From 79f2104080674872a77920ae3c35e3a1d4dabb43 Mon Sep 17 00:00:00 2001
From: wangjiang
Date: Thu, 8 Dec 2022 10:36:27 +0800
Subject: [PATCH] fix CVE-2022-4292 CVE-2022-4293
---
backport-CVE-2022-4292.patch | 55 +++++++
backport-CVE-2022-4293.patch | 55 +++++++
...n-calling-setcursorch-with-zero-lnum.patch | 137 ++++++++++++++++++
vim.spec | 11 +-
4 files changed, 257 insertions(+), 1 deletion(-)
create mode 100644 backport-CVE-2022-4292.patch
create mode 100644 backport-CVE-2022-4293.patch
create mode 100644 backport-patch-9.0.0712-wrong-column-when-calling-setcursorch-with-zero-lnum.patch
diff --git a/backport-CVE-2022-4292.patch b/backport-CVE-2022-4292.patch
new file mode 100644
index 0000000..8d3458a
--- /dev/null
+++ b/backport-CVE-2022-4292.patch
@@ -0,0 +1,55 @@ +From c3d27ada14acd02db357f2d16347acc22cb17e93 Mon Sep 17 00:00:00 2001 +From: Bram Moolenaar +Date: Mon, 14 Nov 2022 20:52:14 +0000 +Subject: [PATCH] patch 9.0.0882: using freed memory after SpellFileMissing + autocmd uses bwipe + +Problem: Using freed memory after SpellFileMissing autocmd uses bwipe. +Solution: Bail out if the window no longer exists. +--- + src/spell.c | 4 ++-- + src/testdir/test_spell.vim | 13 +++++++++++++ + 2 files changed, 15 insertions(+), 2 deletions(-) + +diff --git a/src/spell.c b/src/spell.c +index 3664425..d204a95 100644 +--- a/src/spell.c ++++ b/src/spell.c +@@ -2101,8 +2101,8 @@ did_set_spelllang(win_T *wp) + { + spell_load_lang(lang); + // SpellFileMissing autocommands may do anything, including +- // destroying the buffer we are using... +- if (!bufref_valid(&bufref)) ++ // destroying the buffer we are using or closing the window. ++ if (!bufref_valid(&bufref) || !win_valid_any_tab(wp)) + { + ret_msg = N_(e_spellfilemising_autocommand_deleted_buffer); + goto theend; +diff --git a/src/testdir/test_spell.vim b/src/testdir/test_spell.vim +index bc948b0..33f0931 100644 +--- a/src/testdir/test_spell.vim ++++ b/src/testdir/test_spell.vim +@@ -157,6 +157,19 @@ func Test_spell_file_missing() + %bwipe! + endfunc + ++func Test_spell_file_missing_bwipe() ++ " this was using a window that was wiped out in a SpellFileMissing autocmd ++ set spelllang=xy ++ au SpellFileMissing * n0 ++ set spell ++ au SpellFileMissing * bw ++ snext somefile ++ ++ au! SpellFileMissing ++ bwipe! ++ set nospell spelllang=en ++endfunc ++ + func Test_spelldump() + " In case the spell file is not found avoid getting the download dialog, we + " would get stuck at the prompt. +-- +2.33.0 + diff --git a/backport-CVE-2022-4293.patch b/backport-CVE-2022-4293.patch new file mode 100644 index 0000000..5d28c6c --- /dev/null +++ b/backport-CVE-2022-4293.patch 
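Review bot: The new `!win_valid_any_tab(wp)` branch in did_set_spelllang() reuses `e_spellfilemising_autocommand_deleted_buffer`, so a SpellFileMissing autocommand that only closes the window is reported as having deleted the buffer; a comment on the `ret_msg` line, `// also reached when the autocommand closed the window`, or a dedicated message would keep the error honest. Because the autocommand may already have freed `wp`, nothing between `spell_load_lang(lang)` and this check may dereference it, and the check itself is only safe if `win_valid_any_tab()` compares pointers without touching `*wp`, which is presumably the case but is not visible here; stating that in the comment protects the backport against later edits in this window. did_set_spelllang() starts and ends outside the hunk.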
@@ -0,0 +1,55 @@ +From cdef1cefa2a440911c727558562f83ed9b00e16b Mon Sep 17 00:00:00 2001 +From: Bram Moolenaar +Date: Thu, 20 Oct 2022 14:17:18 +0100 +Subject: [PATCH] patch 9.0.0804: crash when trying to divide a number by -1 + +Problem: Crash when trying to divice the largest negative number by -1. +Solution: Handle this case specifically. +--- + src/eval.c | 8 +++++++- + src/testdir/test_expr.vim | 6 ++++++ + 2 files changed, 13 insertions(+), 1 deletion(-) + +diff --git a/src/eval.c b/src/eval.c +index 1652fcb4ae48..062fab0ac949 100644 +--- a/src/eval.c ++++ b/src/eval.c +@@ -82,6 +82,12 @@ num_divide(varnumber_T n1, varnumber_T n2, int *failed) + else + result = VARNUM_MAX; + } ++ else if (n1 == VARNUM_MIN && n2 == -1) ++ { ++ // specific case: trying to do VARNUM_MIN / -1 results in a positive ++ // number that doesn't fit in varnumber_T and causes an FPE ++ result = VARNUM_MAX; ++ } + else + result = n1 / n2; + +@@ -5906,7 +5912,7 @@ var2fpos( + } + + /* +- * Convert list in "arg" into position "psop" and optional file number "fnump". ++ * Convert list in "arg" into position "posp" and optional file number "fnump". + * When "fnump" is NULL there is no file number, only 3 items: [lnum, col, off] + * Note that the column is passed on as-is, the caller may want to decrement + * it to use 1 for the first column. +diff --git a/src/testdir/test_expr.vim b/src/testdir/test_expr.vim +index b47896340f60..e1fed369b747 100644 +--- a/src/testdir/test_expr.vim ++++ b/src/testdir/test_expr.vim +@@ -764,6 +764,12 @@ func Test_eval_after_if() + call assert_equal('b', s:val) + endfunc + ++func Test_divide_by_zero() ++ " only tests that this doesn't crash, the result is not important ++ echo 0 / 0 ++ echo 0 / 0 / -1 ++endfunc ++ + " Test for command-line completion of expressions + func Test_expr_completion() + CheckFeature cmdline_compl 
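Review bot: The `VARNUM_MIN / -1` guard in num_divide() is correct, but the added Test_divide_by_zero only reaches it indirectly, by relying on `0 / 0` producing VARNUM_MIN in the `n2 == 0` branch above the hunk; pinning the case directly with something like `call assert_equal(9223372036854775807, (-9223372036854775807 - 1) / -1)` keeps the test meaningful if that fallback value ever changes. The same hardware trap exists for `%` with a divisor of -1, so the modulus counterpart of this function should be checked for an equivalent `n2 == -1` guard; it is not visible in this hunk. The unrelated `psop` to `posp` comment hunk near var2fpos() is carried along from upstream and is presumably why this backport only applies after patch 9.0.0712. num_divide() begins outside the hunk.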
diff --git a/backport-patch-9.0.0712-wrong-column-when-calling-setcursorch-with-zero-lnum.patch b/backport-patch-9.0.0712-wrong-column-when-calling-setcursorch-with-zero-lnum.patch
new file mode 100644
index 0000000..91faeb4
--- /dev/null
+++ b/backport-patch-9.0.0712-wrong-column-when-calling-setcursorch-with-zero-lnum.patch
@@ -0,0 +1,137 @@ +From 79f234499b6692cc16970b7455bc9b002242632f Mon Sep 17 00:00:00 2001 +From: Bram Moolenaar +Date: Mon, 10 Oct 2022 12:42:57 +0100 +Subject: [PATCH] patch 9.0.0712: wrong column when calling setcursorcharpos() + with zero lnum + +Problem: Wrong column when calling setcursorcharpos() with zero lnum. +Solution: Set the line number before calling buf_charidx_to_byteidx(). + (closes #11329) +--- + src/eval.c | 10 +++++++--- + src/evalfunc.c | 26 ++++++++++++++------------ + src/testdir/test_cursor_func.vim | 6 ++++++ + 3 files changed, 27 insertions(+), 15 deletions(-) + +diff --git a/src/eval.c b/src/eval.c +index 8df374a..cbd4740 100644 +--- a/src/eval.c ++++ b/src/eval.c +@@ -5906,10 +5906,12 @@ var2fpos( + } + + /* +- * Convert list in "arg" into a position and optional file number. +- * When "fnump" is NULL there is no file number, only 3 items. ++ * Convert list in "arg" into position "psop" and optional file number "fnump". ++ * When "fnump" is NULL there is no file number, only 3 items: [lnum, col, off] + * Note that the column is passed on as-is, the caller may want to decrement + * it to use 1 for the first column. ++ * If "charcol" is TRUE use the column as the character index instead of the ++ * byte index. + * Return FAIL when conversion is not possible, doesn't check the position for + * validity. + */ +@@ -5952,6 +5954,7 @@ list2fpos( + if (n < 0) + return FAIL; + // If character position is specified, then convert to byte position ++ // If the line number is zero use the cursor line. + if (charcol) + { + buf_T *buf; +@@ -5961,7 +5964,8 @@ list2fpos( + if (buf == NULL || buf->b_ml.ml_mfp == NULL) + return FAIL; + +- n = buf_charidx_to_byteidx(buf, posp->lnum, n) + 1; ++ n = buf_charidx_to_byteidx(buf, ++ posp->lnum == 0 ? 
curwin->w_cursor.lnum : posp->lnum, n) + 1; + } + posp->col = n; + +diff --git a/src/evalfunc.c b/src/evalfunc.c +index cb12a46..2703865 100644 +--- a/src/evalfunc.c ++++ b/src/evalfunc.c +@@ -3484,7 +3484,7 @@ f_copy(typval_T *argvars, typval_T *rettv) + static void + set_cursorpos(typval_T *argvars, typval_T *rettv, int charcol) + { +- long line, col; ++ long lnum, col; + long coladd = 0; + int set_curswant = TRUE; + +@@ -3506,7 +3506,7 @@ set_cursorpos(typval_T *argvars, typval_T *rettv, int charcol) + emsg(_(e_invalid_argument)); + return; + } +- line = pos.lnum; ++ lnum = pos.lnum; + col = pos.col; + coladd = pos.coladd; + if (curswant >= 0) +@@ -3515,17 +3515,19 @@ set_cursorpos(typval_T *argvars, typval_T *rettv, int charcol) + set_curswant = FALSE; + } + } +- else if ((argvars[0].v_type == VAR_NUMBER || +- argvars[0].v_type == VAR_STRING) +- && (argvars[1].v_type == VAR_NUMBER || +- argvars[1].v_type == VAR_STRING)) ++ else if ((argvars[0].v_type == VAR_NUMBER ++ || argvars[0].v_type == VAR_STRING) ++ && (argvars[1].v_type == VAR_NUMBER ++ || argvars[1].v_type == VAR_STRING)) + { +- line = tv_get_lnum(argvars); +- if (line < 0) ++ lnum = tv_get_lnum(argvars); ++ if (lnum < 0) + semsg(_(e_invalid_argument_str), tv_get_string(&argvars[0])); ++ else if (lnum == 0) ++ lnum = curwin->w_cursor.lnum; + col = (long)tv_get_number_chk(&argvars[1], NULL); + if (charcol) +- col = buf_charidx_to_byteidx(curbuf, line, col) + 1; ++ col = buf_charidx_to_byteidx(curbuf, lnum, col) + 1; + if (argvars[2].v_type != VAR_UNKNOWN) + coladd = (long)tv_get_number_chk(&argvars[2], NULL); + } +@@ -3534,10 +3536,10 @@ set_cursorpos(typval_T *argvars, typval_T *rettv, int charcol) + emsg(_(e_invalid_argument)); + return; + } +- if (line < 0 || col < 0 || coladd < 0) ++ if (lnum < 0 || col < 0 || coladd < 0) + return; // type error; errmsg already given +- if (line > 0) +- curwin->w_cursor.lnum = line; ++ if (lnum > 0) ++ curwin->w_cursor.lnum = lnum; + if (col > 0) + 
curwin->w_cursor.col = col - 1; + curwin->w_cursor.coladd = coladd; +diff --git a/src/testdir/test_cursor_func.vim b/src/testdir/test_cursor_func.vim +index d5f0ac7..d2685ed 100644 +--- a/src/testdir/test_cursor_func.vim ++++ b/src/testdir/test_cursor_func.vim +@@ -399,8 +399,14 @@ func Test_setcursorcharpos() + normal G + call setcursorcharpos([1, 1]) + call assert_equal([1, 1], [line('.'), col('.')]) ++ + call setcursorcharpos([2, 7, 0]) + call assert_equal([2, 9], [line('.'), col('.')]) ++ call setcursorcharpos([0, 7, 0]) ++ call assert_equal([2, 9], [line('.'), col('.')]) ++ call setcursorcharpos(0, 7, 0) ++ call assert_equal([2, 9], [line('.'), col('.')]) ++ + call setcursorcharpos(3, 4) + call assert_equal([3, 1], [line('.'), col('.')]) + call setcursorcharpos([3, 1]) +-- +2.33.0 + diff --git a/vim.spec b/vim.spec index 58ccc4e..14c19b3 100644 --- a/vim.spec +++ b/vim.spec @@ -12,7 +12,7 @@ Name: vim Epoch: 2 Version: 9.0 -Release: 4 +Release: 5 Summary: Vim is a highly configurable text editor for efficiently creating and changing any kind of text. License: Vim and MIT URL: http://www.vim.org @@ -78,6 +78,9 @@ Patch6048: backport-CVE-2022-3491.patch Patch6049: backport-CVE-2022-3520.patch Patch6050: backport-CVE-2022-3591.patch Patch6051: backport-patch-9.0.0790-test-for-dummy-buffer-does-not-always.patch +Patch6052: backport-CVE-2022-4292.patch +Patch6053: backport-patch-9.0.0712-wrong-column-when-calling-setcursorch-with-zero-lnum.patch +Patch6054: backport-CVE-2022-4293.patch Patch9000: bugfix-rm-modify-info-version.patch Patch9001: vim-Add-sw64-architecture.patch @@ -478,6 +481,12 @@ LC_ALL=en_US.UTF-8 make -j1 test %{_mandir}/man1/evim.* %changelog +* Thu Dec 08 2022 wangjiang - 2:9.0-5 +- Type:CVE +- ID:CVE-2022-4292 CVE-2022-4293 +- SUG:NA +- DESC:fix CVE-2022-4292 CVE-2022-4293 + * Tue Dec 06 2022 wangjiang - 2:9.0-4 - Type:CVE - ID:CVE-2022-3491 CVE-2022-3520 CVE-2022-3591 -- Gitee
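Review bot: In set_cursorpos() the negative-lnum case still falls through after `semsg()`: `col` is fetched and, when `charcol` is set, `buf_charidx_to_byteidx(curbuf, lnum, col)` is called with the negative line number before the `lnum < 0 || col < 0 || coladd < 0` check finally returns. Whether buf_charidx_to_byteidx() tolerates a negative lnum is not visible here, so the cheap fix is to wrap the `semsg(...)` in braces and add `return;` right after it, assuming rettv already holds the failure value at that point as the bare `return` on the `e_invalid_argument` path suggests. In list2fpos() the zero-lnum fallback uses `curwin->w_cursor.lnum`, but `buf` may be a different buffer when `fnump` is given, so that line number can exceed that buffer's line count; either clamp it to `buf->b_ml.ml_line_count` or add a comment stating that the callee is expected to clamp. Both functions start outside the hunk.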
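Review bot: The patch list places a non-CVE patch, Patch6053 (9.0.0712), between the two CVE backports, and that order is load-bearing: the CVE-2022-4293 backport carries a `psop` to `posp` comment hunk in eval.c whose context only exists once 9.0.0712 has introduced that comment, so applying Patch6054 before Patch6053 would fail. Nothing in the spec records this, and a later cleanup that groups CVE patches together would break the build; add a comment next to the entries, `# 9.0.0712 must precede CVE-2022-4293: its eval.c comment hunk depends on it`. Mentioning 9.0.0712 in the changelog entry as a prerequisite of CVE-2022-4293 would document the same dependency for anyone reading the package history.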