diff --git a/backport-CVE-2022-2257.patch b/backport-CVE-2022-2257.patch new file mode 100644 index 0000000000000000000000000000000000000000..5427c392bcac54e1aa6f4734fd64d2e1e6ce7067 --- /dev/null +++ b/backport-CVE-2022-2257.patch @@ -0,0 +1,53 @@ +From 083692d598139228e101b8c521aaef7bcf256e9a Mon Sep 17 00:00:00 2001 +From: Bram Moolenaar +Date: Wed, 29 Jun 2022 21:16:58 +0100 +Subject: [PATCH] patch 9.0.0009: going past the end of a menu item with only + modifier + +Problem: Going past the end of a menu item with only modifier. +Solution: Check for NUL. +--- + src/message.c | 4 ++-- + src/testdir/test_menu.vim | 13 +++++++++++++ + 2 files changed, 15 insertions(+), 2 deletions(-) + +diff --git a/src/message.c b/src/message.c +index 02380e9..becb280 100644 +--- a/src/message.c ++++ b/src/message.c +@@ -1820,8 +1820,8 @@ str2special( + *sp = str + 1; + } + else +- // single-byte character or illegal byte +- *sp = str + 1; ++ // single-byte character, NUL or illegal byte ++ *sp = str + (*str == NUL ? 0 : 1); + + // Make special keys and C0 control characters in <> form, also . + // Use only for lhs of a mapping. +diff --git a/src/testdir/test_menu.vim b/src/testdir/test_menu.vim +index c867162..df717cc 100644 +--- a/src/testdir/test_menu.vim ++++ b/src/testdir/test_menu.vim +@@ -528,4 +528,17 @@ func Test_tmenu() + tunmenu Test + endfunc + ++func Test_only_modifier() ++ exe "tmenu a.b \x80\xfc0" ++ let exp =<< trim [TEXT] ++ --- Menus --- ++ 500 a ++ 500 b ++ t - ++ [TEXT] ++ call assert_equal(exp, split(execute('tmenu'), "\n")) ++ ++ tunmenu a.b ++endfunc ++ + " vim: shiftwidth=2 sts=2 expandtab +-- +1.8.3.1 + diff --git a/backport-CVE-2022-2264.patch b/backport-CVE-2022-2264.patch new file mode 100644 index 0000000000000000000000000000000000000000..4803c92cd15aa1873eeedfc81d0e5cb0768c105d --- /dev/null +++ b/backport-CVE-2022-2264.patch @@ -0,0 +1,51 @@ +From d25f003342aca9889067f2e839963dfeccf1fe05 Mon Sep 17 00:00:00 2001 +From: Bram Moolenaar +Date: Thu, 30 Jun 2022 12:30:19 +0100 +Subject: [PATCH] patch 9.0.0011: reading beyond the end of the line with put + command + +Problem: Reading beyond the end of the line with put command. +Solution: Adjust the end mark position. +--- + src/register.c | 2 ++ + src/testdir/test_put.vim | 12 ++++++++++++ + 2 files changed, 14 insertions(+) + +diff --git a/src/register.c b/src/register.c +index 93860ba..30e2001 100644 +--- a/src/register.c ++++ b/src/register.c +@@ -1918,6 +1918,8 @@ do_put( + vim_memset(ptr, ' ', (size_t)spaces); + ptr += spaces; + } ++ else ++ totlen -= spaces; // didn't use these spaces + } + + // may insert some spaces after the new text +diff --git a/src/testdir/test_put.vim b/src/testdir/test_put.vim +index aa5aa2b..66438bd 100644 +--- a/src/testdir/test_put.vim ++++ b/src/testdir/test_put.vim +@@ -219,5 +219,17 @@ func Test_put_empty_register() + bwipe! + endfunc + ++" this was putting the end mark after the end of the line ++func Test_put_visual_mode() ++ edit! SomeNewBuffer ++ set selection=exclusive ++ exe "norm o\t" ++ m0 ++ sil! norm  p p ++ ++ bwipe! ++ set selection& ++endfunc ++ + + " vim: shiftwidth=2 sts=2 expandtab +-- +1.8.3.1 + diff --git a/backport-CVE-2022-2284.patch b/backport-CVE-2022-2284.patch new file mode 100644 index 0000000000000000000000000000000000000000..8065da92befd9afa521ca7e74a1e5d5841d3cc89 --- /dev/null +++ b/backport-CVE-2022-2284.patch @@ -0,0 +1,51 @@ +From 3d51ce18ab1be4f9f6061568a4e7fabf00b21794 Mon Sep 17 00:00:00 2001 +From: Bram Moolenaar +Date: Fri, 1 Jul 2022 15:26:15 +0100 +Subject: [PATCH] patch 9.0.0017: accessing memory beyond the end of the + line + +Problem: Accessing memory beyond the end of the line. +Solution: Stop Visual mode when closing a window. +--- + src/testdir/test_visual.vim | 12 ++++++++++++ + src/window.c | 2 ++ + 2 files changed, 14 insertions(+) + +diff --git a/src/testdir/test_visual.vim b/src/testdir/test_visual.vim +index c323062..e965266 100644 +--- a/src/testdir/test_visual.vim ++++ b/src/testdir/test_visual.vim +@@ -1469,5 +1469,17 @@ func Test_visual_paste_clipboard() + bwipe! + endfunc + ++func Test_visual_area_adjusted_when_hiding() ++ " The Visual area ended after the end of the line after :hide ++ call setline(1, 'xxx') ++ vsplit Xfile ++ call setline(1, 'xxxxxxxx') ++ norm! $o ++ hid ++ norm! zW ++ bwipe! ++ bwipe! ++endfunc ++ + + " vim: shiftwidth=2 sts=2 expandtab +diff --git a/src/window.c b/src/window.c +index 992593b..c91ebbc 100644 +--- a/src/window.c ++++ b/src/window.c +@@ -2594,6 +2594,8 @@ win_close(win_T *win, int free_buf) + */ + if (wp->w_buffer != curbuf) + { ++ reset_VIsual_and_resel(); // stop Visual mode ++ + other_buffer = TRUE; + win->w_closing = TRUE; + apply_autocmds(EVENT_BUFLEAVE, NULL, NULL, FALSE, curbuf); +-- +1.8.3.1 + diff --git a/backport-CVE-2022-2285.patch b/backport-CVE-2022-2285.patch new file mode 100644 index 0000000000000000000000000000000000000000..88c8d20aa9d9d4a8d6697315a99c08a00bd5036e --- /dev/null +++ b/backport-CVE-2022-2285.patch @@ -0,0 +1,46 @@ +From 27efc62f5d86afcb2ecb7565587fe8dea4b036fe Mon Sep 17 00:00:00 2001 +From: Bram Moolenaar +Date: Fri, 1 Jul 2022 16:35:45 +0100 +Subject: [PATCH] patch 9.0.0018: going over the end of the typahead + +Problem: Going over the end of the typahead. +Solution: Put a NUL after the typeahead. +--- + src/term.c | 1 + + src/testdir/test_mapping.vim | 10 ++++++++++ + 2 files changed, 11 insertions(+) + +diff --git a/src/term.c b/src/term.c +index 754ef82..7d7b84b 100644 +--- a/src/term.c ++++ b/src/term.c +@@ -5393,6 +5393,7 @@ check_termcode( + if (*tp == ESC && !p_ek && (State & MODE_INSERT)) + continue; + ++ tp[len] = NUL; + key_name[0] = NUL; // no key name found yet + key_name[1] = NUL; // no key name found yet + modifiers = 0; // no modifiers yet +diff --git a/src/testdir/test_mapping.vim b/src/testdir/test_mapping.vim +index ace6453..2927ba7 100644 +--- a/src/testdir/test_mapping.vim ++++ b/src/testdir/test_mapping.vim +@@ -1715,4 +1715,14 @@ func Test_map_after_timed_out_nop() + call delete('Xtest_map_after_timed_out_nop') + endfunc + ++func Test_using_past_typeahead() ++ nnoremap :00 0 ++ exe "norm :set \x80\xfb0=0\" ++ exe "sil norm :0\x0f\\" ++ ++ exe "norm :set \x80\xfb0=\" ++ nunmap :00 ++endfunc ++ ++ + " vim: shiftwidth=2 sts=2 expandtab +-- +1.8.3.1 + diff --git a/backport-CVE-2022-2286.patch b/backport-CVE-2022-2286.patch new file mode 100644 index 0000000000000000000000000000000000000000..80b6e768c6c7cba332ba89ee06edbc106cf7d6ac --- /dev/null +++ b/backport-CVE-2022-2286.patch @@ -0,0 +1,61 @@ +From f12129f1714f7d2301935bb21d896609bdac221c Mon Sep 17 00:00:00 2001 +From: Bram Moolenaar +Date: Fri, 1 Jul 2022 19:58:30 +0100 +Subject: [PATCH] patch 9.0.0020: with some completion reading past end of + string + +Problem: With some completion reading past end of string. +Solution: Check the length of the string. +--- + src/insexpand.c | 14 ++++++++++++-- + src/testdir/test_ins_complete.vim | 8 ++++++++ + 2 files changed, 20 insertions(+), 2 deletions(-) + +diff --git a/src/insexpand.c b/src/insexpand.c +index 4a5feac..734550f 100644 +--- a/src/insexpand.c ++++ b/src/insexpand.c +@@ -2209,11 +2209,21 @@ ins_compl_stop(int c, int prev_mode, int retval) + // but only do this, if the Popup is still visible + if (c == Ctrl_E) + { ++ char_u *p = NULL; ++ + ins_compl_delete(); + if (compl_leader != NULL) +- ins_bytes(compl_leader + get_compl_len()); ++ p = compl_leader; + else if (compl_first_match != NULL) +- ins_bytes(compl_orig_text + get_compl_len()); ++ p = compl_orig_text; ++ if (p != NULL) ++ { ++ int compl_len = get_compl_len(); ++ int len = (int)STRLEN(p); ++ ++ if (len > compl_len) ++ ins_bytes_len(p + compl_len, len - compl_len); ++ } + retval = TRUE; + } + +diff --git a/src/testdir/test_ins_complete.vim b/src/testdir/test_ins_complete.vim +index 365c646..20c2b4f 100644 +--- a/src/testdir/test_ins_complete.vim ++++ b/src/testdir/test_ins_complete.vim +@@ -2184,4 +2184,12 @@ func Test_complete_smartindent() + delfunction! FooBarComplete + endfunc + ++func Test_complete_overrun() ++ " this was going past the end of the copied text ++ new ++ sil norm si”0s0  ++ bwipe! ++endfunc ++ ++ + " vim: shiftwidth=2 sts=2 expandtab +-- +1.8.3.1 + diff --git a/backport-CVE-2022-2287.patch b/backport-CVE-2022-2287.patch new file mode 100644 index 0000000000000000000000000000000000000000..68866dd6f895bff23d97e55c4e5495ad6937eb4e --- /dev/null +++ b/backport-CVE-2022-2287.patch @@ -0,0 +1,90 @@ +From 5e59ea54c0c37c2f84770f068d95280069828774 Mon Sep 17 00:00:00 2001 +From: Bram Moolenaar +Date: Fri, 1 Jul 2022 22:26:20 +0100 +Subject: [PATCH] patch 9.0.0021: invalid memory access when adding word to + spell word list + +Problem: Invalid memory access when adding word with a control character to + the internal spell word list. +Solution: Disallow adding a word with control characters or a trailing + slash. +--- + src/spellfile.c | 21 +++++++++++++++++++-- + src/testdir/test_spell.vim | 15 +++++++++++++++ + 2 files changed, 34 insertions(+), 2 deletions(-) + +diff --git a/src/spellfile.c b/src/spellfile.c +index f0d6d96..4a0de52 100644 +--- a/src/spellfile.c ++++ b/src/spellfile.c +@@ -4367,6 +4367,23 @@ wordtree_alloc(spellinfo_T *spin) + } + + /* ++ * Return TRUE if "word" contains valid word characters. ++ * Control characters and trailing '/' are invalid. Space is OK. ++ */ ++ static int ++valid_spell_word(char_u *word) ++{ ++ char_u *p; ++ ++ if (enc_utf8 && !utf_valid_string(word, NULL)) ++ return FALSE; ++ for (p = word; *p != NUL; p += mb_ptr2len(p)) ++ if (*p < ' ' || (p[0] == '/' && p[1] == NUL)) ++ return FALSE; ++ return TRUE; ++} ++ ++/* + * Store a word in the tree(s). + * Always store it in the case-folded tree. For a keep-case word this is + * useful when the word can also be used with all caps (no WF_FIXCAP flag) and +@@ -4391,7 +4408,7 @@ store_word( + char_u *p; + + // Avoid adding illegal bytes to the word tree. +- if (enc_utf8 && !utf_valid_string(word, NULL)) ++ if (!valid_spell_word(word)) + return FAIL; + + (void)spell_casefold(curwin, word, len, foldword, MAXWLEN); +@@ -6194,7 +6211,7 @@ spell_add_word( + int i; + char_u *spf; + +- if (enc_utf8 && !utf_valid_string(word, NULL)) ++ if (!valid_spell_word(word)) + { + emsg(_(e_illegal_character_in_word)); + return; +diff --git a/src/testdir/test_spell.vim b/src/testdir/test_spell.vim +index 0fd5ed9..0187a17 100644 +--- a/src/testdir/test_spell.vim ++++ b/src/testdir/test_spell.vim +@@ -854,6 +854,21 @@ func Test_spellsuggest_too_deep() + bwipe! + endfunc + ++func Test_spell_good_word_invalid() ++ " This was adding a word with a 0x02 byte, which causes havoc. ++ enew ++ norm o0 ++ sil! norm rzzWs00/ ++ 2 ++ sil! norm VzGprzzW ++ sil! norm z= ++ ++ bwipe! ++ " clear the internal word list ++ set enc=latin1 ++ set enc=utf-8 ++endfunc ++ + func LoadAffAndDic(aff_contents, dic_contents) + set enc=latin1 + set spellfile= +-- +1.8.3.1 + diff --git a/backport-CVE-2022-2288.patch b/backport-CVE-2022-2288.patch new file mode 100644 index 0000000000000000000000000000000000000000..ba7c2862788049b5efa040baaf59433c3e94742b --- /dev/null +++ b/backport-CVE-2022-2288.patch @@ -0,0 +1,54 @@ +From c6fdb15d423df22e1776844811d082322475e48a Mon Sep 17 00:00:00 2001 +From: Bram Moolenaar +Date: Sat, 2 Jul 2022 13:43:21 +0100 +Subject: [PATCH] patch 9.0.0025: accessing beyond allocated memory with the + cmdline window + +Problem: Accessing beyond allocated memory when using the cmdline window in + Ex mode. +Solution: Use "*" instead of "'<,'>" for Visual mode. +--- + src/ex_docmd.c | 6 ++++-- + src/testdir/test_cmdline.vim | 8 ++++++++ + 2 files changed, 12 insertions(+), 2 deletions(-) + +diff --git a/src/ex_docmd.c b/src/ex_docmd.c +index 271e7e2..697337c 100644 +--- a/src/ex_docmd.c ++++ b/src/ex_docmd.c +@@ -3118,9 +3118,11 @@ parse_command_modifiers( + size_t len = STRLEN(cmd_start); + + // Special case: empty command uses "+": +- // "'<,'>mods" -> "mods'<,'>+ ++ // "'<,'>mods" -> "mods *+ ++ // Use "*" instead of "'<,'>" to avoid the command getting ++ // longer, in case is was allocated. + mch_memmove(orig_cmd, cmd_start, len); +- STRCPY(orig_cmd + len, "'<,'>+"); ++ STRCPY(orig_cmd + len, " *+"); + } + else + { +diff --git a/src/testdir/test_cmdline.vim b/src/testdir/test_cmdline.vim +index 3685336..f0498a1 100644 +--- a/src/testdir/test_cmdline.vim ++++ b/src/testdir/test_cmdline.vim +@@ -2103,6 +2103,14 @@ func Test_cmdwin_insert_mode_close() + call assert_equal(1, winnr('$')) + endfunc + ++func Test_cmdwin_ex_mode_with_modifier() ++ " this was accessing memory after allocated text in Ex mode ++ new ++ call setline(1, ['some', 'text', 'lines']) ++ silent! call feedkeys("gQnormal vq:atopleft\\\", 'xt') ++ bwipe! ++endfunc ++ + " test that ";" works to find a match at the start of the first line + func Test_zero_line_search() + new +-- +1.8.3.1 + diff --git a/backport-CVE-2022-2289.patch b/backport-CVE-2022-2289.patch new file mode 100644 index 0000000000000000000000000000000000000000..7e4aa5915edb81b1262e91e972653e24b0704925 --- /dev/null +++ b/backport-CVE-2022-2289.patch @@ -0,0 +1,65 @@ +From c5274dd12224421f2430b30c53b881b9403d649e Mon Sep 17 00:00:00 2001 +From: Bram Moolenaar +Date: Sat, 2 Jul 2022 15:10:00 +0100 +Subject: [PATCH] patch 9.0.0026: accessing freed memory with diff put + +Problem: Accessing freed memory with diff put. +Solution: Bail out when diff pointer is no longer valid. +--- + src/diff.c | 24 ++++++++++++++++++++++-- + 1 files changed, 22 insertions(+), 2 deletions(-) + +diff --git a/src/diff.c b/src/diff.c +index 91e5ae2..e4bafe2 100644 +--- a/src/diff.c ++++ b/src/diff.c +@@ -2643,6 +2643,20 @@ nv_diffgetput(int put, long count) + } + + /* ++ * Return TRUE if "diff" appears in the list of diff blocks of the current tab. ++ */ ++ static int ++valid_diff(diff_T *diff) ++{ ++ diff_T *dp; ++ ++ for (dp = curtab->tp_first_diff; dp != NULL; dp = dp->df_next) ++ if (dp == diff) ++ return TRUE; ++ return FALSE; ++} ++ ++/* + * ":diffget" + * ":diffput" + */ +@@ -2899,9 +2913,9 @@ ex_diffgetput(exarg_T *eap) + } + } + +- // Adjust marks. This will change the following entries! + if (added != 0) + { ++ // Adjust marks. This will change the following entries! + mark_adjust(lnum, lnum + count - 1, (long)MAXLNUM, (long)added); + if (curwin->w_cursor.lnum >= lnum) + { +@@ -2923,7 +2937,13 @@ ex_diffgetput(exarg_T *eap) + #endif + vim_free(dfree); + } +- else ++ ++ // mark_adjust() may have made "dp" invalid. We don't know where ++ // to continue then, bail out. ++ if (added != 0 && !valid_diff(dp)) ++ break; ++ ++ if (dfree == NULL) + // mark_adjust() may have changed the count in a wrong way + dp->df_count[idx_to] = new_count; + +-- +1.8.3.1 + diff --git a/backport-CVE-2022-2304.patch b/backport-CVE-2022-2304.patch new file mode 100644 index 0000000000000000000000000000000000000000..41b3e32a8eb07bc7ccf01b86b97f03de70d43595 --- /dev/null +++ b/backport-CVE-2022-2304.patch @@ -0,0 +1,55 @@ +From 54e5fed6d27b747ff152cdb6edfb72ff60e70939 Mon Sep 17 00:00:00 2001 +From: Bram Moolenaar +Date: Mon, 4 Jul 2022 13:37:07 +0100 +Subject: [PATCH] patch 9.0.0035: spell dump may go beyond end of an array + +Problem: Spell dump may go beyond end of an array. +Solution: Limit the word length. +--- + src/spell.c | 5 +++-- + src/testdir/test_spell.vim | 12 ++++++++++++ + 2 files changed, 15 insertions(+), 2 deletions(-) + +diff --git a/src/spell.c b/src/spell.c +index d866a2d..24abce4 100644 +--- a/src/spell.c ++++ b/src/spell.c +@@ -3996,9 +3996,10 @@ spell_dump_compl( + n = arridx[depth] + curi[depth]; + ++curi[depth]; + c = byts[n]; +- if (c == 0) ++ if (c == 0 || depth >= MAXWLEN - 1) + { +- // End of word, deal with the word. ++ // End of word or reached maximum length, deal with the ++ // word. + // Don't use keep-case words in the fold-case tree, + // they will appear in the keep-case tree. + // Only use the word when the region matches. +diff --git a/src/testdir/test_spell.vim b/src/testdir/test_spell.vim +index d3f56d8..a291eb5 100644 +--- a/src/testdir/test_spell.vim ++++ b/src/testdir/test_spell.vim +@@ -285,6 +285,18 @@ func Test_spellreall() + bwipe! + endfunc + ++func Test_spell_dump_word_length() ++ " this was running over MAXWLEN ++ new ++ noremap 0 0a0zW0000000 ++ sil! norm 0z=0 ++ sil norm 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 ++ sil! norm 0z=0 ++ ++ bwipe! ++ nunmap 0 ++endfunc ++ + " Test spellsuggest({word} [, {max} [, {capital}]]) + func Test_spellsuggest() + " Verify suggestions are given even when spell checking is not enabled. +-- +1.8.3.1 + diff --git a/backport-CVE-2022-2343.patch b/backport-CVE-2022-2343.patch new file mode 100644 index 0000000000000000000000000000000000000000..3830771f5b72c24c1a547e2b0a4e87364579ee01 --- /dev/null +++ b/backport-CVE-2022-2343.patch @@ -0,0 +1,235 @@ +FROM CAEA66442D86E7BBBA3BF3DC202C3C0D549B9853 MON SEP 17 00:00:00 2001 +From: Bram Moolenaar +Date: Thu, 7 Jul 2022 19:42:04 +0100 +Subject: [PATCH] patch 9.0.0045: reading past end of completion with a + long line + +Problem: Reading past end of completion with a long line and 'infercase' +set. +Solution: Allocate the string if needed. +--- + src/insexpand.c | 94 ++++++++++++++++++++++--------- + src/testdir/test_ins_complete.vim | 16 ++++++ + 2 files changed, 82 insertions(+), 28 deletions(-) + +diff --git a/src/insexpand.c b/src/insexpand.c +index 734550f..0ecb656 100644 +--- a/src/insexpand.c ++++ b/src/insexpand.c +@@ -524,29 +524,32 @@ ins_compl_accept_char(int c) + + /* + * Get the completed text by inferring the case of the originally typed text. ++ * If the result is in allocated memory "tofree" is set to it. + */ + static char_u * + ins_compl_infercase_gettext( + char_u *str, +- int actual_len, +- int actual_compl_length, +- int min_len) ++ int char_len, ++ int compl_char_len, ++ int min_len, ++ char_u **tofree) + { + int *wca; // Wide character array. + char_u *p; + int i, c; + int has_lower = FALSE; + int was_letter = FALSE; ++ garray_T gap; + + IObuff[0] = NUL; + + // Allocate wide character array for the completion and fill it. +- wca = ALLOC_MULT(int, actual_len); ++ wca = ALLOC_MULT(int, char_len); + if (wca == NULL) + return IObuff; + + p = str; +- for (i = 0; i < actual_len; ++i) ++ for (i = 0; i < char_len; ++i) + if (has_mbyte) + wca[i] = mb_ptr2char_adv(&p); + else +@@ -566,7 +569,7 @@ ins_compl_infercase_gettext( + if (MB_ISUPPER(wca[i])) + { + // Rule 1 is satisfied. +- for (i = actual_compl_length; i < actual_len; ++i) ++ for (i = compl_char_len; i < char_len; ++i) + wca[i] = MB_TOLOWER(wca[i]); + break; + } +@@ -587,7 +590,7 @@ ins_compl_infercase_gettext( + if (was_letter && MB_ISUPPER(c) && MB_ISLOWER(wca[i])) + { + // Rule 2 is satisfied. +- for (i = actual_compl_length; i < actual_len; ++i) ++ for (i = compl_char_len; i < char_len; ++i) + wca[i] = MB_TOUPPER(wca[i]); + break; + } +@@ -610,20 +613,52 @@ ins_compl_infercase_gettext( + } + + // Generate encoding specific output from wide character array. +- // Multi-byte characters can occupy up to five bytes more than +- // ASCII characters, and we also need one byte for NUL, so stay +- // six bytes away from the edge of IObuff. + p = IObuff; + i = 0; +- while (i < actual_len && (p - IObuff + 6) < IOSIZE) +- if (has_mbyte) ++ ga_init2(&gap, 1, 500); ++ while (i < char_len) ++ { ++ if (gap.ga_data != NULL) ++ { ++ if (ga_grow(&gap, 10) == FAIL) ++ { ++ ga_clear(&gap); ++ return (char_u *)"[failed]"; ++ } ++ p = (char_u *)gap.ga_data + gap.ga_len; ++ if (has_mbyte) ++ gap.ga_len += (*mb_char2bytes)(wca[i++], p); ++ else ++ { ++ *p = wca[i++]; ++ ++gap.ga_len; ++ } ++ } ++ else if ((p - IObuff) + 6 >= IOSIZE) ++ { ++ // Multi-byte characters can occupy up to five bytes more than ++ // ASCII characters, and we also need one byte for NUL, so when ++ // getting to six bytes from the edge of IObuff switch to using a ++ // growarray. Add the character in the next round. ++ if (ga_grow(&gap, IOSIZE) == FAIL) ++ return (char_u *)"[failed]"; ++ STRCPY(gap.ga_data, IObuff); ++ gap.ga_len = STRLEN(IObuff); ++ } ++ else if (has_mbyte) + p += (*mb_char2bytes)(wca[i++], p); + else + *(p++) = wca[i++]; +- *p = NUL; +- ++ } + vim_free(wca); + ++ if (gap.ga_data != NULL) ++ { ++ *tofree = gap.ga_data; ++ return gap.ga_data; ++ } ++ ++ *p = NUL; + return IObuff; + } + +@@ -644,10 +679,12 @@ ins_compl_add_infercase( + { + char_u *str = str_arg; + char_u *p; +- int actual_len; // Take multi-byte characters +- int actual_compl_length; // into account. ++ int char_len; // count multi-byte characters ++ int compl_char_len; + int min_len; + int flags = 0; ++ int res; ++ char_u *tofree = NULL; + + if (p_ic && curbuf->b_p_inf && len > 0) + { +@@ -657,44 +694,45 @@ ins_compl_add_infercase( + if (has_mbyte) + { + p = str; +- actual_len = 0; ++ char_len = 0; + while (*p != NUL) + { + MB_PTR_ADV(p); +- ++actual_len; ++ ++char_len; + } + } + else +- actual_len = len; ++ char_len = len; + + // Find actual length of original text. + if (has_mbyte) + { + p = compl_orig_text; +- actual_compl_length = 0; ++ compl_char_len = 0; + while (*p != NUL) + { + MB_PTR_ADV(p); +- ++actual_compl_length; ++ ++compl_char_len; + } + } + else +- actual_compl_length = compl_length; ++ compl_char_len = compl_length; + +- // "actual_len" may be smaller than "actual_compl_length" when using ++ // "char_len" may be smaller than "compl_char_len" when using + // thesaurus, only use the minimum when comparing. +- min_len = actual_len < actual_compl_length +- ? actual_len : actual_compl_length; ++ min_len = char_len < compl_char_len ? char_len : compl_char_len; + +- str = ins_compl_infercase_gettext(str, actual_len, actual_compl_length, +- min_len); ++ str = ins_compl_infercase_gettext(str, char_len, ++ compl_char_len, min_len, &tofree); + } + if (cont_s_ipos) + flags |= CP_CONT_S_IPOS; + if (icase) + flags |= CP_ICASE; + +- return ins_compl_add(str, len, fname, NULL, NULL, dir, flags, FALSE); ++ res = ins_compl_add(str, len, fname, NULL, NULL, dir, flags, FALSE); ++ vim_free(tofree); ++ return res; + } + + /* +diff --git a/src/testdir/test_ins_complete.vim b/src/testdir/test_ins_complete.vim +index 20c2b4f..f2daa02 100644 +--- a/src/testdir/test_ins_complete.vim ++++ b/src/testdir/test_ins_complete.vim +@@ -2192,4 +2192,20 @@ func Test_complete_overrun() + endfunc + + ++func Test_infercase_very_long_line() ++ " this was truncating the line when inferring case ++ new ++ let longLine = "blah "->repeat(300) ++ let verylongLine = "blah "->repeat(400) ++ call setline(1, verylongLine) ++ call setline(2, longLine) ++ set ic infercase ++ exe "normal 2Go\\\" ++ call assert_equal(longLine, getline(3)) ++ ++ bwipe! ++ set noic noinfercase ++endfunc ++ ++ + " vim: shiftwidth=2 sts=2 expandtab +-- +2.36.1 + diff --git a/backport-CVE-2022-2344.patch b/backport-CVE-2022-2344.patch new file mode 100644 index 0000000000000000000000000000000000000000..fa51605286f05c975c0343e50beb5293156f8ad5 --- /dev/null +++ b/backport-CVE-2022-2344.patch @@ -0,0 +1,50 @@ +From baefde14550231f6468ac2ed2ed495bc381c0c92 Mon Sep 17 00:00:00 2001 +From: Bram Moolenaar +Date: Thu, 7 Jul 2022 19:59:49 +0100 +Subject: [PATCH] patch 9.0.0046: reading past end of completion with + duplicate match + +Problem: Reading past end of completion with duplicate match. +Solution: Check string length +--- + src/insexpand.c | 3 ++- + src/testdir/test_ins_complete.vim | 10 ++++++++++ + 2 files changed, 12 insertions(+), 1 deletion(-) + +diff --git a/src/insexpand.c b/src/insexpand.c +index 0ecb656..9c598a8 100644 +--- a/src/insexpand.c ++++ b/src/insexpand.c +@@ -786,7 +786,8 @@ ins_compl_add( + { + if (!match_at_original_text(match) + && STRNCMP(match->cp_str, str, len) == 0 +- && match->cp_str[len] == NUL) ++ && ((int)STRLEN(match->cp_str) <= len ++ || match->cp_str[len] == NUL)) + return NOTDONE; + match = match->cp_next; + } while (match != NULL && !is_first_match(match)); +diff --git a/src/testdir/test_ins_complete.vim b/src/testdir/test_ins_complete.vim +index 5e5b1bb..2be6d06 100644 +--- a/src/testdir/test_ins_complete.vim ++++ b/src/testdir/test_ins_complete.vim +@@ -2112,5 +2112,15 @@ func Test_infercase_very_long_line() + set noic noinfercase + endfunc + ++func Test_ins_complete_add() ++ " this was reading past the end of allocated memory ++ new ++ norm o ++ norm 7o€€ ++ sil! norm o ++ ++ bwipe! ++endfunc ++ + + " vim: shiftwidth=2 sts=2 expandtab +-- +1.8.3.1 + diff --git a/backport-CVE-2022-2345.patch b/backport-CVE-2022-2345.patch new file mode 100644 index 0000000000000000000000000000000000000000..affe513187bb05ceb1f5b8e3468bbbe5a9c5a7fb --- /dev/null +++ b/backport-CVE-2022-2345.patch @@ -0,0 +1,79 @@ +From 32acf1f1a72ebb9d8942b9c9d80023bf1bb668ea Mon Sep 17 00:00:00 2001 +From: Bram Moolenaar +Date: Thu, 7 Jul 2022 22:20:31 +0100 +Subject: [PATCH] patch 9.0.0047: using freed memory with recursive + substitute + +Problem: Using freed memory with recursive substitute. +Solution: Always make a copy for reg_prev_sub. +--- + src/ex_cmds.c | 11 ++++++++++- + src/regexp.c | 8 ++++---- + src/testdir/test_regexp_latin.vim | 11 +++++++++++ + 3 files changed, 25 insertions(+), 5 deletions(-) + +diff --git a/src/ex_cmds.c b/src/ex_cmds.c +index eb3016f..5253863 100644 +--- a/src/ex_cmds.c ++++ b/src/ex_cmds.c +@@ -3994,7 +3994,16 @@ ex_substitute(exarg_T *eap) + sub_copy = sub; + } + else +- sub = regtilde(sub, magic_isset()); ++ { ++ char_u *newsub = regtilde(sub, magic_isset()); ++ ++ if (newsub != sub) ++ { ++ // newsub was allocated, free it later. ++ sub_copy = newsub; ++ sub = newsub; ++ } ++ } + + /* + * Check for a match on each line. +diff --git a/src/regexp.c b/src/regexp.c +index 2cbe64e..f35a5e8 100644 +--- a/src/regexp.c ++++ b/src/regexp.c +@@ -1766,11 +1766,11 @@ regtilde(char_u *source, int magic) + } + } + ++ // Store a copy of newsub in reg_prev_sub. It is always allocated, ++ // because recursive calls may make the returned string invalid. + vim_free(reg_prev_sub); +- if (newsub != source) // newsub was allocated, just keep it +- reg_prev_sub = newsub; +- else // no ~ found, need to save newsub +- reg_prev_sub = vim_strsave(newsub); ++ reg_prev_sub = vim_strsave(newsub); ++ + return newsub; + } + +diff --git a/src/testdir/test_regexp_latin.vim b/src/testdir/test_regexp_latin.vim +index 1fe4699..dce6709 100644 +--- a/src/testdir/test_regexp_latin.vim ++++ b/src/testdir/test_regexp_latin.vim +@@ -1114,4 +1114,15 @@ func Test_using_two_engines_pattern() + bwipe! + endfunc + ++func Test_recursive_substitute_expr() ++ new ++ func Repl() ++ s ++ endfunc ++ silent! s/\%')/~\=Repl() ++ ++ bwipe! ++ delfunc Repl ++endfunc ++ + " vim: shiftwidth=2 sts=2 expandtab +-- +1.8.3.1 + diff --git a/backport-CVE-2022-2522.patch b/backport-CVE-2022-2522.patch new file mode 100644 index 0000000000000000000000000000000000000000..f17c4aa7e19be8c2fdca83f7af162935fda14a1e --- /dev/null +++ b/backport-CVE-2022-2522.patch @@ -0,0 +1,46 @@ +From b9e717367c395490149495cf375911b5d9de889e Mon Sep 17 00:00:00 2001 +From: Bram Moolenaar +Date: Sat, 23 Jul 2022 06:53:08 +0100 +Subject: [PATCH] patch 9.0.0060: accessing uninitialized memory when + completing long line + +Problem: Accessing uninitialized memory when completing long line. +Solution: Terminate string with NUL. +--- + src/insexpand.c | 1 + + src/testdir/test_ins_complete.vim | 7 +++++++ + 2 files changed, 8 insertions(+) + +diff --git a/src/insexpand.c b/src/insexpand.c +index b49a631..c505158 100644 +--- a/src/insexpand.c ++++ b/src/insexpand.c +@@ -642,6 +642,7 @@ ins_compl_infercase_gettext( + // growarray. Add the character in the next round. + if (ga_grow(&gap, IOSIZE) == FAIL) + return (char_u *)"[failed]"; ++ *p = NUL; + STRCPY(gap.ga_data, IObuff); + gap.ga_len = (int)STRLEN(IObuff); + } +diff --git a/src/testdir/test_ins_complete.vim b/src/testdir/test_ins_complete.vim +index 2be6d06..7bebc5d 100644 +--- a/src/testdir/test_ins_complete.vim ++++ b/src/testdir/test_ins_complete.vim +@@ -2108,6 +2108,13 @@ func Test_infercase_very_long_line() + exe "normal 2Go\\\" + call assert_equal(longLine, getline(3)) + ++ " check that the too long text is NUL terminated ++ %del ++ norm o ++ norm 1987ax ++ exec "norm ox\\" ++ call assert_equal(repeat('x', 1987), getline(3)) ++ + bwipe! + set noic noinfercase + endfunc +-- +1.8.3.1 + diff --git a/backport-patch-9.0.0022-spell-test-fails.patch b/backport-patch-9.0.0022-spell-test-fails.patch new file mode 100644 index 0000000000000000000000000000000000000000..8670fa9d8b1ae99535020334d585ea9cfb147ee7 --- /dev/null +++ b/backport-patch-9.0.0022-spell-test-fails.patch @@ -0,0 +1,32 @@ +From 95afae6d1760b2efcc4968dbd3784799d24e9fdf Mon Sep 17 00:00:00 2001 +From: Bram Moolenaar +Date: Fri, 1 Jul 2022 22:44:19 +0100 +Subject: [PATCH] patch 9.0.0022: spell test fails + +Problem: Spell test fails. +Solution: Expect new error is given. +--- + src/testdir/test_spell_utf8.vim | 7 ++++++- + 1 files changed, 6 insertions(+), 1 deletion(-) + +diff --git a/src/testdir/test_spell_utf8.vim b/src/testdir/test_spell_utf8.vim +index fe80689..c71308b 100644 +--- a/src/testdir/test_spell_utf8.vim ++++ b/src/testdir/test_spell_utf8.vim +@@ -779,7 +779,12 @@ func Test_no_crash_with_weird_text() + € + END + call setline(1, lines) +- exe "%norm \ez=>\wzG" ++ try ++ exe "%norm \ez=>\wzG" ++ catch /E1280:/ ++ let caught = 'yes' ++ endtry ++ call assert_equal('yes', caught) + + bwipe! + endfunc +-- +1.8.3.1 + diff --git a/backport-patch-9.0.0054-compiler-warning-for-size_t-to-int-co.patch b/backport-patch-9.0.0054-compiler-warning-for-size_t-to-int-co.patch new file mode 100644 index 0000000000000000000000000000000000000000..f7b0a6eee40b82c6ab80d54a7e5d66c531d487bb --- /dev/null +++ b/backport-patch-9.0.0054-compiler-warning-for-size_t-to-int-co.patch @@ -0,0 +1,27 @@ +From c7bd2f08e531f08723cdc677212a3633d11c9a97 Mon Sep 17 00:00:00 2001 +From: Bram Moolenaar +Date: Fri, 15 Jul 2022 20:45:20 +0100 +Subject: [PATCH] patch 9.0.0054: compiler warning for size_t to int conversion + +Problem: Compiler warning for size_t to int conversion. +Solution: Add type cast. (Mike Williams, closes #10741) +--- + src/insexpand.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletion(-) + +diff --git a/src/insexpand.c b/src/insexpand.c +index 9c598a8..b49a631 100644 +--- a/src/insexpand.c ++++ b/src/insexpand.c +@@ -643,7 +643,7 @@ ins_compl_infercase_gettext( + if (ga_grow(&gap, IOSIZE) == FAIL) + return (char_u *)"[failed]"; + STRCPY(gap.ga_data, IObuff); +- gap.ga_len = STRLEN(IObuff); ++ gap.ga_len = (int)STRLEN(IObuff); + } + else if (has_mbyte) + p += (*mb_char2bytes)(wca[i++], p); +-- +1.8.3.1 + diff --git a/vim.spec b/vim.spec index 83a4f2687b706773f1e89c509b40d64ab9dc458e..60bf542da98d0f377ca51afc594a49d1a89db545 100644 --- a/vim.spec +++ b/vim.spec @@ -12,7 +12,7 @@ Name: vim Epoch: 2 Version: 9.0 -Release: 1 +Release: 2 Summary: Vim is a highly configurable text editor for efficiently creating and changing any kind of text. License: Vim and MIT URL: http://www.vim.org @@ -27,6 +27,22 @@ Patch0009: vim-7.4-globalsyntax.patch Patch0011: vim-8.0-copy-paste.patch Patch0012: vim-python3-tests.patch +Patch6000: backport-CVE-2022-2257.patch +Patch6001: backport-CVE-2022-2264.patch +Patch6002: backport-CVE-2022-2284.patch +Patch6003: backport-CVE-2022-2285.patch +Patch6004: backport-CVE-2022-2286.patch +Patch6005: backport-CVE-2022-2287.patch +Patch6006: backport-CVE-2022-2288.patch +Patch6007: backport-patch-9.0.0022-spell-test-fails.patch +Patch6008: backport-CVE-2022-2289.patch +Patch6009: backport-CVE-2022-2304.patch +Patch6010: backport-CVE-2022-2343.patch +Patch6011: backport-CVE-2022-2344.patch +Patch6012: backport-CVE-2022-2345.patch +Patch6013: backport-patch-9.0.0054-compiler-warning-for-size_t-to-int-co.patch +Patch6014: backport-CVE-2022-2522.patch + Patch9000: bugfix-rm-modify-info-version.patch BuildRequires: autoconf python3-devel ncurses-devel gettext perl-devel perl-generators gcc @@ -418,6 +434,12 @@ popd %{_mandir}/man1/evim.* %changelog +* Sat Jul 30 2022 shixuantong - 2:9.0-2 +- Type:CVE +- ID:CVE-2022-2257 CVE-2022-2264 CVE-2022-2284 CVE-2022-2285 CVE-2022-2286 CVE-2022-2287 CVE-2022-2288 CVE-2022-2289 CVE-2022-2304 CVE-2022-2343 CVE-2022-2344 CVE-2022-2345 CVE-2022-2522 +- SUG:NA +- DESC:fix CVE-2022-2257 CVE-2022-2264 CVE-2022-2284 CVE-2022-2285 CVE-2022-2286 CVE-2022-2287 CVE-2022-2288 CVE-2022-2289 CVE-2022-2304 CVE-2022-2343 CVE-2022-2344 CVE-2022-2345 CVE-2022-2522 + * Tue Jul 05 2022 shixuantong - 2:9.0-1 - Type:enhancement - ID:NA