From 7d62e822b17030f030fd04b62be8cf7448e350de Mon Sep 17 00:00:00 2001
From: shixuantong
Date: Sat, 27 Aug 2022 16:20:33 +0800
Subject: [PATCH] fix CVE-2022-2980
(cherry picked from commit 98d2e27586303dfe9d3a6038ead96d08f22f2d1c)
---
 backport-CVE-2022-2980.patch | 171 +++++++++++++++++++++++++++++++++++
 vim.spec | 9 +-
 2 files changed, 179 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2022-2980.patch
diff --git a/backport-CVE-2022-2980.patch b/backport-CVE-2022-2980.patch
new file mode 100644
index 0000000..894a189
--- /dev/null
+++ b/backport-CVE-2022-2980.patch
@@ -0,0 +1,171 @@
+From 80525751c5ce9ed82c41d83faf9ef38667bf61b1 Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar
+Date: Wed, 24 Aug 2022 19:27:45 +0100
+Subject: [PATCH] patch 9.0.0259: crash with mouse click when not initialized
+
+Problem: Crash with mouse click when not initialized.
+Solution: Check TabPageIdxs[] is not NULL.
+---
+ src/mouse.c | 107 ++++++++++++++++++-----------------
+ src/testdir/test_tabline.vim | 14 +++++
+ 2 files changed, 69 insertions(+), 52 deletions(-)
+
+diff --git a/src/mouse.c b/src/mouse.c
+index c94f322..4fdbdbd 100644
+--- a/src/mouse.c
++++ b/src/mouse.c
+@@ -448,74 +448,77 @@ do_mouse(
+
+ start_visual.lnum = 0;
+
+- // Check for clicking in the tab page line.
+- if (mouse_row == 0 && firstwin->w_winrow > 0)
++ if (TabPageIdxs != NULL) // only when initialized
+ {
+- if (is_drag)
++ // Check for clicking in the tab page line.
++ if (mouse_row == 0 && firstwin->w_winrow > 0)
+ {
+- if (in_tab_line)
++ if (is_drag)
+ {
+- c1 = TabPageIdxs[mouse_col];
+- tabpage_move(c1 <= 0 ? 9999 : c1 < tabpage_index(curtab)
+- ? c1 - 1 : c1);
++ if (in_tab_line)
++ {
++ c1 = TabPageIdxs[mouse_col];
++ tabpage_move(c1 <= 0 ? 9999 : c1 < tabpage_index(curtab)
++ ? c1 - 1 : c1);
++ }
++ return FALSE;
+ }
+- return FALSE;
+- }
+
+- // click in a tab selects that tab page
+- if (is_click
++ // click in a tab selects that tab page
++ if (is_click
+ # ifdef FEAT_CMDWIN
+- && cmdwin_type == 0
++ && cmdwin_type == 0
+ # endif
+- && mouse_col < Columns)
+- {
+- in_tab_line = TRUE;
+- c1 = TabPageIdxs[mouse_col];
+- if (c1 >= 0)
++ && mouse_col < Columns)
+ {
+- if ((mod_mask & MOD_MASK_MULTI_CLICK) == MOD_MASK_2CLICK)
+- {
+- // double click opens new page
+- end_visual_mode();
+- tabpage_new();
+- tabpage_move(c1 == 0 ? 9999 : c1 - 1);
+- }
+- else
++ in_tab_line = TRUE;
++ c1 = TabPageIdxs[mouse_col];
++ if (c1 >= 0)
+ {
+- // Go to specified tab page, or next one if not clicking
+- // on a label.
+- goto_tabpage(c1);
+-
+- // It's like clicking on the status line of a window.
+- if (curwin != old_curwin)
++ if ((mod_mask & MOD_MASK_MULTI_CLICK) == MOD_MASK_2CLICK)
++ {
++ // double click opens new page
+ end_visual_mode();
+- }
+- }
+- else
+- {
+- tabpage_T *tp;
++ tabpage_new();
++ tabpage_move(c1 == 0 ? 9999 : c1 - 1);
++ }
++ else
++ {
++ // Go to specified tab page, or next one if not clicking
++ // on a label.
++ goto_tabpage(c1);
+
+- // Close the current or specified tab page.
+- if (c1 == -999)
+- tp = curtab;
++ // It's like clicking on the status line of a window.
++ if (curwin != old_curwin)
++ end_visual_mode();
++ }
++ }
+ else
+- tp = find_tabpage(-c1);
+- if (tp == curtab)
+ {
+- if (first_tabpage->tp_next != NULL)
+- tabpage_close(FALSE);
++ tabpage_T *tp;
++
++ // Close the current or specified tab page.
++ if (c1 == -999)
++ tp = curtab;
++ else
++ tp = find_tabpage(-c1);
++ if (tp == curtab)
++ {
++ if (first_tabpage->tp_next != NULL)
++ tabpage_close(FALSE);
++ }
++ else if (tp != NULL)
++ tabpage_close_other(tp, FALSE);
+ }
+- else if (tp != NULL)
+- tabpage_close_other(tp, FALSE);
+ }
++ return TRUE;
++ }
++ else if (is_drag && in_tab_line)
++ {
++ c1 = TabPageIdxs[mouse_col];
++ tabpage_move(c1 <= 0 ? 9999 : c1 - 1);
++ return FALSE;
+ }
+- return TRUE;
+- }
+- else if (is_drag && in_tab_line)
+- {
+- c1 = TabPageIdxs[mouse_col];
+- tabpage_move(c1 <= 0 ? 9999 : c1 - 1);
+- return FALSE;
+ }
+
+ // When 'mousemodel' is "popup" or "popup_setpos", translate mouse events:
+diff --git a/src/testdir/test_tabline.vim b/src/testdir/test_tabline.vim
+index 383d239..d615429 100644
+--- a/src/testdir/test_tabline.vim
++++ b/src/testdir/test_tabline.vim
+@@ -70,3 +70,17 @@ func Test_redrawtabline()
+ let &showtabline = showtabline_save
+ au! Bufadd
+ endfunc
++
++func Test_mouse_click_in_tab()
++ " This used to crash because TabPageIdxs[] was not initialized
++ let lines =<< trim END
++ tabnew
++ set mouse=a
++ exe "norm \"
++ END
++ call writefile(lines, 'Xclickscript')
++ call RunVim([], [], "-e -s -S Xclickscript -c qa")
++
++ call delete('Xclickscript')
++endfunc
++
+--
+2.27.0
+
diff --git a/vim.spec b/vim.spec
index 40c07f9..80eff2f 100644
--- a/vim.spec
+++ b/vim.spec
@@ -11,7 +11,7 @@
 Name: vim
 Epoch: 2
 Version: 8.2
-Release: 52
+Release: 53
 Summary: Vim is a highly configurable text editor for efficiently creating and changing any kind of text.
 License: Vim and MIT
 URL: http://www.vim.org
@@ -154,6 +154,7 @@ Patch6120: backport-CVE-2022-1725.patch
 Patch6121: backport-CVE-2022-2845.patch
 Patch6122: backport-CVE-2022-2923.patch
 Patch6123: backport-CVE-2022-2946.patch
+Patch6124: backport-CVE-2022-2980.patch
 Patch9000: bugfix-rm-modify-info-version.patch
 Patch9001: remove-failed-tests-due-to-patch.patch
@@ -556,6 +557,12 @@ LC_ALL=en_US.UTF-8 make -j1 test
 %{_mandir}/man1/evim.*
 %changelog
+* Sat Aug 27 2022 shixuantong - 2:8.2-53
+- Type:CVE
+- ID:CVE-2022-2980
+- SUG:NA
+- DESC:fix CVE-2022-2980
+
 * Mon Aug 22 2022 shixuantong - 2:8.2-52
 - Type:CVE
 - ID:CVE-2022-2923 CVE-2022-2946
--
Gitee
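Review bot: The added `if (TabPageIdxs != NULL)` guard in `do_mouse` only covers the uninitialized array; both drag branches on the new side still read `TabPageIdxs[mouse_col]` with no upper bound on `mouse_col`, while the click branch requires `mouse_col < Columns` before its read. If nothing earlier in `do_mouse` clamps `mouse_col` (the function begins and ends outside this hunk, so that cannot be confirmed here), the drag reads would want the same bound, e.g. `if (in_tab_line && mouse_col < Columns)`, and likewise for the `else if (is_drag && in_tab_line)` branch. Because this file is a verbatim upstream backport, that is better checked against upstream and carried as a separate follow-up patch than edited into this one.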