From 0b734ebbd8ac0db4d43e847168913a78e636f7d5 Mon Sep 17 00:00:00 2001
From: dongyuzhen
Date: Mon, 17 Oct 2022 17:42:29 +0800
Subject: [PATCH] fix CVE-2022-3324
---
 backport-CVE-2022-3324.patch | 70 ++++++++++++++++++++++++++++++++++++
 vim.spec | 9 ++++-
 2 files changed, 78 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2022-3324.patch
diff --git a/backport-CVE-2022-3324.patch b/backport-CVE-2022-3324.patch
new file mode 100644
index 0000000..c188726
--- /dev/null
+++ b/backport-CVE-2022-3324.patch
@@ -0,0 +1,70 @@
+From 8279af514ca7e5fd3c31cf13b0864163d1a0bfeb Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar
+Date: Mon, 26 Sep 2022 23:08:22 +0100
+Subject: [PATCH] patch 9.0.0598: using negative array index with negative
+ width window
+
+Problem: Using negative array index with negative width window.
+Solution: Make sure the window width does not become negative.
+---
+ src/testdir/test_cmdline.vim | 22 ++++++++++++++++++++++
+ src/window.c | 5 ++++-
+ 2 files changed, 26 insertions(+), 1 deletion(-)
+
+diff --git a/src/testdir/test_cmdline.vim b/src/testdir/test_cmdline.vim
+index c442d7f..0c8b3dd 100644
+--- a/src/testdir/test_cmdline.vim
++++ b/src/testdir/test_cmdline.vim
+@@ -962,4 +962,26 @@ func Test_cmdwin_freed_buffer_ptr()
+ bwipe!
+ endfunc
+ 
++" This was resulting in a window with negative width.
++" The test doesn't reproduce the illegal memory access though...
++func Test_cmdwin_split_often()
++ let lines = &lines
++ let columns = &columns
++ set t_WS=
++
++ try
++ set encoding=iso8859
++ set ruler
++ winsize 0 0
++ noremap 0 H
++ sil norm 0000000q:
++ catch /E36:/
++ endtry
++
++ bwipe!
++ set encoding=utf8
++ let &lines = lines
++ let &columns = columns
++endfunc
++
+ " vim: shiftwidth=2 sts=2 expandtab
+diff --git a/src/window.c b/src/window.c
+index e0df540..42e2742 100644
+--- a/src/window.c
++++ b/src/window.c
+@@ -2045,6 +2045,8 @@ win_equal_rec(
+ if (hnc) // add next_curwin size
+ {
+ next_curwin_size -= p_wiw - (m - n);
++ if (next_curwin_size < 0)
++ next_curwin_size = 0;
+ new_size += next_curwin_size;
+ room -= new_size - next_curwin_size;
+ }
+@@ -6180,7 +6182,8 @@ scroll_to_fraction(win_T *wp, int prev_height)
+ void
+ win_new_width(win_T *wp, int width)
+ {
+- wp->w_width = width;
++ // Should we give an error if width < 0?
++ wp->w_width = width < 0 ? 0 : width;
+ wp->w_lines_valid = 0;
+ changed_line_abv_curs_win(wp);
+ invalidate_botline_win(wp);
+--
+2.27.0
+
diff --git a/vim.spec b/vim.spec
index 7fbeacf..0937b46 100644
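Review bot: The test added in the inner test_cmdline.vim hunk does not exercise the fix — its own comment says it doesn't reproduce the illegal memory access — so a lost or fuzz-misplaced clamp in window.c would still pass this backport's test run; adding `call assert_true(winwidth(0) >= 0)` after the `endtry` would at least pin the invariant the patch establishes. In win_new_width, `wp->w_width = width < 0 ? 0 : width;` silently hides whichever caller computed a negative width, and the carried-over `// Should we give an error if width < 0?` leaves that unresolved; a comment such as `// Clamp to 0: a negative width is later used as an array index (CVE-2022-3324)` would record why 0 is the safe floor rather than leaving the question open. Since this is a 9.0.0598 patch applied to an 8.2 tree, the hunk offsets (lines 962, 2045, 6182) are unlikely to match exactly, so confirming that the spec's patch step applies both window.c hunks without rejects is worth a check. Both C hunks cut through win_equal_rec and win_new_width, whose bodies continue outside the patch.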
--- a/vim.spec
+++ b/vim.spec
@@ -12,7 +12,7 @@
 Name: vim
 Epoch: 2
 Version: 8.2
-Release: 70
+Release: 71
 Summary: Vim is a highly configurable text editor for efficiently creating and changing any kind of text.
 License: Vim and MIT
 URL: http://www.vim.org
@@ -192,6 +192,7 @@ Patch6150: backport-CVE-2022-3352.patch
 Patch6151: backport-CVE-2022-3296.patch
 Patch6152: backport-CVE-2022-3297.patch
 Patch6153: backport-9.0.0581-adding-a-character-for-incsearch-fails-at-end-of-line.patch
+Patch6154: backport-CVE-2022-3324.patch
 
 BuildRequires: autoconf python3-devel ncurses-devel gettext perl-devel perl-generators gcc
 BuildRequires: perl(ExtUtils::Embed) perl(ExtUtils::ParseXS) libacl-devel gpm-devel file
@@ -581,6 +582,12 @@ LC_ALL=en_US.UTF-8 make -j1 test
 %{_mandir}/man1/evim.*
 
 %changelog
+* Mon Oct 17 2022 dongyuzhen - 2:8.2-71
+- Type:CVE
+- ID:CVE-2022-3324
+- SUG:NA
+- DESC:fix CVE-2022-3324
+
 * Fri Oct 14 2022 wangjiang - 2:8.2-70
 - Type:CVE
 - ID:CVE-2022-3297
-- 
Gitee