From 46a58eeb77bf23067ba77d9e66102a8987aa9322 Mon Sep 17 00:00:00 2001
From: wangjiang
Date: Thu, 4 May 2023 16:33:53 +0800
Subject: [PATCH] fix CVE-2023-2426
---
 backport-CVE-2023-2426.patch | 133 +++++++++++++++++++++++++++++++++++
 vim.spec | 9 ++-
 2 files changed, 141 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2023-2426.patch
diff --git a/backport-CVE-2023-2426.patch b/backport-CVE-2023-2426.patch
new file mode 100644
index 0000000..57819cf
--- /dev/null
+++ b/backport-CVE-2023-2426.patch
@@ -0,0 +1,133 @@
+From caf642c25de526229264cab9425e7c9979f3509b Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar
+Date: Sat, 29 Apr 2023 21:38:04 +0100
+Subject: [PATCH] patch 9.0.1499: using uninitialized memory with fuzzy
+ matching
+
+Problem: Using uninitialized memory with fuzzy matching.
+Solution: Initialize the arrays used to store match positions.
+---
+ src/quickfix.c | 5 ++++-
+ src/search.c | 17 +++++++----------
+ src/testdir/test_matchfuzzy.vim | 27 +++++++++++++++++++++++++++
+ 3 files changed, 38 insertions(+), 11 deletions(-)
+
+diff --git a/src/quickfix.c b/src/quickfix.c
+index 13292e2f7515..553ad457880a 100644
+--- a/src/quickfix.c
++++ b/src/quickfix.c
+@@ -6005,6 +6005,8 @@ vgr_match_buflines(
+ long lnum;
+ colnr_T col;
+ int pat_len = (int)STRLEN(spat);
++ if (pat_len > MAX_FUZZY_MATCHES)
++ pat_len = MAX_FUZZY_MATCHES;
+ 
+ for (lnum = 1; lnum <= buf->b_ml.ml_line_count && *tomatch > 0; ++lnum)
+ {
+@@ -6013,7 +6015,7 @@ vgr_match_buflines(
+ {
+ // Regular expression match
+ while (vim_regexec_multi(regmatch, curwin, buf, lnum,
+- col, NULL) > 0)
++ col, NULL) > 0)
+ {
+ // Pass the buffer number so that it gets used even for a
+ // dummy buffer, unless duplicate_name is set, then the
+@@ -6059,6 +6061,7 @@ vgr_match_buflines(
+ int_u sz = ARRAY_LENGTH(matches);
+ 
+ // Fuzzy string match
++ CLEAR_FIELD(matches);
+ while (fuzzy_match(str + col, spat, FALSE, &score, matches, sz) > 0)
+ {
+ // Pass the buffer number so that it gets used even for a
+diff --git a/src/search.c b/src/search.c
+index 74ca8fefb2c5..5e3857078031 100644
+--- a/src/search.c
++++ b/src/search.c
+@@ -4407,14 +4407,14 @@ fuzzy_match_recursive(
+ // Found match
+ if (vim_tolower(c1) == vim_tolower(c2))
+ {
+- int_u recursiveMatches[MAX_FUZZY_MATCHES];
+- int recursiveScore = 0;
+- char_u *next_char;
+-
+ // Supplied matches buffer was too short
+ if (nextMatch >= maxMatches)
+ return 0;
+ 
++ int recursiveScore = 0;
++ int_u recursiveMatches[MAX_FUZZY_MATCHES];
++ CLEAR_FIELD(recursiveMatches);
++
+ // "Copy-on-Write" srcMatches into matches
+ if (first_match && srcMatches)
+ {
+@@ -4423,10 +4423,7 @@ fuzzy_match_recursive(
+ }
+ 
+ // Recursive call that "skips" this match
+- if (has_mbyte)
+- next_char = str + (*mb_ptr2len)(str);
+- else
+- next_char = str + 1;
++ char_u *next_char = str + (has_mbyte ? (*mb_ptr2len)(str) : 1);
+ if (fuzzy_match_recursive(fuzpat, next_char, strIdx + 1,
+ &recursiveScore, strBegin, strLen, matches,
+ recursiveMatches,
+@@ -4491,8 +4488,8 @@ fuzzy_match_recursive(
+ * Uses char_u for match indices. Therefore patterns are limited to
+ * MAX_FUZZY_MATCHES characters.
+ *
+- * Returns TRUE if 'pat_arg' matches 'str'. Also returns the match score in
+- * 'outScore' and the matching character positions in 'matches'.
++ * Returns TRUE if "pat_arg" matches "str". Also returns the match score in
++ * "outScore" and the matching character positions in "matches".
+ */
+ int
+ fuzzy_match(
+diff --git a/src/testdir/test_matchfuzzy.vim b/src/testdir/test_matchfuzzy.vim
+index 502d136ccf2a..43eca8ff08af 100644
+--- a/src/testdir/test_matchfuzzy.vim
++++ b/src/testdir/test_matchfuzzy.vim
+@@ -2,6 +2,7 @@
+ 
+ source shared.vim
+ source check.vim
++source term_util.vim
+ 
+ " Test for matchfuzzy()
+ func Test_matchfuzzy()
+@@ -253,4 +254,30 @@ func Test_matchfuzzy_limit()
+ call assert_equal([{'id': 5, 'val': 'crayon'}], l->matchfuzzy('c', #{key: 'val', limit: 1}))
+ endfunc
+ 
++" This was using uninitialized memory
++func Test_matchfuzzy_initialized()
++ CheckRunVimInTerminal
++
++ " This can take a very long time (esp. when using valgrind). Run in a
++ " separate Vim instance and kill it after two seconds. We only check for
++ " memory errors.
++ let lines =<< trim END
++ lvimgrep [ss [fg*
++ END
++ call writefile(lines, 'XTest_matchfuzzy', 'D')
++
++ let buf = RunVimInTerminal('-u NONE -X -Z', {})
++ call term_sendkeys(buf, ":source XTest_matchfuzzy\n")
++ call TermWait(buf, 2000)
++
++ let job = term_getjob(buf)
++ if job_status(job) == "run"
++ call job_stop(job, "int")
++ call TermWait(buf, 50)
++ endif
++
++ " clean up
++ call StopVimInTerminal(buf)
++endfunc
++
+ " vim: shiftwidth=2 sts=2 expandtab
diff --git a/vim.spec b/vim.spec
index e3d684f..be4c1fc 100644
--- a/vim.spec
+++ b/vim.spec
@@ -12,7 +12,7 @@
 Name: vim
 Epoch: 2
 Version: 9.0
-Release: 31
+Release: 32
 Summary: Vim is a highly configurable text editor for efficiently creating and changing any kind of text.
 License: Vim and MIT
 URL: http://www.vim.org
@@ -94,6 +94,7 @@ Patch6063: backport-CVE-2023-1170.patch
 Patch6064: backport-CVE-2023-1175.patch
 Patch6065: backport-CVE-2023-1264.patch
 Patch6066: backport-vim-7.0-rclocation.patch
+Patch6067: backport-CVE-2023-2426.patch
 Patch9000: bugfix-rm-modify-info-version.patch
@@ -501,6 +502,12 @@ LC_ALL=en_US.UTF-8 make -j1 test
 %{_mandir}/man1/evim.*
 %changelog
+* Thu May 04 2023 wangjiang - 2:9.0-32
+- Type:CVE
+- ID:CVE-2023-2426
+- SUG:NA
+- DESC:CVE-2023-2426
+
 * Fri Mar 24 2023 wangjiang - 2:9.0-31
 - Type:bugfix
 - ID:NA
-- 
Gitee