diff --git a/backport-CVE-2021-3903.patch b/backport-CVE-2021-3903.patch
new file mode 100644
index 0000000000000000000000000000000000000000..98f34c5fb3dd674e33e9e2e4fc85035c28ad6d1e
--- /dev/null
+++ b/backport-CVE-2021-3903.patch
@@ -0,0 +1,78 @@
+From 777e7c21b7627be80961848ac560cb0a9978ff43 Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar
+Date: Mon, 25 Oct 2021 17:07:04 +0100
+Subject: [PATCH] patch 8.2.3564: invalid memory access when scrolling without
+ valid screen
+
+Problem: Invalid memory access when scrolling without a valid screen.
+Solution: Do not set VALID_BOTLINE in w_valid.
+---
+ src/move.c | 1 -
+ src/testdir/test_normal.vim | 22 +++++++++++++++++++---
+ 2 files changed, 19 insertions(+), 4 deletions(-)
+
+diff --git a/src/move.c b/src/move.c
+index 8e53d8b..10165ef 100644
+--- a/src/move.c
++++ b/src/move.c
+@@ -198,7 +198,6 @@ update_topline(void)
+ {
+ curwin->w_topline = curwin->w_cursor.lnum;
+ curwin->w_botline = curwin->w_topline;
+- curwin->w_valid |= VALID_BOTLINE|VALID_BOTLINE_AP;
+ curwin->w_scbind_pos = 1;
+ return;
+ }
+diff --git a/src/testdir/test_normal.vim b/src/testdir/test_normal.vim
+index d45cf41..1f0088a 100644
+--- a/src/testdir/test_normal.vim
++++ b/src/testdir/test_normal.vim
+@@ -33,14 +33,14 @@ func CountSpaces(type, ...)
+ else
+ silent exe "normal! `[v`]y"
+ endif
+- let g:a=strlen(substitute(@@, '[^ ]', '', 'g'))
++ let g:a = strlen(substitute(@@, '[^ ]', '', 'g'))
+ let &selection = sel_save
+ let @@ = reg_save
+ endfunc
+
+ func OpfuncDummy(type, ...)
+ " for testing operatorfunc
+- let g:opt=&linebreak
++ let g:opt = &linebreak
+
+ if a:0 " Invoked from Visual mode, use gv command.
+ silent exe "normal! gvy"
+@@ -51,7 +51,7 @@ func OpfuncDummy(type, ...)
+ endif
+ " Create a new dummy window
+ new
+- let g:bufnr=bufnr('%')
++ let g:bufnr = bufnr('%')
+ endfunc
+
+ fun! Test_normal00_optrans()
+@@ -2705,3 +2705,19 @@ func Test_normal_gk()
+ bw!
+ set cpoptions& number& numberwidth&
+ endfunc
++
++func Test_scroll_in_ex_mode()
++ " This was using invalid memory because w_botline was invalid.
++ let lines =<< trim END
++ diffsplit
++ norm os00(
++ call writefile(['done'], 'Xdone')
++ qa!
++ END ++ call writefile(lines, 'Xscript') ++ call assert_equal(1, RunVim([], [], '--clean -X -Z -e -s -S Xscript')) ++ call assert_equal(['done'], readfile('Xdone')) ++ ++ call delete('Xscript') ++ call delete('Xdone') ++endfunc +-- +1.8.3.1 + diff --git a/vim.spec b/vim.spec index b03d97126bf44fe0fe356bcffd54523b62c2b5d8..4753c8b6df872c5ef517cffd694ef340df1367b1 100644 --- a/vim.spec +++ b/vim.spec @@ -11,7 +11,7 @@ Name: vim Epoch: 2 Version: 8.2 -Release: 4 +Release: 5 Summary: Vim is a highly configurable text editor for efficiently creating and changing any kind of text. License: Vim and MIT URL: http://www.vim.org @@ -37,6 +37,7 @@ Patch6003: backport-CVE-2021-3778.patch Patch6004: backport-CVE-2021-3796.patch Patch6005: backport-CVE-2021-3872.patch Patch6006: backport-CVE-2021-3875.patch +Patch6007: backport-CVE-2021-3903.patch Patch9000: bugfix-rm-modify-info-version.patch @@ -425,6 +426,12 @@ popd %{_mandir}/man1/evim.* %changelog +* Sat Oct 30 2021 shixuantong - 2:8.2-5 +- Type:CVE +- ID:CVE-2021-3903 +- SUG:NA +- DESC:fix CVE-2021-3903 + * Sat Oct 23 2021 shixuantong - 2:8.2-4 - Type:CVE - ID:CVE-2021-3872 CVE-2021-3875
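Review bot: Test_scroll_in_ex_mode in the backported patch is the only check that the src/move.c change is effective, and it passes whenever the child Vim reaches `qa!` and writes Xdone, so on a build without a memory checker an invalid read that does not fault would presumably go unnoticed. It would be worth running this test once against the patched package under ASan or valgrind before relying on it, since whether %check exercises src/testdir is not visible in this diff. The update_topline() body starts and ends outside the inner hunk, so the condition guarding the early return cannot be confirmed from here. For traceability the changelog entry could name the upstream patch, e.g. `- DESC:fix CVE-2021-3903 (upstream patch 8.2.3564)`.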