From 2a31ef30c2de6e7116585a08c994f281ffb54cf1 Mon Sep 17 00:00:00 2001 From: wjiang Date: Thu, 17 Oct 2024 15:51:22 +0800 Subject: [PATCH] fix coredump in prop_add() with id>INT_MAX (cherry picked from commit fb704ad1de1f45b3bfa089e68168f8ee56cbe0de) --- ...with-large-id-in-text_prop-interface.patch | 116 ++++++++++++++++++ vim.spec | 9 +- 2 files changed, 124 insertions(+), 1 deletion(-) create mode 100644 backport-patch-9.1.0722-crash-with-large-id-in-text_prop-interface.patch diff --git a/backport-patch-9.1.0722-crash-with-large-id-in-text_prop-interface.patch b/backport-patch-9.1.0722-crash-with-large-id-in-text_prop-interface.patch new file mode 100644 index 0000000..d43f68b --- /dev/null +++ b/backport-patch-9.1.0722-crash-with-large-id-in-text_prop-interface.patch 
@@ -0,0 +1,116 @@ +From 701c863e68fa24847100beef3c9008024615a081 Mon Sep 17 00:00:00 2001 +From: Christian Brabandt +Date: Sun, 8 Sep 2024 20:05:23 +0200 +Subject: [PATCH] patch 9.1.0722: crash with large id in text_prop interface + +Problem: crash with large id in text_prop interface + prop_add()/prop_add_list() (cposture) +Solution: Error out if the id is > INT_MAX or <= INT_MIN + +fixes: #15637 +closes: #15638 + +Signed-off-by: Christian Brabandt +--- + runtime/doc/textprop.txt | 12 ++++++------ + src/testdir/test_textprop.vim | 4 ++++ + src/textprop.c | 22 ++++++++++++++++++++-- + 3 files changed, 30 insertions(+), 8 deletions(-) + +diff --git a/runtime/doc/textprop.txt b/runtime/doc/textprop.txt +index 6b46e06df9a20..0a04abbdb6d01 100644 +--- a/runtime/doc/textprop.txt ++++ b/runtime/doc/textprop.txt +@@ -1,4 +1,4 @@ +-*textprop.txt* For Vim version 9.0. Last change: 2023 Apr 23 ++*textprop.txt* For Vim version 9.1. Last change: 2024 Sep 08 + + + VIM REFERENCE MANUAL by Bram Moolenaar +@@ -138,10 +138,10 @@ prop_add({lnum}, {col}, {props}) + bufnr buffer to add the property to; when omitted + the current buffer is used + id user defined ID for the property; must be a +- number, should be positive; when using "text" +- then "id" must not be present and will be set +- automatically to a negative number; otherwise +- zero is used ++ number, should be positive |E1510|; ++ when using "text" then "id" must not be ++ present and will be set automatically to a ++ negative number; otherwise zero is used + *E1305* + text text to be displayed before {col}, or + above/below the line if {col} is zero; prepend +@@ -267,7 +267,7 @@ prop_add_list({props}, [{item}, ...]) + call prop_add_list(#{type: 'MyProp', id: 2}, + \ [[1, 4, 1, 7], + \ [1, 15, 1, 20], +- \ [2, 30, 3, 30]] ++ \ [2, 30, 3, 30]]) + < + Can also be used as a |method|: > + GetProp()->prop_add_list([[1, 1, 1, 2], [1, 4, 1, 8]]) +diff --git a/src/testdir/test_textprop.vim b/src/testdir/test_textprop.vim +index 
57277f79e2506..bbb911f959305 100644 +--- a/src/testdir/test_textprop.vim ++++ b/src/testdir/test_textprop.vim +@@ -393,6 +393,8 @@ func Test_prop_add_list() + call assert_fails('call prop_add_list(test_null_dict(), [[2, 2, 2]])', 'E965:') + call assert_fails('call prop_add_list(#{type: "one"}, test_null_list())', 'E1298:') + call assert_fails('call prop_add_list(#{type: "one"}, [test_null_list()])', 'E714:') ++ call assert_fails('call prop_add_list(#{type: "one", id: 2147483648}, [[2, 2, 2, 2], [3, 20, 3, 22]])', 'E1510:') ++ call assert_fails('call prop_add_list(#{type: "one", id: -2147483648}, [[2, 2, 2, 2], [3, 20, 3, 22]])', 'E1510:') + + " only one error for multiple wrong values + call assert_fails('call prop_add_list(#{type: "one"}, [[{}, [], 0z00, 0.3]])', ['E728:', 'E728:']) +@@ -1743,6 +1745,8 @@ func Test_prop_func_invalid_args() + call assert_fails("call prop_add(2, 3, {'type': 'xxx', 'length':-1})", 'E475:') + call assert_fails("call prop_add(2, 3, {'type': 'xxx', 'end_col':0})", 'E475:') + call assert_fails("call prop_add(2, 3, {'length':1})", 'E965:') ++ call assert_fails("call prop_add(2, 3, {'type': 'xxx', 'id': 2147483648})", 'E1510:') ++ call assert_fails("call prop_add(2, 3, {'type': 'xxx', 'id': -2147483648})", 'E1510:') + + call prop_type_delete('xxx') + bwipe! 
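Review bot: The new assertions in both test functions cover only the rejected side of the bound; add the accepted boundary so that a later change of `>` to `>=` (or of `<=` to `<`) in the C check is caught, e.g. `call prop_add(2, 3, {'type': 'xxx', 'id': 2147483647})` and `call prop_add(2, 3, {'type': 'xxx', 'id': -2147483647})` in Test_prop_func_invalid_args, followed by a `prop_list(2)` check that the stored id round-trips unchanged. This assumes the buffer set up earlier in that function (outside the hunk) has a line 2 with at least three columns, which the existing E475 assertions on `prop_add(2, 3, ...)` suggest but do not prove. Both Test_prop_add_list and Test_prop_func_invalid_args start outside the hunk.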
+diff --git a/src/textprop.c b/src/textprop.c
+index fe0c8d20cbd46..d16f8ecef3abe 100644
+--- a/src/textprop.c
++++ b/src/textprop.c
+@@ -372,7 +372,16 @@ f_prop_add_list(typval_T *argvars, typval_T *rettv UNUSED)
+ type_name = dict_get_string(dict, "type", FALSE);
+ 
+ if (dict_has_key(dict, "id"))
+- id = dict_get_number(dict, "id");
++ {
++ long long x;
++ x = dict_get_number(dict, "id");
++ if (x > INT_MAX || x <= INT_MIN)
++ {
++ semsg(_(e_val_too_large), dict_get_string(dict, "id", FALSE));
++ return;
++ }
++ id = (int)x;
++ }
+ 
+ if (get_bufnr_from_arg(&argvars[0], &buf) == FAIL)
+ return;
+@@ -497,7 +506,16 @@ prop_add_common(
+ end_col = 1;
+ 
+ if (dict_has_key(dict, "id"))
+- id = dict_get_number(dict, "id");
++ {
++ long long x;
++ x = dict_get_number(dict, "id");
++ if (x > INT_MAX || x <= INT_MIN)
++ {
++ semsg(_(e_val_too_large), dict_get_string(dict, "id", FALSE));
++ goto theend;
++ }
++ id = (int)x;
++ }
+ 
+ if (dict_has_key(dict, "text"))
+ {
+ 
diff --git a/vim.spec b/vim.spec
index 8b015d6..88cb685 100644
--- a/vim.spec
+++ b/vim.spec
@@ -14,7 +14,7 @@ Name: vim Epoch: 2 Version: %{baseversion}.%{patchlevel} -Release: 12 +Release: 13 Summary: Vim is a highly configurable text editor for efficiently creating and changing any kind of text. License: Vim and MIT URL: http://www.vim.org
@@ -50,6 +50,7 @@ Patch6015: backport-patch-9.1.0554-bw-leaves-jumplist-and-tagstack-data-.pa Patch6016: backport-CVE-2024-41957.patch Patch6017: backport-CVE-2024-43374.patch Patch6018: backport-CVE-2024-43802.patch +Patch6019: backport-patch-9.1.0722-crash-with-large-id-in-text_prop-interface.patch Patch9000: bugfix-rm-modify-info-version.patch Patch9001: fix-CVE-2024-47814.patch 
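Review bot: The id range check is pasted verbatim into both f_prop_add_list and prop_add_common (the two `++` blocks), differing only in `return` versus `goto theend`; a small static helper would keep the two in step and give the bound a single documented home. Neither enclosing function starts or ends inside the hunk, and the `goto theend` path runs before the "text" entry is read, so it relies on whatever theend releases being in a safe initial state at that point — worth confirming at the label. The helper's comment should also record why the bound exists, which the hunk leaves implicit: the id is narrowed with `(int)x`, and a value that previously truncated silently to a negative int presumably landed in the auto-assigned (negative) virtual-text id range described in the doc change — confirm against the original crash report. Keeping `x <= INT_MIN` rather than `<` is deliberate per the subject line, so the comment should say so to stop a later cleanup "fixing" it.
```c
/*
 * Read the optional "id" entry of "dict" into "*idp".
 * The id is stored as an int; reject anything that does not fit (INT_MIN
 * itself is excluded on purpose).  Gives an error message and returns FAIL
 * on an out-of-range value, OK otherwise (including when "id" is absent).
 */
    static int
get_prop_id_arg(dict_T *dict, int *idp)
{
    long long x;

    if (!dict_has_key(dict, "id"))
	return OK;
    x = dict_get_number(dict, "id");
    if (x > INT_MAX || x <= INT_MIN)
    {
	semsg(_(e_val_too_large), dict_get_string(dict, "id", FALSE));
	return FAIL;
    }
    *idp = (int)x;
    return OK;
}

/* … unchanged: f_prop_add_list up to the "id" handling … */
    if (get_prop_id_arg(dict, &id) == FAIL)
	return;

/* … unchanged: prop_add_common up to the "id" handling … */
    if (get_prop_id_arg(dict, &id) == FAIL)
	goto theend;
```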
@@ -458,6 +459,12 @@ LC_ALL=en_US.UTF-8 make -j1 test || echo "Warning: Please check tests." %{_mandir}/man1/evim.* %changelog +* Thu Oct 17 2024 wangjiang - 2:9.0.2092-13 +- Type:bugfix +- ID:NA +- SUG:NA +- DESC:fix coredump in prop_add() with id>INT_MAX + * Tue Oct 08 2024 changtao - 2:9.0.2092-12 - Type:CVE - ID:CVE-2024-47814 -- Gitee