master

分支 (14)

标签 (11)

管理

管理

master

openEuler-22.03-LTS-Next

virctest1

openEuler1.0

openEuler-20.03-LTS-SP1

openEuler-20.03-LTS-SP3

openEuler-22.03-LTS

openEuler-21.09

openEuler-20.03-LTS-SP2

openEuler-20.03-LTS

openEuler-20.03-LTS-Next

openEuler-21.03

openEuler-20.09

openEuler1.0-base

openEuler-22.03-LTS-20220331

openEuler-22.03-LTS-round5

openEuler-22.03-LTS-round3

openEuler-22.03-LTS-round2

openEuler-22.03-LTS-round1

openEuler-20.03-LTS-SP3-release

openEuler-20.03-LTS-SP2-20210624

openEuler-21.03-20210330

openEuler-20.09-20200929

openEuler-20.03-LTS-20200606

openEuler-20.03-LTS-tag

vim
/
backport-CVE-2022-0351.patch

From: Bram Moolenaar <Bram@vim.org>
Date: Mon, 24 Jan 2022 18:16:12 +0000
Subject: [PATCH] patch 8.2.4206: condition with many "(" causes a crash

Problem:    Condition with many "(" causes a crash.
Solution:   Limit recursion to 1000.
---
 src/eval.c                      | 12 ++++++++++++
 src/globals.h                   |  2 ++
 src/testdir/test_eval_stuff.vim |  5 +++++
 3 files changed, 19 insertions(+)

diff --git a/src/eval.c b/src/eval.c
index 3b563f7..95dda90 100644
--- a/src/eval.c
+++ b/src/eval.c
@@ -2495,6 +2495,7 @@ eval7(
     char_u	*start_leader, *end_leader;
     int		ret = OK;
     char_u	*alias;
+    static	int recurse = 0;

     /*
      * Initialise variable so that clear_tv() can't mistake this for a
@@ -2521,6 +2522,15 @@ eval7(
 	return FAIL;
     }

+    // Limit recursion to 1000 levels.  At least at 10000 we run out of stack
+    // and crash.
+    if (recurse == 1000)
+    {
+	semsg(_(e_expression_too_recursive_str), *arg);
+	return FAIL;
+    }
+    ++recurse;
+
     switch (**arg)
     {
     /*
@@ -2761,6 +2771,8 @@ eval7(
      */
     if (ret == OK && evaluate && end_leader > start_leader)
 	ret = eval7_leader(rettv, start_leader, &end_leader);
+
+    --recurse;
     return ret;
 }

diff --git a/src/globals.h b/src/globals.h
index 75092b7..659bad6 100644
--- a/src/globals.h
+++ b/src/globals.h
@@ -1464,6 +1464,8 @@ EXTERN char e_endwhile[]	INIT(= N_("E170: Missing :endwhile"));
 EXTERN char e_endfor[]	INIT(= N_("E170: Missing :endfor"));
 EXTERN char e_while[]		INIT(= N_("E588: :endwhile without :while"));
 EXTERN char e_for[]		INIT(= N_("E588: :endfor without :for"));
+EXTERN char e_expression_too_recursive_str[]
+       INIT(= N_("E1169: Expression too recursive: %s"));
 #endif
 EXTERN char e_exists[]	INIT(= N_("E13: File exists (add ! to override)"));
 EXTERN char e_failed[]	INIT(= N_("E472: Command failed"));
diff --git a/src/testdir/test_eval_stuff.vim b/src/testdir/test_eval_stuff.vim
index ec566da..32a5411 100644
--- a/src/testdir/test_eval_stuff.vim
+++ b/src/testdir/test_eval_stuff.vim
@@ -216,3 +216,8 @@ func Test_scriptversion_fail()
   call assert_fails('source Xversionscript', 'E999:')
   call delete('Xversionscript')
 endfunc
+
+func Test_deep_recursion()
+  " this was running out of stack
+  call assert_fails("exe 'if ' .. repeat('(', 1002)", 'E1169: Expression too recursive: ((')+endfunc
+endfunc
--
1.8.3.1