From 9bb8309703653e414d82c02355fc6128a48a21be Mon Sep 17 00:00:00 2001
From: wangjiang
Date: Mon, 11 Jul 2022 17:36:38 +0800
Subject: [PATCH] fix CVE-2022-2210
---
backport-CVE-2022-2210.patch | 67 ++++++++++++++++++++++++++++++++++++
vim.spec | 9 ++++-
2 files changed, 75 insertions(+), 1 deletion(-)
create mode 100644 backport-CVE-2022-2210.patch
diff --git a/backport-CVE-2022-2210.patch b/backport-CVE-2022-2210.patch
new file mode 100644
index 0000000..3ec2772
--- /dev/null
+++ b/backport-CVE-2022-2210.patch
@@ -0,0 +1,67 @@
+From c101abff4c6756db4f5e740fde289decb9452efa Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar
+Date: Sun, 26 Jun 2022 16:53:34 +0100
+Subject: [PATCH] patch 8.2.5164: invalid memory access after diff buffer
+ manipulations
+
+Problem: Invalid memory access after diff buffer manipulations.
+Solution: Use zero offset when change removes all lines in a diff block.
+---
+ src/diff.c | 4 ++--
+ src/testdir/test_diffmode.vim | 12 ++++++++++++
+ 2 files changed, 14 insertions(+), 2 deletions(-)
+
+diff --git a/src/diff.c b/src/diff.c
+index eddf33165628..91e5ae2f2f68 100644
+--- a/src/diff.c
++++ b/src/diff.c
+@@ -391,9 +391,9 @@ diff_mark_adjust_tp(
+ // 2. 3. 4. 5.: inserted/deleted lines touching this diff.
+ if (deleted > 0)
+ {
++ off = 0;
+ if (dp->df_lnum[idx] >= line1)
+ {
+- off = dp->df_lnum[idx] - lnum_deleted;
+ if (last <= line2)
+ {
+ // 4. delete all lines of diff
+@@ -414,6 +414,7 @@ diff_mark_adjust_tp(
+ else
+ {
+ // 5. delete lines at or just before top of diff
++ off = dp->df_lnum[idx] - lnum_deleted;
+ n = off;
+ dp->df_count[idx] -= line2 - dp->df_lnum[idx] + 1;
+ check_unchanged = TRUE;
+@@ -422,7 +423,6 @@ diff_mark_adjust_tp(
+ }
+ else
+ {
+- off = 0;
+ if (last < line2)
+ {
+ // 2. delete at end of diff
+diff --git a/src/testdir/test_diffmode.vim b/src/testdir/test_diffmode.vim
+index afa8f891be55..4c7aff5ccb6e 100644
+--- a/src/testdir/test_diffmode.vim
++++ b/src/testdir/test_diffmode.vim
+@@ -840,3 +840,15 @@ func Test_diff_only()
+ set nodiff
+ %bwipe!
+ endfunc
++
++" This was causing invalid diff block values
++" FIXME: somehow this causes a valgrind error when run directly but not when
++" run as a test.
++func Test_diff_manipulations()
++ set diff
++ split 0
++ sil! norm R doobdeuR doobdeuR doobdeu
++
++ set nodiff
++ %bwipe!
++endfunc
+--
+2.33.0
+
diff --git a/vim.spec b/vim.spec
index 6e22a26..426e073 100644
--- a/vim.spec
+++ b/vim.spec
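Review bot: The regression test this backport carries, `Test_diff_manipulations`, is not a dependable gate for the fix, because its own FIXME says the valgrind error shows up when the commands are run directly but not when they run as a test. A passing `make -j1 test` from vim.spec therefore does not demonstrate that the invalid access in `diff_mark_adjust_tp` is gone in this build; the patched binary should be checked once under valgrind or an AddressSanitizer build with the test's commands run directly. In the src/diff.c hunks the hoisted `off = 0;` is what keeps case 4 at a zero offset, and only the patch description says so; if the backport is ever rebased by hand, a comment such as `// zero offset unless a case below sets one` beside it would guard against moving the assignment back. The function starts and ends outside these hunks, so how `off` is used after the branches is not visible here.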
@@ -11,7 +11,7 @@ Name: vim Epoch: 2 Version: 8.2 -Release: 42 +Release: 43 Summary: Vim is a highly configurable text editor for efficiently creating and changing any kind of text. License: Vim and MIT URL: http://www.vim.org @@ -134,6 +134,7 @@ Patch6100: backport-CVE-2022-2285.patch Patch6101: backport-CVE-2022-2304.patch Patch6102: backport-CVE-2022-2344.patch Patch6103: backport-CVE-2022-2345.patch +Patch6104: backport-CVE-2022-2210.patch Patch9000: bugfix-rm-modify-info-version.patch Patch9001: remove-failed-tests-due-to-patch.patch @@ -536,6 +537,12 @@ LC_ALL=en_US.UTF-8 make -j1 test %{_mandir}/man1/evim.* %changelog +* Mon Jul 11 2022 wangjiang - 2:8.2-43 +- Type:CVE +- ID:CVE-2022-2210 +- SUG:NA +- DESC:fix CVE-2022-2210 + * Mon Jul 11 2022 shixuantong - 2:8.2-42 - Type:CVE - ID:CVE-2022-2000 CVE-2022-2042 CVE-2022-2284 CVE-2022-2285 CVE-2022-2304 CVE-2022-2344 CVE-2022-2345 -- Gitee