diff --git a/backport-CVE-2022-0351.patch b/backport-CVE-2022-0351.patch index a9096830b8ed7a9fed026e25661da94c3dc972d9..fdda8ed5ccb5466b5ef2e88e891313b74d9ce653 100644 --- a/backport-CVE-2022-0351.patch +++ b/backport-CVE-2022-0351.patch @@ -71,7 +71,7 @@ index ec566da..32a5411 100644 + +func Test_deep_recursion() + " this was running out of stack -+ call assert_fails("exe 'if ' .. repeat('(', 1002)", 'E1169: Expression too recursive: ((')+endfunc ++ call assert_fails("exe 'if ' .. repeat('(', 1002)", 'E1169: Expression too recursive: ((') +endfunc -- 1.8.3.1 diff --git a/backport-CVE-2022-3099.patch b/backport-CVE-2022-3099.patch new file mode 100644 index 0000000000000000000000000000000000000000..ff420a428d421de2608d3f2aa46f895e5283c988 --- /dev/null +++ b/backport-CVE-2022-3099.patch @@ -0,0 +1,57 @@ +From 35d21c6830fc2d68aca838424a0e786821c5891c Mon Sep 17 00:00:00 2001 +From: Bram Moolenaar +Date: Fri, 2 Sep 2022 16:47:16 +0100 +Subject: [PATCH] patch 9.0.0360: crash when invalid line number on :for is + ignored + +Problem: Crash when invalid line number on :for is ignored. +Solution: Do not check breakpoint for non-existing line. +--- + src/ex_docmd.c | 2 +- + src/testdir/test_eval_stuff.vim | 13 +++++++++++++ + 2 files changed, 14 insertions(+), 1 deletion(-) + +diff --git a/src/ex_docmd.c b/src/ex_docmd.c +index ae1f195..0b6b217 100644 +--- a/src/ex_docmd.c ++++ b/src/ex_docmd.c +@@ -1068,7 +1068,7 @@ do_cmdline( + + // Check for the next breakpoint at or after the ":while" + // or ":for". +- if (breakpoint != NULL) ++ if (breakpoint != NULL && lines_ga.ga_len > current_line) + { + *breakpoint = dbg_find_breakpoint( + getline_equal(fgetline, cookie, getsourceline), +diff --git a/src/testdir/test_eval_stuff.vim b/src/testdir/test_eval_stuff.vim +index 313d791..934286b 100644 +--- a/src/testdir/test_eval_stuff.vim ++++ b/src/testdir/test_eval_stuff.vim +@@ -1,5 +1,7 @@ + " Tests for various eval things. + ++source shared.vim ++ + function s:foo() abort + try + return [] == 0 +@@ -221,3 +223,15 @@ func Test_deep_recursion() + " this was running out of stack + call assert_fails("exe 'if ' .. repeat('(', 1002)", 'E1169: Expression too recursive: ((') + endfunc ++ ++func Test_for_invalid_line_count() ++ let lines =<< trim END ++ 111111111111111111111111 for line in ['one'] ++ endfor ++ END ++ call writefile(lines, 'XinvalidFor') ++ " only test that this doesn't crash ++ call RunVim([], [], '-u NONE -e -s -S XinvalidFor -c qa') ++ ++ call delete('XinvalidFor') ++endfunc +-- +1.8.3.1 + diff --git a/vim.spec b/vim.spec index 917b6048be28bcbaf0228d2721fc9089302fba62..19a6e0f013bb84116bc62b2d22e3601337abbbc0 100644 --- a/vim.spec +++ b/vim.spec @@ -12,7 +12,7 @@ Name: vim Epoch: 2 Version: 8.2 -Release: 62 +Release: 63 Summary: Vim is a highly configurable text editor for efficiently creating and changing any kind of text. License: Vim and MIT URL: http://www.vim.org @@ -169,6 +169,7 @@ Patch6132: backport-CVE-2022-2946.patch Patch6133: backport-CVE-2022-2980.patch Patch6134: backport-patch-8.2.1677-memory-access-errors-when-calling-set.patch Patch6135: backport-CVE-2022-3016.patch +Patch6136: backport-CVE-2022-3099.patch Patch9000: bugfix-rm-modify-info-version.patch @@ -557,6 +558,12 @@ popd %{_mandir}/man1/evim.* %changelog +* Thu Sep 08 2022 renhongxun - 2:8.2-63 +- Type:CVE +- ID:CVE-2022-3099 +- SUG:NA +- DESC:fix CVE-2022-3099 + * Mon Aug 29 2022 shixuantong - 2:8.2-62 - Type:CVE - ID:CVE-2022-3016