diff --git a/backport-CVE-2022-2980.patch b/backport-CVE-2022-2980.patch
new file mode 100644
index 0000000000000000000000000000000000000000..318ae89526436b10dc9c0be69b8fc7f265ef51b4
--- /dev/null
+++ b/backport-CVE-2022-2980.patch
@@ -0,0 +1,172 @@
+From 80525751c5ce9ed82c41d83faf9ef38667bf61b1 Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar
+Date: Wed, 24 Aug 2022 19:27:45 +0100
+Subject: [PATCH] patch 9.0.0259: crash with mouse click when not initialized
+
+Problem: Crash with mouse click when not initialized.
+Solution: Check TabPageIdxs[] is not NULL.
+---
+ src/mouse.c | 107 ++++++++++++++++++++++---------------------
+ src/testdir/test_tabline.vim | 14 ++++++
+ 2 files changed, 69 insertions(+), 52 deletions(-)
+
+diff --git a/src/mouse.c b/src/mouse.c
+index c39f614..12895f8 100644
+--- a/src/mouse.c
++++ b/src/mouse.c
+@@ -471,74 +471,77 @@ do_mouse(
+
+ start_visual.lnum = 0;
+
+- // Check for clicking in the tab page line.
+- if (mouse_row == 0 && firstwin->w_winrow > 0)
++ if (TabPageIdxs != NULL) // only when initialized
+ {
+- if (is_drag)
++ // Check for clicking in the tab page line.
++ if (mouse_row == 0 && firstwin->w_winrow > 0)
+ {
+- if (in_tab_line)
++ if (is_drag)
+ {
+- c1 = TabPageIdxs[mouse_col];
+- tabpage_move(c1 <= 0 ? 9999 : c1 < tabpage_index(curtab)
+- ? c1 - 1 : c1);
++ if (in_tab_line)
++ {
++ c1 = TabPageIdxs[mouse_col];
++ tabpage_move(c1 <= 0 ? 9999 : c1 < tabpage_index(curtab)
++ ? c1 - 1 : c1);
++ }
++ return FALSE;
+ }
+- return FALSE;
+- }
+
+- // click in a tab selects that tab page
+- if (is_click
++ // click in a tab selects that tab page
++ if (is_click
+ # ifdef FEAT_CMDWIN
+- && cmdwin_type == 0
++ && cmdwin_type == 0
+ # endif
+- && mouse_col < Columns)
+- {
+- in_tab_line = TRUE;
+- c1 = TabPageIdxs[mouse_col];
+- if (c1 >= 0)
++ && mouse_col < Columns)
+ {
+- if ((mod_mask & MOD_MASK_MULTI_CLICK) == MOD_MASK_2CLICK)
+- {
+- // double click opens new page
+- end_visual_mode_keep_button();
+- tabpage_new();
+- tabpage_move(c1 == 0 ? 9999 : c1 - 1);
+- }
+- else
++ in_tab_line = TRUE;
++ c1 = TabPageIdxs[mouse_col];
++ if (c1 >= 0)
+ {
+- // Go to specified tab page, or next one if not clicking
+- // on a label.
+- goto_tabpage(c1);
+-
+- // It's like clicking on the status line of a window.
+- if (curwin != old_curwin)
++ if ((mod_mask & MOD_MASK_MULTI_CLICK) == MOD_MASK_2CLICK)
++ {
++ // double click opens new page
+ end_visual_mode_keep_button();
+- }
+- }
+- else
+- {
+- tabpage_T *tp;
++ tabpage_new();
++ tabpage_move(c1 == 0 ? 9999 : c1 - 1);
++ }
++ else
++ {
++ // Go to specified tab page, or next one if not clicking
++ // on a label.
++ goto_tabpage(c1);
+
+- // Close the current or specified tab page.
+- if (c1 == -999)
+- tp = curtab;
++ // It's like clicking on the status line of a window.
++ if (curwin != old_curwin)
++ end_visual_mode_keep_button();
++ }
++ }
+ else
+- tp = find_tabpage(-c1);
+- if (tp == curtab)
+ {
+- if (first_tabpage->tp_next != NULL)
+- tabpage_close(FALSE);
++ tabpage_T *tp;
++
++ // Close the current or specified tab page.
++ if (c1 == -999)
++ tp = curtab;
++ else
++ tp = find_tabpage(-c1);
++ if (tp == curtab)
++ {
++ if (first_tabpage->tp_next != NULL)
++ tabpage_close(FALSE);
++ }
++ else if (tp != NULL)
++ tabpage_close_other(tp, FALSE);
+ }
+- else if (tp != NULL)
+- tabpage_close_other(tp, FALSE);
+ }
++ return TRUE;
++ }
++ else if (is_drag && in_tab_line)
++ {
++ c1 = TabPageIdxs[mouse_col];
++ tabpage_move(c1 <= 0 ? 9999 : c1 - 1);
++ return FALSE;
+ }
+- return TRUE;
+- }
+- else if (is_drag && in_tab_line)
+- {
+- c1 = TabPageIdxs[mouse_col];
+- tabpage_move(c1 <= 0 ?
9999 : c1 - 1);
+- return FALSE;
+ }
+
+ // When 'mousemodel' is "popup" or "popup_setpos", translate mouse events:
+diff --git a/src/testdir/test_tabline.vim b/src/testdir/test_tabline.vim
+index e58a412..556b859 100644
+--- a/src/testdir/test_tabline.vim
++++ b/src/testdir/test_tabline.vim
+@@ -147,4 +147,18 @@ func Test_tabline_20_format_items_no_overrun()
+ set showtabline& tabline&
+ endfunc
+
++func Test_mouse_click_in_tab()
++ " This used to crash because TabPageIdxs[] was not initialized
++ let lines =<< trim END
++ tabnew
++ set mouse=a
++ exe "norm \"
++ END
++ call writefile(lines, 'Xclickscript')
++ call RunVim([], [], "-e -s -S Xclickscript -c qa")
++
++ call delete('Xclickscript')
++endfunc
++
++
+ " vim: shiftwidth=2 sts=2 expandtab
+--
+1.8.3.1
+
diff --git a/backport-CVE-2022-2982.patch b/backport-CVE-2022-2982.patch
new file mode 100644
index 0000000000000000000000000000000000000000..70ddb8af304943f43528b337fb1b5251ccf03dc4
--- /dev/null
+++ b/backport-CVE-2022-2982.patch
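Review bot: Both drag paths in the re-indented block, `c1 = TabPageIdxs[mouse_col];` under `if (is_drag)` and again under `else if (is_drag && in_tab_line)`, index the table without the `mouse_col < Columns` bound that the click path applies a few lines above them; if TabPageIdxs holds Columns entries and a drag event can arrive with mouse_col at or past that, the read is out of bounds. This is pre-existing rather than introduced by the backport, and mouse_col may already be clamped before do_mouse() runs, so it needs confirming rather than fixing blind. If it is not clamped, extending both drag conditions to `if (in_tab_line && mouse_col < Columns)` and `else if (is_drag && in_tab_line && mouse_col < Columns)` closes the gap cheaply. do_mouse() starts and ends outside the hunk.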
@@ -0,0 +1,73 @@
+From d6c67629ed05aae436164eec474832daf8ba7420 Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar
+Date: Wed, 24 Aug 2022 20:07:22 +0100
+Subject: [PATCH] patch 9.0.0260: using freed memory when usinger
+ 'quickfixtextfunc' recursivelyxe
+
+Problem: Using freed memory when using 'quickfixtextfunc' recursively.
+Solution: Do not allow for recursion.
+---
+ src/quickfix.c | 9 +++++++++
+ src/testdir/test_quickfix.vim | 13 +++++++++++++
+ 2 files changed, 22 insertions(+)
+
+diff --git a/src/quickfix.c b/src/quickfix.c
+index c37caa5..5547233 100644
+--- a/src/quickfix.c
++++ b/src/quickfix.c
+@@ -4656,6 +4656,11 @@ call_qftf_func(qf_list_T *qfl, int qf_winid, long start_idx, long end_idx)
+ {
+ callback_T *cb = &qftf_cb;
+ list_T *qftf_list = NULL;
++ static int recursive = FALSE;
++
++ if (recursive)
++ return NULL; // this doesn't work properly recursively
++ recursive = TRUE;
+
+ // If 'quickfixtextfunc' is set, then use the user-supplied function to get
+ // the text to display. Use the local value of 'quickfixtextfunc' if it is
+@@ -4670,7 +4675,10 @@ call_qftf_func(qf_list_T *qfl, int qf_winid, long start_idx, long end_idx)
+
+ // create the dict argument
+ if ((d = dict_alloc_lock(VAR_FIXED)) == NULL)
++ {
++ recursive = FALSE;
+ return NULL;
++ }
+ dict_add_number(d, "quickfix", (long)IS_QF_LIST(qfl));
+ dict_add_number(d, "winid", (long)qf_winid);
+ dict_add_number(d, "id", (long)qfl->qf_id);
+@@ -4693,6 +4701,7 @@ call_qftf_func(qf_list_T *qfl, int qf_winid, long start_idx, long end_idx)
+ dict_unref(d);
+ }
+
++ recursive = FALSE;
+ return qftf_list;
+ }
+
+diff --git a/src/testdir/test_quickfix.vim b/src/testdir/test_quickfix.vim
+index 182d570..46b2cb6 100644
+--- a/src/testdir/test_quickfix.vim
++++ b/src/testdir/test_quickfix.vim
+@@ -6334,4 +6334,17 @@ func Test_qflist_statusmsg()
+ %bw!
+ endfunc
+
++func Test_quickfixtextfunc_recursive()
++ func s:QFTfunc(o)
++ cgete '0'
++ endfunc
++ copen
++ let &quickfixtextfunc = 's:QFTfunc'
++ cex ""
++
++ let &quickfixtextfunc = ''
++ cclose
++endfunc
++
++
+ " vim: shiftwidth=2 sts=2 expandtab
+--
+2.36.1
+
diff --git a/vim.spec b/vim.spec
index 9d16f304494ba6a1dc562c3c7376537b55cb9b59..23a6c6c788f7494086d859af44b5ba29e8cbfb1a 100644
--- a/vim.spec
+++ b/vim.spec
@@ -12,7 +12,7 @@ Name: vim
 Epoch: 2
 Version: 9.0
-Release: 8
+Release: 9
 Summary: Vim is a highly configurable text editor for efficiently creating and changing any kind of text.
 License: Vim and MIT
 URL: http://www.vim.org
@@ -56,6 +56,8 @@ Patch6025: backport-CVE-2022-2874.patch
 Patch6026: backport-CVE-2022-2889.patch
 Patch6027: backport-CVE-2022-2923.patch
 Patch6028: backport-CVE-2022-2946.patch
+Patch6029: backport-CVE-2022-2980.patch
+Patch6030: backport-CVE-2022-2982.patch
 Patch9000: bugfix-rm-modify-info-version.patch
@@ -454,6 +456,12 @@ LC_ALL=en_US.UTF-8 make -j1 test
 %{_mandir}/man1/evim.*
 %changelog
+* Sat Aug 27 2022 shixuantong - 2:9.0-9
+- Type:CVE
+- ID:CVE-2022-2980 CVE-2022-2982
+- SUG:NA
+- DESC:fix CVE-2022-2980 CVE-2022-2982
+
 * Sat Aug 27 2022 shixuantong - 2:9.0-8
 - Type:enhancement
 - ID:NA
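Review bot: `recursive` is set to TRUE at the top of call_qftf_func() and cleared only on the two paths visible in the quickfix.c hunks, the dict_alloc_lock() failure and the final `return qftf_list;`; any other early return in the unshown lines between the first and second hunk would leave it stuck at TRUE and silently disable 'quickfixtextfunc' for the rest of the session. Since this is a backport applied against base c37caa5 rather than the upstream tree, it is worth confirming that region has no such return. The new Test_quickfixtextfunc_recursive() covers the crash but does not check that 'quickfixtextfunc' still takes effect afterwards, which is exactly what a stuck flag would break. call_qftf_func() starts and ends outside the visible hunks.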