diff --git a/backport-CVE-2021-3973.patch b/backport-CVE-2021-3973.patch
new file mode 100644
index 0000000000000000000000000000000000000000..cda4be3b14f600112c0321c1d519a47c3470d3b4
--- /dev/null
+++ b/backport-CVE-2021-3973.patch
@@ -0,0 +1,79 @@
+From 615ddd5342b50a6878a907062aa471740bd9a847 Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar
+Date: Wed, 17 Nov 2021 18:00:31 +0000
+Subject: [PATCH] patch 8.2.3611: crash when using CTRL-W f without finding a
+ file name
+
+Problem: Crash when using CTRL-W f without finding a file name.
+Solution: Bail out when the file name length is zero.
+
+Reference:https://github.com/vim/vim/commit/615ddd5342b50a6878a907062aa471740bd9a847
+---
+ src/findfile.c | 8 ++++++++
+ src/normal.c | 6 ++++--
+ src/testdir/test_visual.vim | 8 ++++++++
+ 3 files changed, 20 insertions(+), 2 deletions(-)
+
+diff --git a/src/findfile.c b/src/findfile.c
+index ba996c4..7a4dfe5 100644
+--- a/src/findfile.c
++++ b/src/findfile.c
+@@ -1727,6 +1727,9 @@ find_file_in_path_option(
+ proc->pr_WindowPtr = (APTR)-1L;
+ # endif
+
++ if (len == 0)
++ return NULL;
++
+ if (first == TRUE)
+ {
+ // copy file name into NameBuff, expanding environment variables
+@@ -2103,7 +2106,12 @@ find_file_name_in_path(
+ int c;
+ # if defined(FEAT_FIND_ID) && defined(FEAT_EVAL)
+ char_u *tofree = NULL;
++# endif
+
++ if (len == 0)
++ return NULL;
++
++# if defined(FEAT_FIND_ID) && defined(FEAT_EVAL)
+ if ((options & FNAME_INCL) && *curbuf->b_p_inex != NUL)
+ {
+ tofree = eval_includeexpr(ptr, len);
+diff --git a/src/normal.c b/src/normal.c
+index d6333b9..e9e587d 100644
+--- a/src/normal.c
++++ b/src/normal.c
+@@ -3778,8 +3778,10 @@ get_visual_text(
+ *pp = ml_get_pos(&VIsual);
+ *lenp = curwin->w_cursor.col - VIsual.col + 1;
+ }
+- if (has_mbyte)
+- // Correct the length to include the whole last character.
++ if (**pp == NUL)
++ *lenp = 0;
++ if (has_mbyte && *lenp > 0)
++ // Correct the length to include all bytes of the last character.
+ *lenp += (*mb_ptr2len)(*pp + (*lenp - 1)) - 1;
+ }
+ reset_VIsual_and_resel();
+diff --git a/src/testdir/test_visual.vim b/src/testdir/test_visual.vim
+index ae28123..0705fdb 100644
+--- a/src/testdir/test_visual.vim
++++ b/src/testdir/test_visual.vim
+@@ -894,4 +894,12 @@ func Test_block_insert_replace_tabs()
+ bwipe!
+ endfunc
+
++func Test_visual_block_ctrl_w_f()
++ " Emtpy block selected in new buffer should not result in an error.
++ au! BufNew foo sil norm f
++ edit foo
++
++ au! BufNew
++endfunc
++
+ " vim: shiftwidth=2 sts=2 expandtab
+--
+2.23.0
\ No newline at end of file
diff --git a/backport-CVE-2021-3974.patch b/backport-CVE-2021-3974.patch
new file mode 100644
index 0000000000000000000000000000000000000000..258270483e5a66c182bc88f4cc2a59cd836aa9f1
--- /dev/null
+++ b/backport-CVE-2021-3974.patch
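Review bot: In the test_visual.vim hunk the added line `au! BufNew foo sil norm f` shows no CTRL-V/CTRL-W key bytes between `norm ` and `f`, so as rendered here the test runs a plain `f` motion and never reaches the CTRL-W f path that the new `if (len == 0) return NULL;` in find_file_name_in_path is meant to protect. The control characters are non-printing and may simply have been dropped when the patch was copied, so check the patch file byte-for-byte; if they are missing, writing the autocommand with escape notation, `au! BufNew foo exe "sil norm \<C-V>\<C-W>f"`, keeps the regression test readable and copy-safe. The comment typo `Emtpy` on the line above could be fixed at the same time. Both findfile.c functions and get_visual_text begin outside their hunks.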
@@ -0,0 +1,67 @@
+From 64066b9acd9f8cffdf4840f797748f938a13f2d6 Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar
+Date: Wed, 17 Nov 2021 18:22:56 +0000
+Subject: [PATCH] patch 8.2.3612: using freed memory with regexp using a mark
+
+Problem: Using freed memory with regexp using a mark.
+Solution: Get the line again after getting the mark position.
+
+Reference:https://github.com/vim/vim/commit/64066b9acd9f8cffdf4840f797748f938a13f2d6
+---
+ src/regexp.c | 2 +-
+ src/regexp_nfa.c | 8 ++++++++
+ src/testdir/test_regexp_latin.vim | 8 ++++++++
+ 3 files changed, 17 insertions(+), 1 deletion(-)
+
+diff --git a/src/regexp.c b/src/regexp.c
+index 112f753..2e94e5a 100644
+--- a/src/regexp.c
++++ b/src/regexp.c
+@@ -1092,7 +1092,7 @@ typedef struct {
+ // The current match-position is stord in these variables:
+ linenr_T lnum; // line number, relative to first line
+ char_u *line; // start of current line
+- char_u *input; // current input, points into "regline"
++ char_u *input; // current input, points into "line"
+
+ int need_clear_subexpr; // subexpressions still need to be cleared
+ #ifdef FEAT_SYN_HL
+diff --git a/src/regexp_nfa.c b/src/regexp_nfa.c
+index bc4a4b6..433523e 100644
+--- a/src/regexp_nfa.c
++++ b/src/regexp_nfa.c
+@@ -6623,8 +6623,16 @@ nfa_regmatch(
+ case NFA_MARK_GT:
+ case NFA_MARK_LT:
+ {
++ size_t col = rex.input - rex.line;
+ pos_T *pos = getmark_buf(rex.reg_buf, t->state->val, FALSE);
+
++ // Line may have been freed, get it again.
++ if (REG_MULTI)
++ {
++ rex.line = reg_getline(rex.lnum);
++ rex.input = rex.line + col;
++ }
++
+ // Compare the mark position to the match position.
+ result = (pos != NULL // mark doesn't exist
+ && pos->lnum > 0 // mark isn't set in reg_buf
+diff --git a/src/testdir/test_regexp_latin.vim b/src/testdir/test_regexp_latin.vim
+index 7a4d98f..3168edc 100644
+--- a/src/testdir/test_regexp_latin.vim
++++ b/src/testdir/test_regexp_latin.vim
+@@ -141,3 +141,11 @@ func Test_pattern_compile_speed()
+ call assert_inrange(0.01, 10.0, reltimefloat(reltime(start)))
+ set spc=
+ endfunc
++
++func Test_using_mark_position()
++ " this was using freed memory
++ new
++ norm O0
++ call assert_fails("s/\\%')", 'E486:')
++ bwipe!
++endfunc
+--
+2.23.0
\ No newline at end of file
diff --git a/backport-find-test-fails.patch b/backport-find-test-fails.patch
new file mode 100644
index 0000000000000000000000000000000000000000..ec8314f0795c82ba8ddf959b41024930f189d5a0
--- /dev/null
+++ b/backport-find-test-fails.patch
@@ -0,0 +1,34 @@
+From e015d99abb4276f47ce97bad1ad5ff0c658b1c8a Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar
+Date: Wed, 17 Nov 2021 19:01:53 +0000
+Subject: [PATCH] patch 8.2.3613: :find test fails
+
+Problem: :find test fails.
+Solution: Put length check inside if block.
+
+Reference:https://github.com/vim/vim/commit/e015d99abb4276f47ce97bad1ad5ff0c658b1c8a
+---
+ src/findfile.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/src/findfile.c b/src/findfile.c
+index 7a4dfe5..b9a0e47 100644
+--- a/src/findfile.c
++++ b/src/findfile.c
+@@ -1727,11 +1727,11 @@ find_file_in_path_option(
+ proc->pr_WindowPtr = (APTR)-1L;
+ # endif
+
+- if (len == 0)
+- return NULL;
+-
+ if (first == TRUE)
+ {
++ if (len == 0)
++ return NULL;
++
+ // copy file name into NameBuff, expanding environment variables
+ save_char = ptr[len];
+ ptr[len] = NUL;
+--
+2.23.0
\ No newline at end of file
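Review bot: `rex.input = rex.line + col;` in the regexp_nfa.c hunk re-bases the input pointer on whatever `reg_getline(rex.lnum)` returned without checking it, and the hunk shows neither that helper's contract nor why `col` is still a valid offset into the re-fetched line; the comment `// Line may have been freed, get it again.` records the what but not the invariant. If reg_getline() could return NULL or a shorter line after the mark lookup touched the buffer, this would silently form an out-of-range pointer, so the assumption deserves a line such as `// NOTE: getmark_buf() may free the cached line text but not change its content, so "col" stays valid — verify` or a guard if that does not hold. Declaring `col` as `ptrdiff_t` would also match the type of the pointer difference instead of converting it to size_t. nfa_regmatch's body continues outside the hunk.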
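Review bot: Moving `if (len == 0) return NULL;` inside `if (first == TRUE)` means a zero-length name is no longer rejected on continuation calls where `first` is false; that is presumably fine because the hunk shows the name being copied only on the first call (`save_char = ptr[len]; ptr[len] = NUL;`), but nothing states it, and a comment like `// only the first call looks at ptr/len; later calls continue the search — confirm` would keep the intent visible on the next backport. Taken with backport-CVE-2021-3973.patch this series contains an intermediate state in which the :find test fails; folding 8.2.3613 into the same patch file, or at least recording the dependency next to Patch6018 in vim.spec, keeps the series bisectable. find_file_in_path_option's body continues outside the hunk.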
diff --git a/backport-no-early-check-if-find-and-sfind-have-an-argument.patch b/backport-no-early-check-if-find-and-sfind-have-an-argument.patch
new file mode 100644
index 0000000000000000000000000000000000000000..02934c578084bd63f76f6493f2e8902a8baf68e7
--- /dev/null
+++ b/backport-no-early-check-if-find-and-sfind-have-an-argument.patch
@@ -0,0 +1,70 @@
+From 2d10cd478047df8ba144d4b0fcc46480993af57f Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar
+Date: Thu, 19 Mar 2020 14:37:30 +0100
+Subject: [PATCH] patch 8.2.0407: no early check if :find and :sfind have an
+ argument
+
+Problem: No early check if :find and :sfind have an argument.
+Solution: Add EX_NEEDARG.
+
+Reference:https://github.com/vim/vim/commit/2d10cd478047df8ba144d4b0fcc46480993af57f
+---
+ src/ex_cmds.h | 4 ++--
+ src/testdir/test_find_complete.vim | 8 ++++----
+ 2 files changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/src/ex_cmds.h b/src/ex_cmds.h
+index 983378c..28ea6ee 100644
+--- a/src/ex_cmds.h
++++ b/src/ex_cmds.h
+@@ -572,7 +572,7 @@ EXCMD(CMD_filter, "filter", ex_wrongmodifier,
+ EX_BANG|EX_NEEDARG|EX_EXTRA|EX_NOTRLCOM,
+ ADDR_NONE),
+ EXCMD(CMD_find, "find", ex_find,
+- EX_RANGE|EX_BANG|EX_FILE1|EX_CMDARG|EX_ARGOPT|EX_TRLBAR,
++ EX_RANGE|EX_BANG|EX_FILE1|EX_CMDARG|EX_ARGOPT|EX_TRLBAR|EX_NEEDARG,
+ ADDR_OTHER),
+ EXCMD(CMD_finally, "finally", ex_finally,
+ EX_TRLBAR|EX_SBOXOK|EX_CMDWIN,
+@@ -1319,7 +1319,7 @@ EXCMD(CMD_setlocal, "setlocal", ex_set,
+ EX_TRLBAR|EX_EXTRA|EX_CMDWIN|EX_SBOXOK,
+ ADDR_NONE),
+ EXCMD(CMD_sfind, "sfind", ex_splitview,
+- EX_BANG|EX_FILE1|EX_RANGE|EX_CMDARG|EX_ARGOPT|EX_TRLBAR,
++ EX_BANG|EX_FILE1|EX_RANGE|EX_CMDARG|EX_ARGOPT|EX_TRLBAR|EX_NEEDARG,
+ ADDR_OTHER),
+ EXCMD(CMD_sfirst, "sfirst", ex_rewind,
+ EX_EXTRA|EX_BANG|EX_CMDARG|EX_ARGOPT|EX_TRLBAR,
+diff --git a/src/testdir/test_find_complete.vim b/src/testdir/test_find_complete.vim
+index 679bf3c..32ca967 100644
+--- a/src/testdir/test_find_complete.vim
++++ b/src/testdir/test_find_complete.vim
+@@ -15,22 +15,22 @@ func Test_find_complete()
+
+ new
+ set path=
+- call assert_fails('call feedkeys(":find\t\n", "xt")', 'E345:')
++ call assert_fails('call feedkeys(":find \t\n", "xt")', 'E471:')
+ close
+
+ new
+ set path=.
+- call assert_fails('call feedkeys(":find\t\n", "xt")', 'E32:')
++ call assert_fails('call feedkeys(":find \t\n", "xt")', 'E471:')
+ close
+
+ new
+ set path=.,,
+- call assert_fails('call feedkeys(":find\t\n", "xt")', 'E32:')
++ call assert_fails('call feedkeys(":find \t\n", "xt")', 'E471:')
+ close
+
+ new
+ set path=./**
+- call assert_fails('call feedkeys(":find\t\n", "xt")', 'E32:')
++ call assert_fails('call feedkeys(":find \t\n", "xt")', 'E471:')
+ close
+
+ " We shouldn't find any file till this point
+--
+2.23.0
\ No newline at end of file
diff --git a/vim.spec b/vim.spec
index 5e0078168ac4e9fc3bfdc762c95062806f35b1f4..32d8e6b73f2823129da899de0b3f04df1cc53e15 100644
--- a/vim.spec
+++ b/vim.spec
@@ -12,7 +12,7 @@
 Name: vim
 Epoch: 2
 Version: 8.2
-Release: 15
+Release: 16
 Summary: Vim is a highly configurable text editor for efficiently creating and changing any kind of text.
 License: Vim and MIT
 URL: http://www.vim.org
@@ -50,6 +50,10 @@ Patch6012: backport-linker-errors-when-building-with-dynamic-Python-3.9.pat
 Patch6013: backport-PyEval_InitThreads-is-deprecated-in-Python-3.9.patch
 Patch6014: backport-linker-errors-with-dynamic-Python-3.10.patch
 Patch6015: backport-configure-cannot-detect-Python-3.10.patch
+Patch6016: backport-CVE-2021-3973.patch
+Patch6017: backport-CVE-2021-3974.patch
+Patch6018: backport-find-test-fails.patch
+Patch6019: backport-no-early-check-if-find-and-sfind-have-an-argument.patch
 
 Patch9000: bugfix-rm-modify-info-version.patch
 
@@ -438,6 +442,12 @@ popd
 %{_mandir}/man1/evim.*
 
 %changelog
+* Tue Nov 30 2021 shixuantong - 2:8.2-16
+- Type:CVE
+- ID:CVE-2021-3973 CVE-2021-3974
+- SUG:NA
+- DESC:fix CVE-2021-3973 CVE-2021-3974
+
 * Sat Nov 27 2021 shixuantong - 2:8.2-15
 - Type:bugfix
 - ID:NA
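Review bot: This backport of 8.2.0407 (dated March 2020) is not one of the CVE fixes, yet nothing in the series says why it is needed; the vim.spec changelog lists only CVE-2021-3973 and CVE-2021-3974. From the test_find_complete.vim hunk it looks as though the new `if (len == 0) return NULL;` in find_file_in_path_option changes which error an argument-less `:find` produces, so the old E345/E32 expectations had to become E471 via EX_NEEDARG — that is an inference from the page, and the real reason should be recorded, e.g. `- DESC:fix CVE-2021-3973 CVE-2021-3974; also backport 8.2.0407 and 8.2.3613 so the :find tests keep passing` in the changelog entry. The ex_cmds.h change is also user-visible: `:find` and `:sfind` without an argument now fail early with E471 rather than with whatever the path search reported, which is worth a line in the changelog as well.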