diff --git a/backport-CVE-2021-4166.patch b/backport-CVE-2021-4166.patch
new file mode 100644
index 0000000000000000000000000000000000000000..7de8faac7ad9a896232e26a28af1ce6c8664df6a
--- /dev/null
+++ b/backport-CVE-2021-4166.patch
@@ -0,0 +1,61 @@
+From 6f98371532fcff911b462d51bc64f2ce8a6ae682 Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar
+Date: Fri, 24 Dec 2021 18:11:27 +0000
+Subject: [PATCH] patch 8.2.3884: crash when clearing the argument list while
+ using it
+Conflict:NA
+Reference:https://github.com/vim/vim/commit/6f98371532fcff911b462d51bc64f2ce8a6ae682
+
+Problem: Crash when clearing the argument list while using it.
+Solution: Lock the argument list for ":all".
+---
+ src/arglist.c | 3 +++
+ src/testdir/test_arglist.vim | 7 +++++++
+ 2 files changed, 10 insertions(+)
+
+diff --git a/src/arglist.c b/src/arglist.c
+index 21c38c1..cdd70ca 100644
+--- a/src/arglist.c
++++ b/src/arglist.c
+@@ -902,6 +902,7 @@ do_arg_all(
+ tabpage_T *old_curtab, *last_curtab;
+ win_T *new_curwin = NULL;
+ tabpage_T *new_curtab = NULL;
++ int prev_arglist_locked = arglist_locked;
+
+ if (ARGCOUNT <= 0)
+ {
+@@ -921,6 +922,7 @@ do_arg_all(
+ // watch out for its size to be changed.
+ alist = curwin->w_alist;
+ ++alist->al_refcount;
++ arglist_locked = TRUE;
+
+ old_curwin = curwin;
+ old_curtab = curtab;
+@@ -1132,6 +1134,7 @@ do_arg_all(
+
+ // Remove the "lock" on the argument list.
+ alist_unlink(alist);
++ arglist_locked = prev_arglist_locked;
+
+ --autocmd_no_enter;
+
+diff --git a/src/testdir/test_arglist.vim b/src/testdir/test_arglist.vim
+index c486b18..1c94fe9 100644
+--- a/src/testdir/test_arglist.vim
++++ b/src/testdir/test_arglist.vim
+@@ -505,3 +505,10 @@ func Test_argdo()
+ call assert_equal(['Xa.c', 'Xb.c', 'Xc.c'], l)
+ bwipe Xa.c Xb.c Xc.c
+ endfunc
++
++func Test_clear_arglist_in_all()
++ n 0 00 000 0000 00000 000000
++ au! * 0 n 0
++ all
++ au! *
++endfunc
+--
+2.27.0
+
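Review bot: In the third src/arglist.c hunk of this backport, `arglist_locked` is restored only after `alist_unlink(alist)` has run, so the unlink still executes under the lock. backport-add-the-arglist_locked-flag.patch on this page makes `alist_clear()` return early while the flag is set; if `alist_unlink()` reaches `alist_clear()` when the last reference is dropped (its body is not shown here), the entries would be left allocated and E1156 reported at the end of `:all`. It is worth confirming that path, and either restoring first, `arglist_locked = prev_arglist_locked;` before `alist_unlink(alist);`, or recording in a comment why the current order is safe. Most of do_arg_all() lies outside these hunks, so a possible early return between setting the lock and restoring it could not be checked from this page.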
diff --git a/backport-CVE-2021-4192.patch b/backport-CVE-2021-4192.patch
new file mode 100644
index 0000000000000000000000000000000000000000..68231b30a5b59e966290ffd0f15190812d07fd4d
--- /dev/null
+++ b/backport-CVE-2021-4192.patch
@@ -0,0 +1,65 @@
+From 4c13e5e6763c6eb36a343a2b8235ea227202e952 Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar
+Date: Thu, 30 Dec 2021 14:49:43 +0000
+Subject: [PATCH] patch 8.2.3949: using freed memory with /\%V
+Conflict:NA
+Reference:https://github.com/vim/vim/commit/4c13e5e6763c6eb36a343a2b8235ea227202e952
+
+Problem: Using freed memory with /\%V.
+Solution: Get the line again after getvvcol().
+---
+ src/regexp.c | 9 +++++++--
+ src/testdir/test_regexp_latin.vim | 8 ++++++++
+ 2 files changed, 15 insertions(+), 2 deletions(-)
+
+diff --git a/src/regexp.c b/src/regexp.c
+index 2e94e5a..6849cba 100644
+--- a/src/regexp.c
++++ b/src/regexp.c
+@@ -1276,9 +1276,9 @@ reg_match_visual(void)
+ if (lnum < top.lnum || lnum > bot.lnum)
+ return FALSE;
+
++ col = (colnr_T)(rex.input - rex.line);
+ if (mode == 'v')
+ {
+- col = (colnr_T)(rex.input - rex.line);
+ if ((lnum == top.lnum && col < top.col)
+ || (lnum == bot.lnum && col >= bot.col + (*p_sel != 'e')))
+ return FALSE;
+@@ -1293,7 +1293,12 @@ reg_match_visual(void)
+ end = end2;
+ if (top.col == MAXCOL || bot.col == MAXCOL)
+ end = MAXCOL;
+- cols = win_linetabsize(wp, rex.line, (colnr_T)(rex.input - rex.line));
++
++ // getvvcol() flushes rex.line, need to get it again
++ rex.line = reg_getline(rex.lnum);
++ rex.input = rex.line + col;
++
++ cols = win_linetabsize(wp, rex.line, col);
+ if (cols < start || cols > end - (*p_sel == 'e'))
+ return FALSE;
+ }
+diff --git a/src/testdir/test_regexp_latin.vim b/src/testdir/test_regexp_latin.vim
+index 3168edc..044b678 100644
+--- a/src/testdir/test_regexp_latin.vim
++++ b/src/testdir/test_regexp_latin.vim
+@@ -39,6 +39,14 @@ func Test_recursive_substitute()
+ bwipe!
+ endfunc
+
++func Test_using_visual_position()
++ " this was using freed memory
++ new
++ exe "norm 0o\\k\o0"
++ /\%V
++ bwipe!
++endfunc
++
+ func Test_nested_backrefs()
+ " Check example in change.txt.
+ new
+--
+2.27.0
+
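Review bot: The re-fetch added in the second src/regexp.c hunk assigns `rex.line = reg_getline(rex.lnum);` and immediately forms `rex.line + col` without checking the result. `col` was measured against the old line pointer, so the rebuilt `rex.input` is only valid if reg_getline() hands back the same line text and never NULL for the current line; neither is visible in these hunks. I would extend the comment to state that assumption, for example `// getvvcol() flushes rex.line; re-fetch it and rebase rex.input on "col", which was taken before the flush (line text assumed unchanged)`. reg_match_visual() starts and ends outside the hunks.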
diff --git a/backport-CVE-2021-4193.patch b/backport-CVE-2021-4193.patch
new file mode 100644
index 0000000000000000000000000000000000000000..dbe489683195766079a242619ea092f93d7f9d46
--- /dev/null
+++ b/backport-CVE-2021-4193.patch
@@ -0,0 +1,58 @@
+From 94f3192b03ed27474db80b4d3a409e107140738b Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar
+Date: Thu, 30 Dec 2021 15:29:18 +0000
+Subject: [PATCH] patch 8.2.3950: going beyond the end of the line with /\%V
+Conflict:NA
+Reference:https://github.com/vim/vim/commit/94f3192b03ed27474db80b4d3a409e107140738b
+
+Problem: Going beyond the end of the line with /\%V.
+Solution: Check for valid column in getvcol().
+
+---
+ src/charset.c | 13 +++++++++----
+ src/testdir/test_regexp_latin.vim | 8 ++++++++
+ 2 files changed, 17 insertions(+), 4 deletions(-)
+
+diff --git a/src/charset.c b/src/charset.c
+index 7505fea..a768c17 100644
+--- a/src/charset.c
++++ b/src/charset.c
+@@ -1226,10 +1226,15 @@ getvcol(
+ posptr = NULL; // continue until the NUL
+ else
+ {
+- // Special check for an empty line, which can happen on exit, when
+- // ml_get_buf() always returns an empty string.
+- if (*ptr == NUL)
+- pos->col = 0;
++ colnr_T i;
++
++ // In a few cases the position can be beyond the end of the line.
++ for (i = 0; i < pos->col; ++i)
++ if (ptr[i] == NUL)
++ {
++ pos->col = i;
++ break;
++ }
+ posptr = ptr + pos->col;
+ if (has_mbyte)
+ // always start on the first byte
+diff --git a/src/testdir/test_regexp_latin.vim b/src/testdir/test_regexp_latin.vim
+index 3168edc..4f52bac 100644
+--- a/src/testdir/test_regexp_latin.vim
++++ b/src/testdir/test_regexp_latin.vim
+@@ -149,3 +149,11 @@ func Test_using_mark_position()
+ call assert_fails("s/\\%')", 'E486:')
+ bwipe!
+ endfunc
++
++func Test_using_invalid_visual_position()
++ " this was going beyond the end of the line
++ new
++ exe "norm 0o000\0\$s0"
++ /\%V
++ bwipe!
++endfunc
+--
+2.27.0
+
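Review bot: The clamp loop added to getvcol() writes the shortened column back through `pos`, so a caller's position is modified as a side effect of asking for a virtual column, and the new comment does not say so. The removed code did the same for the empty-line case only; the loop now does it for any column past the NUL. I would word the comment as `// The position can be beyond the end of the line: clamp pos->col to the NUL so posptr stays inside the line (this updates the caller's pos).` The loop guards only the upper bound: a negative `pos->col` would skip it and still reach `ptr + pos->col`, if such a value can arrive here, which this hunk does not show.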
diff --git a/backport-add-the-arglist_locked-flag.patch b/backport-add-the-arglist_locked-flag.patch
new file mode 100644
index 0000000000000000000000000000000000000000..0560c1123119da695c11b9ae94b2adb56ed6dc16
--- /dev/null
+++ b/backport-add-the-arglist_locked-flag.patch
@@ -0,0 +1,173 @@
+From 5ed58c7b700fcb9fd03c418300145b616f4bdcdd Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar
+Date: Thu, 28 Jan 2021 14:24:55 +0100
+Subject: [PATCH] patch 8.2.2421: double free when using autocommand with
+ "argdel"
+Conflict:NA
+Reference:https://github.com/vim/vim/commit/5ed58c7b700fcb9fd03c418300145b616f4bdcdd
+
+Problem: Double free when using autocommand with "argdel". (Houyunsong)
+Solution: Add the arglist_locked flag.
+
+---
+ src/arglist.c | 47 +++++++++++++++++++++++++++++-------
+ src/testdir/test_autocmd.vim | 6 +++++
+ 2 files changed, 44 insertions(+), 9 deletions(-)
+
+diff --git a/src/arglist.c b/src/arglist.c
+index cab74f8..68befa4 100644
+--- a/src/arglist.c
++++ b/src/arglist.c
+@@ -17,12 +17,29 @@
+ #define AL_ADD 2
+ #define AL_DEL 3
+
++// This flag is set whenever the argument list is being changed and calling a
++// function that might trigger an autocommand.
++static int arglist_locked = FALSE;
++
++ static int
++check_arglist_locked(void)
++{
++ if (arglist_locked)
++ {
++ emsg(_(e_cannot_change_arglist_recursively));
++ return FAIL;
++ }
++ return OK;
++}
++
+ /*
+ * Clear an argument list: free all file names and reset it to zero entries.
+ */
+ void
+ alist_clear(alist_T *al)
+ {
++ if (check_arglist_locked() == FAIL)
++ return;
+ while (--al->al_ga.ga_len >= 0)
+ vim_free(AARGLIST(al)[al->al_ga.ga_len].ae_fname);
+ ga_clear(&al->al_ga);
+@@ -126,14 +143,9 @@ alist_set(
+ int fnum_len)
+ {
+ int i;
+- static int recursive = 0;
+
+- if (recursive)
+- {
+- emsg(_(e_au_recursive));
++ if (check_arglist_locked() == FAIL)
+ return;
+- }
+- ++recursive;
+
+ alist_clear(al);
+ if (ga_grow(&al->al_ga, count) == OK)
+@@ -152,7 +164,11 @@ alist_set(
+ // May set buffer name of a buffer previously used for the
+ // argument list, so that it's re-used by alist_add.
+ if (fnum_list != NULL && i < fnum_len)
++ {
++ arglist_locked = TRUE;
+ buf_set_name(fnum_list[i], files[i]);
++ arglist_locked = FALSE;
++ }
+
+ alist_add(al, files[i], use_curbuf ? 2 : 1);
+ ui_breakcheck();
+@@ -163,8 +179,6 @@ alist_set(
+ FreeWild(count, files);
+ if (al == &global_alist)
+ arg_had_last = FALSE;
+-
+- --recursive;
+ }
+
+ /*
+@@ -179,6 +193,10 @@ alist_add(
+ {
+ if (fname == NULL) // don't add NULL file names
+ return;
++ if (check_arglist_locked() == FAIL)
++ return;
++ arglist_locked = TRUE;
++
+ #ifdef BACKSLASH_IN_FILENAME
+ slash_adjust(fname);
+ #endif
+@@ -187,6 +205,8 @@ alist_add(
+ AARGLIST(al)[al->al_ga.ga_len].ae_fnum =
+ buflist_add(fname, BLN_LISTED | (set_fnum == 2 ? BLN_CURBUF : 0));
+ ++al->al_ga.ga_len;
++
++ arglist_locked = FALSE;
+ }
+
+ #if defined(BACKSLASH_IN_FILENAME) || defined(PROTO)
+@@ -334,7 +354,8 @@ alist_add_list(
+ int i;
+ int old_argcount = ARGCOUNT;
+
+- if (ga_grow(&ALIST(curwin)->al_ga, count) == OK)
++ if (check_arglist_locked() != FAIL
++ && ga_grow(&ALIST(curwin)->al_ga, count) == OK)
+ {
+ if (after < 0)
+ after = 0;
+@@ -343,6 +364,7 @@ alist_add_list(
+ if (after < ARGCOUNT)
+ mch_memmove(&(ARGLIST[after + count]), &(ARGLIST[after]),
+ (ARGCOUNT - after) * sizeof(aentry_T));
++ arglist_locked = TRUE;
+ for (i = 0; i < count; ++i)
+ {
+ int flags = BLN_LISTED | (will_edit ? BLN_CURBUF : 0);
+@@ -350,6 +372,7 @@ alist_add_list(
+ ARGLIST[after + i].ae_fname = files[i];
+ ARGLIST[after + i].ae_fnum = buflist_add(files[i], flags);
+ }
++ arglist_locked = FALSE;
+ ALIST(curwin)->al_ga.ga_len += count;
+ if (old_argcount > 0 && curwin->w_arg_idx >= after)
+ curwin->w_arg_idx += count;
+@@ -382,6 +405,9 @@ do_arglist(
+ int match;
+ int arg_escaped = TRUE;
+
++ if (check_arglist_locked() == FAIL)
++ return FAIL;
++
+ // Set default argument for ":argadd" command.
+ if (what == AL_ADD && *str == NUL)
+ {
+@@ -776,6 +802,9 @@ ex_argdelete(exarg_T *eap)
+ int i;
+ int n;
+
++ if (check_arglist_locked() == FAIL)
++ return;
++
+ if (eap->addr_count > 0 || *eap->arg == NUL)
+ {
+ // ":argdel" works like ":argdel"
+diff --git a/src/testdir/test_autocmd.vim b/src/testdir/test_autocmd.vim
+index ab02402..4fa3b51 100755
+--- a/src/testdir/test_autocmd.vim
++++ b/src/testdir/test_autocmd.vim
+@@ -147,6 +147,12 @@ func Test_autocmd_bufunload_with_tabnext()
+ quit
+ endfunc
+
++func Test_argdelete_in_next()
++ au BufNew,BufEnter,BufLeave,BufWinEnter * argdel
++ call assert_fails('next a b', 'E1156:')
++ au! BufNew,BufEnter,BufLeave,BufWinEnter *
++endfunc
++
+ func Test_autocmd_bufwinleave_with_tabfirst()
+ tabedit
+ augroup sample
+--
+2.27.0
+
diff --git a/backport-fix-arglist-test-fails.patch b/backport-fix-arglist-test-fails.patch
new file mode 100644
index 0000000000000000000000000000000000000000..f14e49b7d9fd707dcd0e3b25891f0a6729085ad2
--- /dev/null
+++ b/backport-fix-arglist-test-fails.patch
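Review bot: In backport-add-the-arglist_locked-flag.patch, alist_set(), alist_add() and alist_add_list() release the lock with a hard `arglist_locked = FALSE;` rather than restoring the value they found. That is correct here only because each of them first bails out through check_arglist_locked(), so the flag is known to be FALSE on entry; the do_arg_all() change in backport-CVE-2021-4166.patch already uses the save/restore form with `prev_arglist_locked`. Using the same pattern in these three places, `int prev = arglist_locked;` then `arglist_locked = prev;`, would keep the lock intact if one of them is ever reached while it is held. Separately, alist_clear() and alist_add() now return silently after reporting the error, so a caller that expects an emptied list or hands over `fname` cannot tell the call was refused; their header comments should say so.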
@@ -0,0 +1,50 @@
+From 679140c56bbabf12a199d94f584b1b9dfc9809fd Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar
+Date: Fri, 24 Dec 2021 18:58:46 +0000
+Subject: [PATCH] patch 8.2.3885: arglist test fails
+Conflict:Abridged some of the notes
+Reference:https://github.com/vim/vim/commit/679140c56bbabf12a199d94f584b1b9dfc9809fd
+
+Problem: Arglist test fails.
+Solution: Adjust for locking the arglist for ":all".
+
+---
+ src/testdir/test_arglist.vim | 13 ++++++-------
+ 1 file changed, 6 insertions(+), 7 deletions(-)
+
+diff --git a/src/testdir/test_arglist.vim b/src/testdir/test_arglist.vim
+index 7ebe8a2..e5a5e89 100644
+--- a/src/testdir/test_arglist.vim
++++ b/src/testdir/test_arglist.vim
+@@ -470,15 +470,14 @@ func Test_arglist_autocmd()
+ new
+ " redefine arglist; go to Xxx1
+ next! Xxx1 Xxx2 Xxx3
+- " open window for all args
+- all
++ " open window for all args; Reading Xxx2 will try to change the arglist and
++ " that will fail
++ call assert_fails("all", "E1156:")
+ call assert_equal('test file Xxx1', getline(1))
+ wincmd w
+- wincmd w
+- call assert_equal('test file Xxx1', getline(1))
+- " should now be in Xxx2
+- rewind
+ call assert_equal('test file Xxx2', getline(1))
++ wincmd w
++ call assert_equal('test file Xxx3', getline(1))
+
+ autocmd! BufReadPost Xxx2
+ enew! | only
+@@ -515,6 +514,6 @@ endfunc
+ func Test_clear_arglist_in_all()
+ n 0 00 000 0000 00000 000000
+ au! * 0 n 0
+- all
++ call assert_fails("all", "E1156")
+ au! *
+ endfunc
+--
+2.27.0
+
diff --git a/backport-fix-giving-the-error-0-more-files-to-edit.patch b/backport-fix-giving-the-error-0-more-files-to-edit.patch
new file mode 100644
index 0000000000000000000000000000000000000000..a98fc9eb8dc1fbf625cb55b97f249247e475149b
--- /dev/null
+++ b/backport-fix-giving-the-error-0-more-files-to-edit.patch
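Review bot: The two assertions added by backport-fix-arglist-test-fails.patch match the error differently: Test_arglist_autocmd uses `"E1156:"` while Test_clear_arglist_in_all uses `"E1156"` without the colon. The looser pattern also accepts any other message that merely contains that text, so writing the second one as `call assert_fails("all", "E1156:")` would pin the regression test for the arglist lock to the intended error and keep the file consistent.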
@@ -0,0 +1,94 @@
+From 7b22117c4ecf383b6f35acef041773a83ec28220 Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar
+Date: Mon, 17 Aug 2020 19:34:10 +0200
+Subject: [PATCH] patch 8.2.1472: ":argdel" does not work like ":.argdel" as
+ documented
+Conflict:NA
+Reference:https://github.com/vim/vim/commit/7b22117c4ecf383b6f35acef041773a83ec28220
+
+Problem: ":argdel" does not work like ":.argdel" as documented. (Alexey
+ Demin)
+Solution: Make ":argdel" work like ":.argdel". (closes #6727)
+ Also fix giving the error "0 more files to edit".
+
+---
+ src/arglist.c | 18 +++++++++++++-----
+ src/ex_docmd.c | 2 +-
+ src/testdir/test_arglist.vim | 10 ++++++++--
+ 3 files changed, 22 insertions(+), 8 deletions(-)
+
+diff --git a/src/arglist.c b/src/arglist.c
+index b1a6a0b..cab74f8 100644
+--- a/src/arglist.c
++++ b/src/arglist.c
+@@ -776,10 +776,20 @@ ex_argdelete(exarg_T *eap)
+ int i;
+ int n;
+
+- if (eap->addr_count > 0)
++ if (eap->addr_count > 0 || *eap->arg == NUL)
+ {
+- // ":1,4argdel": Delete all arguments in the range.
+- if (eap->line2 > ARGCOUNT)
++ // ":argdel" works like ":argdel"
++ if (eap->addr_count == 0)
++ {
++ if (curwin->w_arg_idx >= ARGCOUNT)
++ {
++ emsg(_("E610: No argument to delete"));
++ return;
++ }
++ eap->line1 = eap->line2 = curwin->w_arg_idx + 1;
++ }
++ else if (eap->line2 > ARGCOUNT)
++ // ":1,4argdel": Delete all arguments in the range.
+ eap->line2 = ARGCOUNT;
+ n = eap->line2 - eap->line1 + 1;
+ if (*eap->arg != NUL)
+@@ -808,8 +818,6 @@ ex_argdelete(exarg_T *eap)
+ curwin->w_arg_idx = ARGCOUNT - 1;
+ }
+ }
+- else if (*eap->arg == NUL)
+- emsg(_(e_argreq));
+ else
+ do_arglist(eap->arg, AL_DEL, 0, FALSE);
+ #ifdef FEAT_TITLE
+diff --git a/src/ex_docmd.c b/src/ex_docmd.c
+index cb6b64a..dfcbf37 100644
+--- a/src/ex_docmd.c
++++ b/src/ex_docmd.c
+@@ -4719,7 +4719,7 @@ check_more(
+ int n = ARGCOUNT - curwin->w_arg_idx - 1;
+
+ if (!forceit && only_one_window()
+- && ARGCOUNT > 1 && !arg_had_last && n >= 0 && quitmore == 0)
++ && ARGCOUNT > 1 && !arg_had_last && n > 0 && quitmore == 0)
+ {
+ if (message)
+ {
+diff --git a/src/testdir/test_arglist.vim b/src/testdir/test_arglist.vim
+index c486b18..3e1e175 100644
+--- a/src/testdir/test_arglist.vim
++++ b/src/testdir/test_arglist.vim
+@@ -416,9 +416,15 @@ func Test_argdelete()
+ last
+ argdelete %
+ call assert_equal(['b'], argv())
+- call assert_fails('argdelete', 'E471:')
++ call assert_fails('argdelete', 'E610:')
+ call assert_fails('1,100argdelete', 'E16:')
+- %argd
++
++ call Reset_arglist()
++ args a b c d
++ next
++ argdel
++ call Assert_argc(['a', 'c', 'd'])
++ %argdel
+ endfunc
+
+ func Test_argdelete_completion()
+--
+2.27.0
+
diff --git a/backport-missing-error-message.patch b/backport-missing-error-message.patch
new file mode 100644
index 0000000000000000000000000000000000000000..72719e5444e42ce9bb5875da176ca76a89050d68
--- /dev/null
+++ b/backport-missing-error-message.patch
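Review bot: The comment added at the top of the new branch in ex_argdelete() reads `// ":argdel" works like ":argdel"`, which is a tautology; the subject and description of this same patch state the intent as ":argdel" behaving like ":.argdel". The dot is missing and should be put back: `// ":argdel" works like ":.argdel"`. The same hunk reports the new failure with an inline string, `emsg(_("E610: No argument to delete"))`, whereas the other errors touched in this series are named constants (`e_argreq`, `e_cannot_change_arglist_recursively`); that part is only a consistency remark. ex_argdelete() continues outside the hunk.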
@@ -0,0 +1,29 @@
+From 61015162ba834541c42da5db6f3fa0ebe1d40e87 Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar
+Date: Thu, 28 Jan 2021 17:56:09 +0100
+Subject: [PATCH] patch 8.2.2423: missing error message
+Conflict:add missing error message
+Reference:https://github.com/vim/vim/commit/61015162ba834541c42da5db6f3fa0ebe1d40e87
+
+Problem: Missing error message.
+Solution: Add the error message.
+
+---
+ src/globals.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/globals.h b/src/globals.h
+index 009834c..872e895 100644
+--- a/src/globals.h
++++ b/src/globals.h
+@@ -1451,6 +1451,7 @@ EXTERN int netbeansSuppressNoLines INIT(= 0); // skip "No lines in buffer"
+ */
+ EXTERN char e_abort[] INIT(= N_("E470: Command aborted"));
+ EXTERN char e_argreq[] INIT(= N_("E471: Argument required"));
++EXTERN char e_cannot_change_arglist_recursively[] INIT(= N_("E1156: Cannot change the argument list recursively"));
+ EXTERN char e_backslash[] INIT(= N_("E10: \\ should be followed by /, ? or &"));
+ #ifdef FEAT_CMDWIN
+ EXTERN char e_cmdwin[] INIT(= N_("E11: Invalid in command-line window; executes, CTRL-C quits"));
+--
+2.27.0
+
diff --git a/vim.spec b/vim.spec
index 73f9e9bf34a079dde00edfbf97aec7983bb8ec98..39eb205af67a216175a416a1e8d7c29a8723a33a 100644
--- a/vim.spec
+++ b/vim.spec
@@ -12,7 +12,7 @@
 Name: vim
 Epoch: 2
 Version: 8.2
-Release: 19
+Release: 20
 Summary: Vim is a highly configurable text editor for efficiently creating and changing any kind of text.
 License: Vim and MIT
 URL: http://www.vim.org
@@ -57,6 +57,14 @@ Patch6019: backport-no-early-check-if-find-and-sfind-have-an-argument.patch
 Patch6020: backport-CVE-2021-3984.patch
 Patch6021: backport-CVE-2021-4019.patch
 Patch6022: backport-CVE-2021-4069.patch
+Patch6023: backport-missing-error-message.patch
+Patch6024: backport-fix-giving-the-error-0-more-files-to-edit.patch
+Patch6025: backport-add-the-arglist_locked-flag.patch
+Patch6026: backport-CVE-2021-4166.patch
+Patch6027: backport-fix-arglist-test-fails.patch
+Patch6028: backport-CVE-2021-4192.patch
+Patch6029: backport-CVE-2021-4193.patch
+
 Patch9000: bugfix-rm-modify-info-version.patch
@@ -445,6 +453,18 @@ popd
 %{_mandir}/man1/evim.*
 %changelog
+* Mon Jan 17 2022 yuanxin - 2:8.2-21
+- Type:CVE
+- ID:CVE-2021-4166 CVE-2021-4192 CVE-2021-4193
+- SUG:NA
+- DESC:fix CVE-2021-4166 CVE-2021-4192 CVE-2021-4193
+
+* Thu Jan 13 2022 shixuantong - 2:8.2-20
+- Type:bugfix
+- ID:NA
+- SUG:NA
+- DESC:fix build fail
+
 * Sat Dec 11 2021 yuanxin - 2:8.2-19
 - Type:CVE
 - ID:CVE-2021-4069
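Review bot: The new top %changelog entry is stamped `2:8.2-21`, but the header hunk of vim.spec only raises `Release` from 19 to 20, so the package carrying the CVE-2021-4166, CVE-2021-4192 and CVE-2021-4193 patches would build as release 20 while its changelog says 21. Tooling and advisories that compare the installed release against the "fixed in" release can then report the patched build as still vulnerable, and the `2:8.2-20` "fix build fail" entry ends up describing the release that actually ships the CVE fixes. Either set `Release: 21` or correct the changelog stamps so the top entry matches the Release tag.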