVE-2022-2210.patch Patch9000: bugfix-rm-modify-info-version.patch @@ -527,6 +528,12 @@ popd %{_mandir}/man1/evim.* %changelog +* Mon Jul 11 2022 wangjiang - 2:8.2-50 +- Type:CVE +- ID:CVE-2022-2210 +- SUG:NA +- DESC:fix CVE-2022-2210 + * Fri Jul 08 2022 tianwei - 2:8.2-49 - Type:CVE - ID:CVE-2022-2207 CVE-2022-2208 -- Gitee