From 7f6b017ef13f8a2357438e6146dfe1372b535e0b Mon Sep 17 00:00:00 2001
From: shixuantong
Date: Sat, 4 Dec 2021 14:11:19 +0800
Subject: [PATCH] fix CVE-2021-3984
(cherry picked from commit 2cffb8ca8e4d7d431f7a1ed8036257c302baff3a)
---
backport-CVE-2021-3984.patch | 64 ++++++++++++++++++++++++++++++++++++
vim.spec | 21 ++++++++----
2 files changed, 78 insertions(+), 7 deletions(-)
create mode 100644 backport-CVE-2021-3984.patch
diff --git a/backport-CVE-2021-3984.patch b/backport-CVE-2021-3984.patch
new file mode 100644
index 0000000..cf8fd05
--- /dev/null
+++ b/backport-CVE-2021-3984.patch
@@ -0,0 +1,64 @@
+From 2de9b7c7c8791da8853a9a7ca9c467867465b655 Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar
+Date: Fri, 19 Nov 2021 19:41:13 +0000
+Subject: [PATCH] patch 8.2.3625: illegal memory access when C-indenting
+
+Problem: Illegal memory access when C-indenting.
+Solution: Also set the cursor column.
+---
+ src/cindent.c | 10 +++++-----
+ src/testdir/test_cindent.vim | 12 ++++++++++++
+ 2 files changed, 17 insertions(+), 5 deletions(-)
+
+diff --git a/src/cindent.c b/src/cindent.c
+index c7caed6..28d1558 100644
+--- a/src/cindent.c
++++ b/src/cindent.c
+@@ -1635,10 +1635,10 @@ get_baseclass_amount(int col)
+ static pos_T *
+ find_start_brace(void) // XXX
+ {
+- pos_T cursor_save;
+- pos_T *trypos;
+- pos_T *pos;
+- static pos_T pos_copy;
++ pos_T cursor_save;
++ pos_T *trypos;
++ pos_T *pos;
++ static pos_T pos_copy;
+
+ cursor_save = curwin->w_cursor;
+ while ((trypos = findmatchlimit(NULL, '{', FM_BLOCKSTOP, 0)) != NULL)
+@@ -1652,7 +1652,7 @@ find_start_brace(void) // XXX
+ && (pos = ind_find_start_CORS(NULL)) == NULL) // XXX
+ break;
+ if (pos != NULL)
+- curwin->w_cursor.lnum = pos->lnum;
++ curwin->w_cursor = *pos;
+ }
+ curwin->w_cursor = cursor_save;
+ return trypos;
+diff --git a/src/testdir/test_cindent.vim b/src/testdir/test_cindent.vim
+index 2cb3f24..2a87460 100644
+--- a/src/testdir/test_cindent.vim
++++ b/src/testdir/test_cindent.vim
+@@ -5251,4 +5251,16 @@ func Test_cindent_56()
+ enew! | close
+ endfunc
+
++func Test_find_brace_backwards()
++ " this was looking beyond the end of the line
++ new
++ norm R/*
++ norm o0{
++ norm o//
++ norm V{=
++ call assert_equal(['/*', ' 0{', '//'], getline(1, 3))
++ bwipe!
++endfunc
++
++
+ " vim: shiftwidth=2 sts=2 expandtab
+--
+1.8.3.1
+
diff --git a/vim.spec b/vim.spec
index a2ef33c..092afca 100644
--- a/vim.spec
+++ b/vim.spec
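Review bot: The corrected line `curwin->w_cursor = *pos;` in `find_start_brace()` has no comment saying why the whole position is copied, and the old `lnum`-only assignment could easily be reintroduced by a later refactor or a conflicting backport. Going by the upstream message ("Also set the cursor column"), the previous code moved the cursor to another line but kept the old column, which can lie past the end of that line on the next `findmatchlimit()` pass. I would not edit the upstream patch itself, but a packaging note such as `# 8.2.3625: find_start_brace() must copy the full pos_T so the column is valid for the new line` would keep the reasoning with the backport. The added `Test_find_brace_backwards` asserts only the resulting buffer text, so it would likely pass on unpatched code whenever the stray read does not fault; the backport is best verified by running that test under ASan or valgrind. `find_start_brace()` is only partly visible in these hunks.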
@@ -11,7 +11,7 @@ Name: vim Epoch: 2 Version: 8.2 -Release: 7 +Release: 8 Summary: Vim is a highly configurable text editor for efficiently creating and changing any kind of text. License: Vim and MIT URL: http://www.vim.org @@ -44,6 +44,7 @@ Patch6010: backport-CVE-2021-3973.patch Patch6011: backport-CVE-2021-3974.patch Patch6012: backport-find-test-fails.patch Patch6013: backport-no-early-check-if-find-and-sfind-have-an-argument.patch +Patch6014: backport-CVE-2021-3984.patch Patch9000: bugfix-rm-modify-info-version.patch @@ -432,37 +433,43 @@ popd %{_mandir}/man1/evim.* %changelog -* Tue Nov 30 2021 shixuantong - 2:8.2-7 +* Sat Dec 04 2021 shixuantong - 2:8.2-8 +- Type:CVE +- ID:CVE-2021-3984 +- SUG:NA +- DESC:fix CVE-2021-3984 + +* Tue Nov 30 2021 shixuantong - 2:8.2-7 - Type:CVE - ID:CVE-2021-3973 CVE-2021-3974 - SUG:NA - DESC:fix CVE-2021-3973 CVE-2021-3974 -* Sat Nov 13 2021 shixuantong - 2:8.2-6 +* Sat Nov 13 2021 shixuantong - 2:8.2-6 - Type:CVE - ID:CVE-2021-3927 CVE-2021-3927 - SUG:NA - DESC:fix CVE-2021-3927 CVE-2021-3928 -* Sat Oct 30 2021 shixuantong - 2:8.2-5 +* Sat Oct 30 2021 shixuantong - 2:8.2-5 - Type:CVE - ID:CVE-2021-3903 - SUG:NA - DESC:fix CVE-2021-3903 -* Sat Oct 23 2021 shixuantong - 2:8.2-4 +* Sat Oct 23 2021 shixuantong - 2:8.2-4 - Type:CVE - ID:CVE-2021-3872 CVE-2021-3875 - SUG:NA - DESC:fix CVE-2021-3872 CVE-2021-3875 -* Sun Sep 26 2021 shixuantong - 2:8.2-3 +* Sun Sep 26 2021 shixuantong - 2:8.2-3 - Type:CVE - ID:CVE-2021-3778 CVE-2021-3796 - SUG:NA - DESC:fix CVE-2021-3778 CVE-2021-3796 -* Sat Sep 11 2021 shixuantong - 2:8.2-2 +* Sat Sep 11 2021 shixuantong - 2:8.2-2 - Type:CVE - ID:NA - SUG:NA -- Gitee
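Review bot: `Patch6014: backport-CVE-2021-3984.patch` is declared in the second hunk, but no matching `%patch` line appears in any visible hunk. If the `%prep` section applies patches one by one rather than through `%autosetup` or `%autopatch`, the fix would ship in the source package without ever being applied to the build. `%prep` is outside this diff, so please confirm how it applies patches. A one-line comment above the tag, for example `# upstream patch 8.2.3625 (commit 2de9b7c7c879)`, would also tie the CVE entry to the upstream fix for later audits.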