diff --git a/backport-CVE-2022-2816.patch b/backport-CVE-2022-2816.patch new file mode 100644 index 0000000000000000000000000000000000000000..9359583ae0a477a10f85ad1c84ebd3392be9b966 --- /dev/null +++ b/backport-CVE-2022-2816.patch @@ -0,0 +1,58 @@ +From dbdd16b62560413abcc3c8e893cc3010ccf31666 Mon Sep 17 00:00:00 2001 +From: Bram Moolenaar +Date: Sun, 14 Aug 2022 21:46:07 +0100 +Subject: [PATCH] patch 9.0.0212: invalid memory access when compiling :unlet + +Problem: Invalid memory access when compiling :unlet. +Solution: Don't read past the end of the line. +--- + src/testdir/test_vim9_cmd.vim | 11 +++++++++-- + src/vim9cmds.c | 6 ++++++ + 2 files changed, 15 insertions(+), 2 deletions(-) + +diff --git a/src/testdir/test_vim9_cmd.vim b/src/testdir/test_vim9_cmd.vim +index 16f534e..a40f261 100644 +--- a/src/testdir/test_vim9_cmd.vim ++++ b/src/testdir/test_vim9_cmd.vim +@@ -1704,12 +1704,19 @@ def Test_lockvar() + + lines =<< trim END + def _() +- s:0([], s:0) + lockv + enddef + defcomp + END +- v9.CheckScriptFailure(lines, 'E179', 2) ++ v9.CheckScriptFailure(lines, 'E179', 1) ++ ++ lines =<< trim END ++ def T() ++ unlet ++ enddef ++ defcomp ++ END ++ v9.CheckScriptFailure(lines, 'E179', 1) + enddef + + def Test_substitute_expr() +diff --git a/src/vim9cmds.c b/src/vim9cmds.c +index 35a3821..93032d6 100644 +--- a/src/vim9cmds.c ++++ b/src/vim9cmds.c +@@ -92,6 +92,12 @@ free_locals(cctx_T *cctx) + int + check_vim9_unlet(char_u *name) + { ++ if (*name == NUL) ++ { ++ semsg(_(e_argument_required_for_str), "unlet"); ++ return FAIL; ++ } ++ + if (name[1] != ':' || vim_strchr((char_u *)"gwtb", *name) == NULL) + { + // "unlet s:var" is allowed in legacy script. +-- +2.36.1 + diff --git a/backport-CVE-2022-2817.patch b/backport-CVE-2022-2817.patch new file mode 100644 index 0000000000000000000000000000000000000000..440500321446c7d3b015f573e2c5a160ff125fa6 --- /dev/null +++ b/backport-CVE-2022-2817.patch @@ -0,0 +1,75 @@ +From 249e1b903a9c0460d618f6dcc59aeb8c03b24b20 Mon Sep 17 00:00:00 2001 +From: Bram Moolenaar +Date: Sun, 14 Aug 2022 22:23:02 +0100 +Subject: [PATCH] patch 9.0.0213: using freed memory with error in assert + argument + +Problem: Using freed memory with error in assert argument. +Solution: Make a copy of the error. +--- + src/testdir/test_assert.vim | 4 ++++ + src/testing.c | 18 ++++++++++++------ + 2 files changed, 16 insertions(+), 6 deletions(-) + +diff --git a/src/testdir/test_assert.vim b/src/testdir/test_assert.vim +index 27b2d73..7c9d090 100644 +--- a/src/testdir/test_assert.vim ++++ b/src/testdir/test_assert.vim +@@ -291,6 +291,10 @@ func Test_assert_fail_fails() + let exp = v:exception + endtry + call assert_match("E1174: String required for argument 5", exp) ++ ++ call assert_equal(1, assert_fails('c0', ['', '\1'])) ++ call assert_match("Expected '\\\\\\\\1' but got 'E939: Positive count required: c0': c0", v:errors[0]) ++ call remove(v:errors, 0) + endfunc + + func Test_assert_fails_in_try_block() +diff --git a/src/testing.c b/src/testing.c +index c49df4b..43b8d20 100644 +--- a/src/testing.c ++++ b/src/testing.c +@@ -597,6 +597,7 @@ f_assert_fails(typval_T *argvars, typval_T *rettv) + int save_trylevel = trylevel; + int called_emsg_before = called_emsg; + char *wrong_arg_msg = NULL; ++ char_u *tofree = NULL; + + if (check_for_string_or_number_arg(argvars, 0) == FAIL + || check_for_opt_string_or_list_arg(argvars, 1) == FAIL +@@ -660,13 +661,17 @@ f_assert_fails(typval_T *argvars, typval_T *rettv) + } + else if (list->lv_len == 2) + { +- tv = &list->lv_u.mat.lv_last->li_tv; +- actual = get_vim_var_str(VV_ERRMSG); +- expected = tv_get_string_buf_chk(tv, buf); +- if (!pattern_match(expected, actual, FALSE)) ++ // make a copy, an error in pattern_match() may free it ++ tofree = actual = vim_strsave(get_vim_var_str(VV_ERRMSG)); ++ if (actual != NULL) + { +- error_found = TRUE; +- expected_str = expected; ++ tv = &list->lv_u.mat.lv_last->li_tv; ++ expected = tv_get_string_buf_chk(tv, buf); ++ if (!pattern_match(expected, actual, FALSE)) ++ { ++ error_found = TRUE; ++ expected_str = expected; ++ } + } + } + } +@@ -749,6 +754,7 @@ theend: + msg_scrolled = 0; + lines_left = Rows; + VIM_CLEAR(emsg_assert_fails_msg); ++ vim_free(tofree); + set_vim_var_string(VV_ERRMSG, NULL, 0); + if (wrong_arg_msg != NULL) + emsg(_(wrong_arg_msg)); +-- +2.36.1 + diff --git a/backport-CVE-2022-2819.patch b/backport-CVE-2022-2819.patch new file mode 100644 index 0000000000000000000000000000000000000000..72f9f57a1f67d1f2d51d29a1b6574dae307f612b --- /dev/null +++ b/backport-CVE-2022-2819.patch @@ -0,0 +1,66 @@ +From d1d8f6bacb489036d0fd479c9dd3c0102c988889 Mon Sep 17 00:00:00 2001 +From: Bram Moolenaar +Date: Sun, 14 Aug 2022 21:28:32 +0100 +Subject: [PATCH] patch 9.0.0211: invalid memory access when compiling :lockvar + +Problem: Invalid memory access when compiling :lockvar. +Solution: Don't read past the end of the line. +--- + src/testdir/test_vim9_cmd.vim | 9 +++++++++ + src/vim9cmds.c | 9 +++++++-- + 2 files changed, 16 insertions(+), 2 deletions(-) + +diff --git a/src/testdir/test_vim9_cmd.vim b/src/testdir/test_vim9_cmd.vim +index 7db8e50..16f534e 100644 +--- a/src/testdir/test_vim9_cmd.vim ++++ b/src/testdir/test_vim9_cmd.vim +@@ -1701,6 +1701,15 @@ def Test_lockvar() + UnLockIt() + END + v9.CheckScriptFailure(lines, 'E46', 1) ++ ++ lines =<< trim END ++ def _() ++ s:0([], s:0) ++ lockv ++ enddef ++ defcomp ++ END ++ v9.CheckScriptFailure(lines, 'E179', 2) + enddef + + def Test_substitute_expr() +diff --git a/src/vim9cmds.c b/src/vim9cmds.c +index ad32c32..35a3821 100644 +--- a/src/vim9cmds.c ++++ b/src/vim9cmds.c +@@ -188,10 +188,17 @@ compile_lock_unlock( + size_t len; + char_u *buf; + isntype_T isn = ISN_EXEC; ++ char *cmd = eap->cmdidx == CMD_lockvar ? "lockvar" : "unlockvar"; + + if (cctx->ctx_skip == SKIP_YES) + return OK; + ++ if (*p == NUL) ++ { ++ semsg(_(e_argument_required_for_str), cmd); ++ return FAIL; ++ } ++ + // Cannot use :lockvar and :unlockvar on local variables. + if (p[1] != ':') + { +@@ -223,8 +230,6 @@ compile_lock_unlock( + ret = FAIL; + else + { +- char *cmd = eap->cmdidx == CMD_lockvar ? "lockvar" : "unlockvar"; +- + if (deep < 0) + vim_snprintf((char *)buf, len, "%s! %s", cmd, p); + else +-- +2.36.1 + diff --git a/backport-CVE-2022-2845.patch b/backport-CVE-2022-2845.patch new file mode 100644 index 0000000000000000000000000000000000000000..262d3d78c6225e37e9c7f7cafa12bdba9cb7c854 --- /dev/null +++ b/backport-CVE-2022-2845.patch @@ -0,0 +1,61 @@ +From e98c88c44c308edaea5994b8ad4363e65030968c Mon Sep 17 00:00:00 2001 +From: Bram Moolenaar +Date: Tue, 16 Aug 2022 14:51:53 +0100 +Subject: [PATCH] patch 9.0.0218: reading before the start of the line + +Problem: Reading before the start of the line. +Solution: When displaying "$" check the column is not negative. +--- + src/edit.c | 3 ++- + src/proto/edit.pro | 2 +- + src/testdir/test_cmdline.vim | 8 ++++++++ + 3 files changed, 11 insertions(+), 2 deletions(-) + +diff --git a/src/edit.c b/src/edit.c +index a8e695c..96f47bd 100644 +--- a/src/edit.c ++++ b/src/edit.c +@@ -1741,8 +1741,9 @@ edit_unputchar(void) + * Only works when cursor is in the line that changes. + */ + void +-display_dollar(colnr_T col) ++display_dollar(colnr_T col_arg) + { ++ colnr_T col = col_arg < 0 ? 0 : col_arg; + colnr_T save_col; + + if (!redrawing()) +diff --git a/src/proto/edit.pro b/src/proto/edit.pro +index a233e40..f35ec1e 100644 +--- a/src/proto/edit.pro ++++ b/src/proto/edit.pro +@@ -5,7 +5,7 @@ void ins_redraw(int ready); + void edit_putchar(int c, int highlight); + void set_insstart(linenr_T lnum, int col); + void edit_unputchar(void); +-void display_dollar(colnr_T col); ++void display_dollar(colnr_T col_arg); + void undisplay_dollar(void); + void truncate_spaces(char_u *line); + void backspace_until_column(int col); +diff --git a/src/testdir/test_cmdline.vim b/src/testdir/test_cmdline.vim +index f0498a1..08e2de7 100644 +--- a/src/testdir/test_cmdline.vim ++++ b/src/testdir/test_cmdline.vim +@@ -3439,4 +3439,12 @@ func Test_long_error_message() + silent! norm Q00000000000000     000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000                                                                                                                                                                                                                         + endfunc + ++func Test_cmdwin_virtual_edit() ++ enew! ++ set ve=all cpo+=$ ++ silent normal q/s ++ ++ set ve= cpo-=$ ++endfunc ++ + " vim: shiftwidth=2 sts=2 expandtab +-- +2.36.1 + diff --git a/backport-CVE-2022-2849.patch b/backport-CVE-2022-2849.patch new file mode 100644 index 0000000000000000000000000000000000000000..27adc77d906f87b4d86bd4615e5fa4387f24bc70 --- /dev/null +++ b/backport-CVE-2022-2849.patch @@ -0,0 +1,103 @@ +From f6d39c31d2177549a986d170e192d8351bd571e2 Mon Sep 17 00:00:00 2001 +From: Bram Moolenaar +Date: Tue, 16 Aug 2022 17:50:38 +0100 +Subject: [PATCH] patch 9.0.0220: invalid memory access with for loop over NULL + string + +Problem: Invalid memory access with for loop over NULL string. +Solution: Make sure mb_ptr2len() consistently returns zero for NUL. +--- + src/globals.h | 3 ++- + src/mbyte.c | 21 +++++++++++++-------- + src/testdir/test_eval_stuff.vim | 12 ++++++++++++ + 3 files changed, 27 insertions(+), 9 deletions(-) + +diff --git a/src/globals.h b/src/globals.h +index 888f6e9..9b40be4 100644 +--- a/src/globals.h ++++ b/src/globals.h +@@ -1033,7 +1033,8 @@ EXTERN vimconv_T output_conv; // type of output conversion + * (DBCS). + * The value is set in mb_init(); + */ +-// length of char in bytes, including following composing chars ++// Length of char in bytes, including any following composing chars. ++// NUL has length zero. + EXTERN int (*mb_ptr2len)(char_u *p) INIT(= latin_ptr2len); + + // idem, with limit on string length +diff --git a/src/mbyte.c b/src/mbyte.c +index 3656880..782a7ad 100644 +--- a/src/mbyte.c ++++ b/src/mbyte.c +@@ -1077,24 +1077,28 @@ dbcs_char2bytes(int c, char_u *buf) + } + + /* +- * mb_ptr2len() function pointer. +- * Get byte length of character at "*p" but stop at a NUL. +- * For UTF-8 this includes following composing characters. +- * Returns 0 when *p is NUL. ++ * Get byte length of character at "*p". Returns zero when "*p" is NUL. ++ * Used for mb_ptr2len() when 'encoding' latin. + */ + int + latin_ptr2len(char_u *p) + { +- return MB_BYTE2LEN(*p); ++ return *p == NUL ? 0 : 1; + } + ++/* ++ * Get byte length of character at "*p". Returns zero when "*p" is NUL. ++ * Used for mb_ptr2len() when 'encoding' DBCS. ++ */ + static int +-dbcs_ptr2len( +- char_u *p) ++dbcs_ptr2len(char_u *p) + { + int len; + +- // Check if second byte is not missing. ++ if (*p == NUL) ++ return 0; ++ ++ // if the second byte is missing the length is 1 + len = MB_BYTE2LEN(*p); + if (len == 2 && p[1] == NUL) + len = 1; +@@ -2105,6 +2109,7 @@ utf_ptr2len_len(char_u *p, int size) + /* + * Return the number of bytes the UTF-8 encoding of the character at "p" takes. + * This includes following composing characters. ++ * Returns zero for NUL. + */ + int + utfc_ptr2len(char_u *p) +diff --git a/src/testdir/test_eval_stuff.vim b/src/testdir/test_eval_stuff.vim +index c63082e..313d791 100644 +--- a/src/testdir/test_eval_stuff.vim ++++ b/src/testdir/test_eval_stuff.vim +@@ -75,6 +75,18 @@ func Test_for_invalid() + redraw + endfunc + ++func Test_for_over_null_string() ++ let save_enc = &enc ++ set enc=iso8859 ++ let cnt = 0 ++ for c in test_null_string() ++ let cnt += 1 ++ endfor ++ call assert_equal(0, cnt) ++ ++ let &enc = save_enc ++endfunc ++ + func Test_readfile_binary() + new + call setline(1, ['one', 'two', 'three']) +-- +2.36.1 + diff --git a/backport-CVE-2022-2862.patch b/backport-CVE-2022-2862.patch new file mode 100644 index 0000000000000000000000000000000000000000..672f9bfda13000a575ac8bd7deb4f8b69f0108c6 --- /dev/null +++ b/backport-CVE-2022-2862.patch @@ -0,0 +1,72 @@ +From 1889f499a4f248cd84e0e0bf6d0d820016774494 Mon Sep 17 00:00:00 2001 +From: Bram Moolenaar +Date: Tue, 16 Aug 2022 19:34:44 +0100 +Subject: [PATCH] patch 9.0.0221: accessing freed memory if compiling nested + function fails + +Problem: Accessing freed memory if compiling nested function fails. +Solution: Mess up the variable name so that it won't be found. +--- + src/testdir/test_vim9_func.vim | 12 ++++++++++++ + src/vim9compile.c | 7 +++++-- + 2 files changed, 17 insertions(+), 2 deletions(-) + +diff --git a/src/testdir/test_vim9_func.vim b/src/testdir/test_vim9_func.vim +index 33a6615..426fde4 100644 +--- a/src/testdir/test_vim9_func.vim ++++ b/src/testdir/test_vim9_func.vim +@@ -907,6 +907,18 @@ def Test_nested_function() + v9.CheckScriptFailure(lines, 'E1173: Text found after enddef: burp', 3) + enddef + ++def Test_nested_function_fails() ++ var lines =<< trim END ++ def T() ++ def Func(g: string):string ++ enddef ++ Func() ++ enddef ++ silent! defcompile ++ END ++ v9.CheckScriptFailure(lines, 'E1069:') ++enddef ++ + def Test_not_nested_function() + echo printf('%d', + function('len')('xxx')) +diff --git a/src/vim9compile.c b/src/vim9compile.c +index b7f590e..fb39997 100644 +--- a/src/vim9compile.c ++++ b/src/vim9compile.c +@@ -822,6 +822,7 @@ compile_nested_function(exarg_T *eap, cctx_T *cctx, garray_T *lines_to_free) + int r = FAIL; + compiletype_T compile_type; + isn_T *funcref_isn = NULL; ++ lvar_T *lvar = NULL; + + if (eap->forceit) + { +@@ -928,9 +929,8 @@ compile_nested_function(exarg_T *eap, cctx_T *cctx, garray_T *lines_to_free) + else + { + // Define a local variable for the function reference. +- lvar_T *lvar = reserve_local(cctx, func_name, name_end - name_start, ++ lvar = reserve_local(cctx, func_name, name_end - name_start, + TRUE, ufunc->uf_func_type); +- + if (lvar == NULL) + goto theend; + if (generate_FUNCREF(cctx, ufunc, &funcref_isn) == FAIL) +@@ -949,6 +949,9 @@ compile_nested_function(exarg_T *eap, cctx_T *cctx, garray_T *lines_to_free) + && compile_def_function(ufunc, TRUE, compile_type, cctx) == FAIL) + { + func_ptr_unref(ufunc); ++ if (lvar != NULL) ++ // Now the local variable can't be used. ++ *lvar->lv_name = '/'; // impossible value + goto theend; + } + +-- +2.36.1 + diff --git a/backport-CVE-2022-2874.patch b/backport-CVE-2022-2874.patch new file mode 100644 index 0000000000000000000000000000000000000000..c7f89ad6d6f4ebcff9ca1c5f091e2061ea0b2079 --- /dev/null +++ b/backport-CVE-2022-2874.patch @@ -0,0 +1,73 @@ +From 4875d6ab068f09df88d24d81de40dcd8d56e243d Mon Sep 17 00:00:00 2001 +From: Bram Moolenaar +Date: Wed, 17 Aug 2022 15:55:51 +0100 +Subject: [PATCH] patch 9.0.0224: Using NULL pointer when skipping compiled + code + +Problem: Using NULL pointer when skipping compiled code. +Solution: Check for skipping. +--- + src/testdir/test_vim9_script.vim | 13 +++++++++++++ + src/vim9compile.c | 14 ++++++++++---- + 2 files changed, 23 insertions(+), 4 deletions(-) + +diff --git a/src/testdir/test_vim9_script.vim b/src/testdir/test_vim9_script.vim +index fc0ef15..75b3e9c 100644 +--- a/src/testdir/test_vim9_script.vim ++++ b/src/testdir/test_vim9_script.vim +@@ -2097,6 +2097,19 @@ def Test_for_skipped_block() + v9.CheckDefAndScriptSuccess(lines) + enddef + ++def Test_skipped_redir() ++ var lines =<< trim END ++ def T() ++ if 0 ++ redir =>l[0] ++ redir END ++ endif ++ enddef ++ defcompile ++ END ++ v9.CheckScriptSuccess(lines) ++enddef ++ + def Test_for_loop() + var lines =<< trim END + var result = '' +diff --git a/src/vim9compile.c b/src/vim9compile.c +index fb39997..a8fa5dc 100644 +--- a/src/vim9compile.c ++++ b/src/vim9compile.c +@@ -1157,11 +1157,14 @@ generate_loadvar( + generate_LOADV(cctx, name + 2); + break; + case dest_local: +- if (lvar->lv_from_outer > 0) +- generate_LOADOUTER(cctx, lvar->lv_idx, lvar->lv_from_outer, ++ if (cctx->ctx_skip != SKIP_YES) ++ { ++ if (lvar->lv_from_outer > 0) ++ generate_LOADOUTER(cctx, lvar->lv_idx, lvar->lv_from_outer, + type); +- else +- generate_LOAD(cctx, ISN_LOAD, lvar->lv_idx, NULL, type); ++ else ++ generate_LOAD(cctx, ISN_LOAD, lvar->lv_idx, NULL, type); ++ } + break; + case dest_expr: + // list or dict value should already be on the stack. +@@ -1944,6 +1947,9 @@ compile_assign_unlet( + } + } + ++ if (cctx->ctx_skip == SKIP_YES) ++ return OK; ++ + // Load the dict or list. On the stack we then have: + // - value (for assignment, not for :unlet) + // - index +-- +2.36.1 + diff --git a/vim.spec b/vim.spec index a269076d3eb84ff7c97617bf81d5d9cd7fa3baf5..c15321b18c84a0fd133a801426c2d343cb0f5dba 100644 --- a/vim.spec +++ b/vim.spec @@ -12,7 +12,7 @@ Name: vim Epoch: 2 Version: 9.0 -Release: 5 +Release: 6 Summary: Vim is a highly configurable text editor for efficiently creating and changing any kind of text. License: Vim and MIT URL: http://www.vim.org @@ -46,6 +46,13 @@ Patch6015: backport-CVE-2022-2598.patch Patch6016: backport-CVE-2022-2571.patch Patch6017: backport-CVE-2022-2580.patch Patch6018: backport-CVE-2022-2581.patch +Patch6019: backport-CVE-2022-2819.patch +Patch6020: backport-CVE-2022-2816.patch +Patch6021: backport-CVE-2022-2817.patch +Patch6022: backport-CVE-2022-2845.patch +Patch6023: backport-CVE-2022-2849.patch +Patch6024: backport-CVE-2022-2862.patch +Patch6025: backport-CVE-2022-2874.patch Patch9000: bugfix-rm-modify-info-version.patch @@ -439,6 +446,12 @@ popd %{_mandir}/man1/evim.* %changelog +* Thu Aug 18 2022 shixuantong - 2:9.0-6 +- Type:CVE +- ID:CVE-2022-2816 CVE-2022-2817 CVE-2022-2819 CVE-2022-2845 CVE-2022-2849 CVE-2022-2862 CVE-2022-2874 +- SUG:NA +- DESC:fix CVE-2022-2816 CVE-2022-2817 CVE-2022-2819 CVE-2022-2845 CVE-2022-2849 CVE-2022-2862 CVE-2022-2874 + * Wed Aug 17 2022 wangjiang - 2:9.0-5 - Type:bugfix - ID:CVE-2022-2580 CVE-2022-2581