Projects
Mega:23.09
vim
Sign Up
Log In
Username
Password
We truncated the diff of some files because they were too big. If you want to see the full diff for every file,
click here
.
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
Expand all
Collapse all
Changes of Revision 3
View file
_service:tar_scm:vim.spec
Changed
@@ -12,7 +12,7 @@ Name: vim Epoch: 2 Version: 9.0 -Release: 36 +Release: 42 Summary: Vim is a highly configurable text editor for efficiently creating and changing any kind of text. License: Vim and MIT URL: http://www.vim.org @@ -108,6 +108,19 @@ Patch6078: backport-CVE-2023-4750.patch Patch6079: backport-CVE-2023-4752.patch Patch6080: backport-CVE-2023-4781.patch +Patch6081: backport-CVE-2023-5344.patch +Patch6082: backport-CVE-2023-5441.patch +Patch6083: backport-CVE-2023-5535.patch +Patch6084: backport-CVE-2023-46246.patch +Patch6085: backport-patch-improve-the-error-detection.patch +patch6086: backport-CVE-2023-48231.patch +patch6087: backport-CVE-2023-48233.patch +patch6088: backport-CVE-2023-48234.patch +patch6089: backport-CVE-2023-48235.patch +patch6090: backport-CVE-2023-48236.patch +patch6091: backport-CVE-2023-48237.patch +patch6092: backport-patch-9.0.2114-overflow-detection-not-accurate-when-adding-digits.patch +Patch6093: backport-CVE-2023-48706.patch Patch9000: bugfix-rm-modify-info-version.patch @@ -515,6 +528,42 @@ %{_mandir}/man1/evim.* %changelog +* Tue Nov 28 2023 wangjiang <wangjiang37@h-partners.com> - 2:9.0-42 +- Type:CVE +- ID:CVE-2023-48706 +- SUG:NA +- DESC:fix CVE-2023-48706 + +* Wed Nov 22 2023 wangjiang <wangjiang37@h-partners.com> - 2:9.0-41 +- Type:CVE +- ID:CVE-2023-48231 CVE-2023-48233 CVE-2023-48234 CVE-2023-48235 CVE-2023-48236 CVE-2023-48237 +- SUG:NA +- DESC:fix CVE-2023-48231 CVE-2023-48233 CVE-2023-48234 CVE-2023-48235 CVE-2023-48236 CVE-2023-48237 + +* Mon Nov 06 2023 wangjiang <wangjiang37@h-partners.com> - 2:9.0-40 +- Type:bugfix +- ID:NA +- SUG:NA +- DESC:fix garbled characters display with keywords of filename + +* Wed Nov 01 2023 wangjiang <wangjiang37@h-partners.com> - 2:9.0-39 +- Type:CVE +- ID:CVE-2023-46246 +- SUG:NA +- DESC:fix CVE-2023-46246 + +* Mon Oct 16 2023 wangjiang <wangjiang37@h-partners.com> - 2:9.0-38 +- Type:CVE +- ID:CVE-2023-5441 CVE-2023-5535 +- SUG:NA +- DESC:fix CVE-2023-5441 CVE-2023-5535 + +* Tue Oct 10 2023 wangjiang <wangjiang37@h-partners.com> - 2:9.0-37 +- Type:CVE +- ID:CVE-2023-5344 +- SUG:NA +- DESC:fix CVE-2023-5344 + * Tue Sep 12 2023 wangjiang <wangjiang37@h-partners.com> - 2:9.0-36 - Type:CVE - ID:CVE-2023-4738 CVE-2023-4750 CVE-2023-4752 CVE-2023-4781
View file
_service:tar_scm:backport-CVE-2023-46246.patch
Added
@@ -0,0 +1,102 @@ +From 9198c1f2b1ddecde22af918541e0de2a32f0f45a Mon Sep 17 00:00:00 2001 +From: Christian Brabandt <cb@256bit.org> +Date: Thu, 26 Oct 2023 21:29:32 +0200 +Subject: PATCH patch 9.0.2068: security overflow in :history + +Problem: security overflow in :history +Solution: Check that value fits into int + +The get_list_range() function, used to parse numbers for the :history +and :clist command internally uses long variables to store the numbers. +However function arguments are integer pointers, which can then +overflow. + +Check that the return value from the vim_str2nr() function is not larger +than INT_MAX and if yes, bail out with an error. I guess nobody uses a +cmdline/clist history that needs so many entries... (famous last words). + +It is only a moderate vulnerability, so impact should be low. + +Github Advisory: +https://github.com/vim/vim/security/advisories/GHSA-q22m-h7m2-9mgm + +Signed-off-by: Christian Brabandt <cb@256bit.org> +--- + src/cmdhist.c | 5 ++++- + src/errors.h | 2 ++ + src/ex_getln.c | 10 +++++++++- + src/testdir/test_history.vim | 8 ++++++++ + 4 files changed, 23 insertions(+), 2 deletions(-) + +diff --git a/src/cmdhist.c b/src/cmdhist.c +index d398ca7a687b5..96a9b3e95b86f 100644 +--- a/src/cmdhist.c ++++ b/src/cmdhist.c +@@ -740,7 +740,10 @@ ex_history(exarg_T *eap) + end = arg; + if (!get_list_range(&end, &hisidx1, &hisidx2) || *end != NUL) + { +- semsg(_(e_trailing_characters_str), end); ++ if (*end != NUL) ++ semsg(_(e_trailing_characters_str), end); ++ else ++ semsg(_(e_val_too_large), arg); + return; + } + +diff --git a/src/errors.h b/src/errors.h +index 79a785e1e2953..72957d8b93bdc 100644 +--- a/src/errors.h ++++ b/src/errors.h +@@ -3306,3 +3306,5 @@ EXTERN char e_substitute_nesting_too_deep + #endif + EXTERN char e_window_unexpectedly_close_while_searching_for_tags + INIT(= N_("E1299: Window unexpectedly closed while searching for tags")); ++EXTERN char e_val_too_large ++ INIT(= N_("E1510: Value too large: %s")); +diff --git a/src/ex_getln.c b/src/ex_getln.c +index 9683e2ebd5af5..8f0be520886be 100644 +--- a/src/ex_getln.c ++++ b/src/ex_getln.c +@@ -4326,6 +4326,10 @@ get_list_range(char_u **str, int *num1, int *num2) + { + vim_str2nr(*str, NULL, &len, 0, &num, NULL, 0, FALSE); + *str += len; ++ // overflow ++ if (num > INT_MAX) ++ return FAIL; ++ + *num1 = (int)num; + first = TRUE; + } +@@ -4336,8 +4340,12 @@ get_list_range(char_u **str, int *num1, int *num2) + vim_str2nr(*str, NULL, &len, 0, &num, NULL, 0, FALSE); + if (len > 0) + { +- *num2 = (int)num; + *str = skipwhite(*str + len); ++ // overflow ++ if (num > INT_MAX) ++ return FAIL; ++ ++ *num2 = (int)num; + } + else if (!first) // no number given at all + return FAIL; +diff --git a/src/testdir/test_history.vim b/src/testdir/test_history.vim +index bb6d67172585e..482328ab4aaef 100644 +--- a/src/testdir/test_history.vim ++++ b/src/testdir/test_history.vim +@@ -249,4 +249,12 @@ func Test_history_crypt_key() + set key& bs& ts& + endfunc + ++" The following used to overflow and causing an use-after-free ++func Test_history_max_val() ++ ++ set history=10 ++ call assert_fails(':history 2147483648', 'E1510:') ++ set history& ++endfunc ++ + " vim: shiftwidth=2 sts=2 expandtab
View file
_service:tar_scm:backport-CVE-2023-4781.patch
Changed
@@ -31,7 +31,7 @@ index 1af2395df..f77ede330 100644 --- a/src/window.c +++ b/src/window.c -@@ -1738,6 +1738,11 @@ win_exchange(long Prenum) +@@ -1646,6 +1646,11 @@ win_exchange(long Prenum) beep_flush(); return; }
View file
_service:tar_scm:backport-CVE-2023-48231.patch
Added
@@ -0,0 +1,32 @@ +From 25aabc2b8ee1e19ced6f4da9d866cf9378fc4c5a Mon Sep 17 00:00:00 2001 +From: Christian Brabandt <cb@256bit.org> +Date: Tue, 14 Nov 2023 19:31:34 +0100 +Subject: PATCH patch 9.0.2106: security: Use-after-free in win_close() + +Problem: security: Use-after-free in win_close() +Solution: Check window is valid, before accessing it + +If the current window structure is no longer valid (because a previous +autocommand has already freed this window), fail and return before +attempting to set win->w_closing variable. + +Add a test to trigger ASAN in CI + +Signed-off-by: Christian Brabandt <cb@256bit.org> +--- + src/window.c | 2 ++ + 1 files changed, 2 insertions(+) + +diff --git a/src/window.c b/src/window.c +index f77ede330d304..55ce31c886437 100644 +--- a/src/window.c ++++ b/src/window.c +@@ -2606,6 +2606,8 @@ win_close(win_T *win, int free_buf) + reset_VIsual_and_resel(); // stop Visual mode + + other_buffer = TRUE; ++ if (!win_valid(win)) ++ return FAIL; + win->w_closing = TRUE; + apply_autocmds(EVENT_BUFLEAVE, NULL, NULL, FALSE, curbuf); + if (!win_valid(win))
View file
_service:tar_scm:backport-CVE-2023-48233.patch
Added
@@ -0,0 +1,112 @@ +From ac63787734fda2e294e477af52b3bd601517fa78 Mon Sep 17 00:00:00 2001 +From: Christian Brabandt <cb@256bit.org> +Date: Tue, 14 Nov 2023 20:45:48 +0100 +Subject: PATCH patch 9.0.2108: security: overflow with count for :s + command + +Problem: security: overflow with count for :s command +Solution: Abort the :s command if the count is too large + +If the count after the :s command is larger than what fits into a +(signed) long variable, abort with e_value_too_large. + +Adds a test with INT_MAX as count and verify it correctly fails. + +It seems the return value on Windows using mingw compiler wraps around, +so the initial test using :s/./b/9999999999999999999999999990 doesn't +fail there, since the count is wrapping around several times and finally +is no longer larger than 2147483647. So let's just use 2147483647 in the +test, which hopefully will always cause a failure + +Signed-off-by: Christian Brabandt <cb@256bit.org> +--- + runtime/doc/change.txt | 8 ++++---- + runtime/doc/cmdline.txt | 3 ++- + runtime/doc/tags | 1 + + src/ex_cmds.c | 7 +++++++ + src/testdir/test_substitute.vim | 1 + + 5 files changed, 15 insertions(+), 5 deletions(-) + +diff --git a/runtime/doc/change.txt b/runtime/doc/change.txt +index 65da9a7c6b92b..dccaa44c89922 100644 +--- a/runtime/doc/change.txt ++++ b/runtime/doc/change.txt +@@ -1,4 +1,4 @@ +-*change.txt* For Vim version 9.0. Last change: 2022 May 26 ++*change.txt* For Vim version 9.0. Last change: 2023 Nov 15 + + + VIM REFERENCE MANUAL by Bram Moolenaar +@@ -635,9 +635,9 @@ For other systems the tmpnam() library function is used. + current line only. When count is given, replace in + count lines, starting with the last line in range. + When range is omitted start in the current line. +- *E939* +- count must be a positive number. Also see +- |cmdline-ranges|. ++ *E939* *E1510* ++ count must be a positive number (max 2147483647) ++ Also see |cmdline-ranges|. + + See |:s_flags| for flags. + The delimiter doesn't need to be /, see +diff --git a/runtime/doc/cmdline.txt b/runtime/doc/cmdline.txt +index c5d0096ddb74c..cbcf0ad274fe2 100644 +--- a/runtime/doc/cmdline.txt ++++ b/runtime/doc/cmdline.txt +@@ -1,4 +1,4 @@ +-*cmdline.txt* For Vim version 9.0. Last change: 2022 Jun 16 ++*cmdline.txt* For Vim version 9.0. Last change: 2023 Nov 15 + + + VIM REFERENCE MANUAL by Bram Moolenaar +@@ -359,6 +359,7 @@ terminals) + A positive number represents the absolute index of an entry + as it is given in the first column of a :history listing. + This number remains fixed even if other entries are deleted. ++ (see |E1510|) + + A negative number means the relative position of an entry, + counted from the newest entry (which has index -1) backwards. +diff --git a/runtime/doc/tags b/runtime/doc/tags +index f49061aa21064..0021ddb127793 100644 +--- a/runtime/doc/tags ++++ b/runtime/doc/tags +@@ -4300,6 +4300,7 @@ E149 helphelp.txt /*E149* + E15 eval.txt /*E15* + E150 helphelp.txt /*E150* + E151 helphelp.txt /*E151* ++E1510 change.txt /*E1510* + E152 helphelp.txt /*E152* + E153 helphelp.txt /*E153* + E154 helphelp.txt /*E154* +diff --git a/src/ex_cmds.c b/src/ex_cmds.c +index 3544092d65b11..c5f912e7ee57f 100644 +--- a/src/ex_cmds.c ++++ b/src/ex_cmds.c +@@ -3940,6 +3940,13 @@ ex_substitute(exarg_T *eap) + emsg(_(e_positive_count_required)); + return; + } ++ else if (i >= INT_MAX) ++ { ++ char buf20; ++ vim_snprintf(buf, sizeof(buf), "%ld", i); ++ semsg(_(e_val_too_large), buf); ++ return; ++ } + eap->line1 = eap->line2; + eap->line2 += i - 1; + if (eap->line2 > curbuf->b_ml.ml_line_count) +diff --git a/src/testdir/test_substitute.vim b/src/testdir/test_substitute.vim +index b99d0e0058270..3ed159799f5cc 100644 +--- a/src/testdir/test_substitute.vim ++++ b/src/testdir/test_substitute.vim +@@ -205,6 +205,7 @@ func Test_substitute_count() + call assert_equal('foo foo', 'foo foo', 'foo foo', 'bar foo', 'bar foo', + \ getline(1, '$')) + ++ call assert_fails('s/./b/2147483647', 'E1510:') + bwipe! + endfunc +
View file
_service:tar_scm:backport-CVE-2023-48234.patch
Added
@@ -0,0 +1,50 @@ +From 58f9befca1fa172068effad7f2ea5a9d6a7b0cca Mon Sep 17 00:00:00 2001 +From: Christian Brabandt <cb@256bit.org> +Date: Tue, 14 Nov 2023 21:02:30 +0100 +Subject: PATCH patch 9.0.2109: security: overflow in nv_z_get_count + +Problem: security: overflow in nv_z_get_count +Solution: break out, if count is too large + +When getting the count for a normal z command, it may overflow for large +counts given. So verify, that we can safely store the result in a long. + +Signed-off-by: Christian Brabandt <cb@256bit.org> +--- + src/normal.c | 7 +++++++ + src/testdir/test_normal.vim | 5 +++++ + 2 files changed, 12 insertions(+) + +diff --git a/src/normal.c b/src/normal.c +index a06d61e6fce7d..16b4b45069329 100644 +--- a/src/normal.c ++++ b/src/normal.c +@@ -2567,7 +2567,14 @@ nv_z_get_count(cmdarg_T *cap, int *nchar_arg) + if (nchar == K_DEL || nchar == K_KDEL) + n /= 10; + else if (VIM_ISDIGIT(nchar)) ++ { ++ if (n > LONG_MAX / 10) ++ { ++ clearopbeep(cap->oap); ++ break; ++ } + n = n * 10 + (nchar - '0'); ++ } + else if (nchar == CAR) + { + #ifdef FEAT_GUI +diff --git a/src/testdir/test_normal.vim b/src/testdir/test_normal.vim +index c7d37f066f208..6b889f46b3dd7 100644 +--- a/src/testdir/test_normal.vim ++++ b/src/testdir/test_normal.vim +@@ -3757,4 +3757,9 @@ func Test_normal33_g_cmd_nonblank() + bwipe! + endfunc + ++func Test_normal34_zet_large() ++ " shouldn't cause overflow ++ norm! z9765405999999999999 ++endfunc ++ + " vim: shiftwidth=2 sts=2 expandtab
View file
_service:tar_scm:backport-CVE-2023-48235.patch
Added
@@ -0,0 +1,50 @@ +From 060623e4a3bc72b011e7cd92bedb3bfb64e06200 Mon Sep 17 00:00:00 2001 +From: Christian Brabandt <cb@256bit.org> +Date: Tue, 14 Nov 2023 21:33:29 +0100 +Subject: PATCH patch 9.0.2110: security: overflow in ex address parsing + +Problem: security: overflow in ex address parsing +Solution: Verify that lnum is positive, before substracting from + LONG_MAX + +security: overflow in ex address parsing + +When parsing relative ex addresses one may unintentionally cause an +overflow (because LONG_MAX - lnum will overflow for negative addresses). + +So verify that lnum is actually positive before doing the overflow +check. + +Signed-off-by: Christian Brabandt <cb@256bit.org> +--- + src/ex_docmd.c | 2 +- + src/testdir/test_excmd.vim | 4 ++++ + 2 files changed, 5 insertions(+), 1 deletion(-) + +diff --git a/src/ex_docmd.c b/src/ex_docmd.c +index 06837ac92c55c..01d411a632ccf 100644 +--- a/src/ex_docmd.c ++++ b/src/ex_docmd.c +@@ -4603,7 +4603,7 @@ get_address( + lnum -= n; + else + { +- if (n >= LONG_MAX - lnum) ++ if (lnum >= 0 && n >= LONG_MAX - lnum) + { + emsg(_(e_line_number_out_of_range)); + goto error; +diff --git a/src/testdir/test_excmd.vim b/src/testdir/test_excmd.vim +index 3637351f636c0..47fc26726d5e6 100644 +--- a/src/testdir/test_excmd.vim ++++ b/src/testdir/test_excmd.vim +@@ -725,5 +725,9 @@ func Test_write_after_rename() + bwipe! + endfunc + ++" catch address lines overflow ++func Test_ex_address_range_overflow() ++ call assert_fails(':--+foobar', 'E492:') ++endfunc + + " vim: shiftwidth=2 sts=2 expandtab
View file
_service:tar_scm:backport-CVE-2023-48236.patch
Added
@@ -0,0 +1,53 @@ +From 73b2d3790cad5694fc0ed0db2926e4220c48d968 Mon Sep 17 00:00:00 2001 +From: Christian Brabandt <cb@256bit.org> +Date: Tue, 14 Nov 2023 21:58:26 +0100 +Subject: PATCH patch 9.0.2111: security: overflow in get_number + +Problem: security: overflow in get_number +Solution: Return 0 when the count gets too large + +security: overflow in get_number + +When using the z= command, we may overflow the count with values larger +than MAX_INT. So verify that we do not overflow and in case when an +overflow is detected, simply return 0 + +Signed-off-by: Christian Brabandt <cb@256bit.org> +--- + src/misc1.c | 2 ++ + src/testdir/test_spell.vim | 9 +++++++++ + 2 files changed, 11 insertions(+) + +diff --git a/src/misc1.c b/src/misc1.c +index 5b008c614a9bb..5f9828ebe9544 100644 +--- a/src/misc1.c ++++ b/src/misc1.c +@@ -951,6 +951,8 @@ get_number( + c = safe_vgetc(); + if (VIM_ISDIGIT(c)) + { ++ if (n > INT_MAX / 10) ++ return 0; + n = n * 10 + c - '0'; + msg_putchar(c); + ++typed; +diff --git a/src/testdir/test_spell.vim b/src/testdir/test_spell.vim +index be0bc55810f0e..1ddcd83d5117e 100644 +--- a/src/testdir/test_spell.vim ++++ b/src/testdir/test_spell.vim +@@ -965,6 +965,15 @@ func Test_spell_screendump() + call delete('XtestSpell') + endfunc + ++func Test_z_equal_with_large_count() ++ split ++ set spell ++ call setline(1, "ff") ++ norm 0z=337203685477580 ++ set nospell ++ bwipe! ++endfunc ++ + let g:test_data_aff1 = + \"SET ISO8859-1", + \"TRY esianrtolcdugmphbyfvkwjkqxz-\xEB\xE9\xE8\xEA\xEF\xEE\xE4\xE0\xE2\xF6\xFC\xFB'ESIANRTOLCDUGMPHBYFVKWJKQXZ",
View file
_service:tar_scm:backport-CVE-2023-48237.patch
Added
@@ -0,0 +1,97 @@ +From 6bf131888a3d1de62bbfa8a7ea03c0ddccfd496e Mon Sep 17 00:00:00 2001 +From: Christian Brabandt <cb@256bit.org> +Date: Tue, 14 Nov 2023 22:42:59 +0100 +Subject: PATCH patch 9.0.2112: security: overflow in shift_line + +Problem: security: overflow in shift_line +Solution: allow a max indent of INT_MAX + +security: overflow in shift_line + +When shifting lines in operator pending mode and using a very large +value, we may overflow the size of integer. Fix this by using a long +variable, testing if the result would be larger than INT_MAX and if so, +indent by INT_MAX value. + +Special case: We cannot use long here, since on 32bit architectures (or +on Windows?), it typically cannot take larger values than a plain int, +so we have to use long long count, decide whether the resulting +multiplication of the shiftwidth value * amount is larger than INT_MAX +and if so, we will store INT_MAX as possible larges value in the long +long count variable. + +Then we can safely cast it back to int when calling the functions to set +the indent (set_indent() or change_indent()). So this should be safe. + +Add a test that when using a huge value in operator pending mode for +shifting, we will shift by INT_MAX + +closes: #13535 + +Signed-off-by: Christian Brabandt <cb@256bit.org> +--- + src/ops.c | 15 ++++++++++----- + src/testdir/test_indent.vim | 11 +++++++++++ + 2 files changed, 21 insertions(+), 5 deletions(-) + +diff --git a/src/ops.c b/src/ops.c +index c0a2981d68770..ecd7fc2170c58 100644 +--- a/src/ops.c ++++ b/src/ops.c +@@ -226,11 +226,11 @@ shift_line( + int amount, + int call_changed_bytes) // call changed_bytes() + { +- int count; ++ long long count; + int i, j; + int sw_val = (int)get_sw_value_indent(curbuf); + +- count = get_indent(); // get current indent ++ count = (long long)get_indent(); // get current indent + + if (round) // round off indent + { +@@ -257,14 +257,19 @@ shift_line( + count = 0; + } + else +- count += sw_val * amount; ++ { ++ if ((long long)sw_val * (long long)amount > INT_MAX - count) ++ count = INT_MAX; ++ else ++ count += (long long)sw_val * (long long)amount; ++ } + } + + // Set new indent + if (State & VREPLACE_FLAG) +- change_indent(INDENT_SET, count, FALSE, NUL, call_changed_bytes); ++ change_indent(INDENT_SET, (int)count, FALSE, NUL, call_changed_bytes); + else +- (void)set_indent(count, call_changed_bytes ? SIN_CHANGED : 0); ++ (void)set_indent((int)count, call_changed_bytes ? SIN_CHANGED : 0); + } + + /* +diff --git a/src/testdir/test_indent.vim b/src/testdir/test_indent.vim +index 96e9d2300883c..217a7ae625072 100644 +--- a/src/testdir/test_indent.vim ++++ b/src/testdir/test_indent.vim +@@ -276,4 +276,15 @@ func Test_formatting_keeps_first_line_indent() + bwipe! + endfunc + ++" Test for indenting with large amount, causes overflow ++func Test_indent_overflow_count() ++ new ++ setl sw=8 ++ call setline(1, "abc") ++ norm! V2147483647> ++ " indents by INT_MAX ++ call assert_equal(2147483647, indent(1)) ++ close! ++endfunc ++ + " vim: shiftwidth=2 sts=2 expandtab
View file
_service:tar_scm:backport-CVE-2023-48706.patch
Added
@@ -0,0 +1,287 @@ +From 26c11c56888d01e298cd8044caf860f3c26f57bb Mon Sep 17 00:00:00 2001 +From: Christian Brabandt <cb@256bit.org> +Date: Wed, 22 Nov 2023 21:26:41 +0100 +Subject: PATCH patch 9.0.2121: security: use-after-free in ex_substitute + +Problem: security: use-after-free in ex_substitute +Solution: always allocate memory + +closes: #13552 + +A recursive :substitute command could cause a heap-use-after free in Vim +(CVE-2023-48706). + +The whole reproducible test is a bit tricky, I can only reproduce this +reliably when no previous substitution command has been used yet +(which is the reason, the test needs to run as first one in the +test_substitute.vim file) and as a combination of the `:~` command +together with a :s command that contains the special substitution atom `~\=` +which will make use of a sub-replace special atom and calls a vim script +function. + +There was a comment in the existing :s code, that already makes the +`sub` variable allocate memory so that a recursive :s call won't be able +to cause any issues here, so this was known as a potential problem +already. But for the current test-case that one does not work, because +the substitution does not start with `\=` but with `~\=` (and since +there does not yet exist a previous substitution atom, Vim will simply +increment the `sub` pointer (which then was not allocated dynamically) +and later one happily use a sub-replace special expression (which could +then free the `sub` var). + +The following commit fixes this, by making the sub var always using +allocated memory, which also means we need to free the pointer whenever +we leave the function. Since sub is now always an allocated variable, +we also do no longer need the sub_copy variable anymore, since this one +was used to indicated when sub pointed to allocated memory (and had +therefore to be freed on exit) and when not. + +Github Security Advisory: +https://github.com/vim/vim/security/advisories/GHSA-c8qm-x72m-q53q + +Signed-off-by: Christian Brabandt <cb@256bit.org> +--- + src/ex_cmds.c | 50 ++++++++++++++++++++++++--------- + src/testdir/test_substitute.vim | 48 +++++++++++++++++++++++++++++-- + 2 files changed, 83 insertions(+), 15 deletions(-) + +diff --git a/src/ex_cmds.c b/src/ex_cmds.c +index c5f912e7ee57f..a08682b071fb5 100644 +--- a/src/ex_cmds.c ++++ b/src/ex_cmds.c +@@ -3686,7 +3686,6 @@ ex_substitute(exarg_T *eap) + int save_do_all; // remember user specified 'g' flag + int save_do_ask; // remember user specified 'c' flag + char_u *pat = NULL, *sub = NULL; // init for GCC +- char_u *sub_copy = NULL; + int delimiter; + int sublen; + int got_quit = FALSE; +@@ -3694,6 +3693,7 @@ ex_substitute(exarg_T *eap) + int temp; + int which_pat; + char_u *cmd; ++ char_u *p; + int save_State; + linenr_T first_line = 0; // first changed line + linenr_T last_line= 0; // below last changed line AFTER the +@@ -3774,8 +3774,12 @@ ex_substitute(exarg_T *eap) + * Small incompatibility: vi sees '\n' as end of the command, but in + * Vim we want to use '\n' to find/substitute a NUL. + */ +- sub = cmd; // remember the start of the substitution ++ p = cmd; // remember the start of the substitution + cmd = skip_substitute(cmd, delimiter); ++ sub = vim_strsave(p); ++ if (sub == NULL) ++ // out of memory ++ return; + + if (!eap->skip) + { +@@ -3786,14 +3790,22 @@ ex_substitute(exarg_T *eap) + if (old_sub == NULL) // there is no previous command + { + emsg(_(e_no_previous_substitute_regular_expression)); ++ vim_free(sub); + return; + } +- sub = old_sub; ++ vim_free(sub); ++ sub = vim_strsave(old_sub); ++ if (sub == NULL) ++ // out of memory ++ return; + } + else + { + vim_free(old_sub); + old_sub = vim_strsave(sub); ++ if (old_sub == NULL) ++ // out of memory ++ return; + } + } + } +@@ -3805,7 +3817,7 @@ ex_substitute(exarg_T *eap) + return; + } + pat = NULL; // search_regcomp() will use previous pattern +- sub = old_sub; ++ sub = vim_strsave(old_sub); + + // Vi compatibility quirk: repeating with ":s" keeps the cursor in the + // last column after using "$". +@@ -3824,7 +3836,10 @@ ex_substitute(exarg_T *eap) + linenr_T joined_lines_count; + + if (eap->skip) ++ { ++ vim_free(sub); + return; ++ } + curwin->w_cursor.lnum = eap->line1; + if (*cmd == 'l') + eap->flags = EXFLAG_LIST; +@@ -3851,6 +3866,7 @@ ex_substitute(exarg_T *eap) + save_re_pat(RE_SUBST, pat, magic_isset()); + // put pattern in history + add_to_history(HIST_SEARCH, pat, TRUE, NUL); ++ vim_free(sub); + + return; + } +@@ -3938,6 +3954,7 @@ ex_substitute(exarg_T *eap) + if (i <= 0 && !eap->skip && subflags.do_error) + { + emsg(_(e_positive_count_required)); ++ vim_free(sub); + return; + } + else if (i >= INT_MAX) +@@ -3945,6 +3962,7 @@ ex_substitute(exarg_T *eap) + char buf20; + vim_snprintf(buf, sizeof(buf), "%ld", i); + semsg(_(e_val_too_large), buf); ++ vim_free(sub); + return; + } + eap->line1 = eap->line2; +@@ -3963,17 +3981,22 @@ ex_substitute(exarg_T *eap) + if (eap->nextcmd == NULL) + { + semsg(_(e_trailing_characters_str), cmd); ++ vim_free(sub); + return; + } + } + + if (eap->skip) // not executing commands, only parsing ++ { ++ vim_free(sub); + return; ++ } + + if (!subflags.do_count && !curbuf->b_p_ma) + { + // Substitution is not allowed in non-'modifiable' buffer + emsg(_(e_cannot_make_changes_modifiable_is_off)); ++ vim_free(sub); + return; + } + +@@ -3981,6 +4004,7 @@ ex_substitute(exarg_T *eap) + { + if (subflags.do_error) + emsg(_(e_invalid_command)); ++ vim_free(sub); + return; + } + +@@ -4001,20 +4025,20 @@ ex_substitute(exarg_T *eap) + */ + if (sub0 == '\\' && sub1 == '=') + { +- sub = vim_strsave(sub); +- if (sub == NULL) ++ p = vim_strsave(sub); ++ vim_free(sub); ++ if (p == NULL) + return; +- sub_copy = sub; ++ sub = p; + } + else + { +- char_u *newsub = regtilde(sub, magic_isset()); ++ p = regtilde(sub, magic_isset()); + +- if (newsub != sub)
View file
_service:tar_scm:backport-CVE-2023-5344.patch
Added
@@ -0,0 +1,47 @@ +From 3bd7fa12e146c6051490d048a4acbfba974eeb04 Mon Sep 17 00:00:00 2001 +From: Christian Brabandt <cb@256bit.org> +Date: Mon, 2 Oct 2023 20:59:08 +0200 +Subject: PATCH 2156/2205 patch 9.0.1969: security buffer-overflow in + trunc_string() + +Problem: buffer-overflow in trunc_string() +Solution: Add NULL at end of buffer + +Currently trunc_string() assumes that when the string is too long, +bufe-1 will always be writeable. But that assumption may not always be +true. The condition currently looks like this + + else if (e + 3 < buflen) + ... + else + { + // can't fit in the "...", just truncate it + bufe - 1 = NUL; + } + +but this means, we may run into the last else clause with e still being +larger than buflen. So a buffer overflow occurs. + +So instead of using `bufe - 1`, let's just always +truncate at `bufbuflen - 1` which should always be writable. + +Signed-off-by: Christian Brabandt <cb@256bit.org> +--- + src/message.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletion(-) + +diff --git a/src/message.c b/src/message.c +index 2fc6cefa9..83c8b4f4a 100644 +--- a/src/message.c ++++ b/src/message.c +@@ -353,7 +353,7 @@ trunc_string( + else + { + // can't fit in the "...", just truncate it +- bufe - 1 = NUL; ++ bufbuflen - 1 = NUL; + } + } + +-- +2.27.0
View file
_service:tar_scm:backport-CVE-2023-5441.patch
Added
@@ -0,0 +1,35 @@ +From 20d161ace307e28690229b68584f2d84556f8960 Mon Sep 17 00:00:00 2001 +From: Christian Brabandt <cb@256bit.org> +Date: Thu, 5 Oct 2023 22:08:30 +0200 +Subject: PATCH patch 9.0.1992: security segfault in exmode + +Problem: segfault in exmode when redrawing +Solution: skip gui_scroll when exmode_active + +Signed-off-by: Christian Brabandt <cb@256bit.org> +--- + src/gui.c | 4 ++++ + 1 files changed, 4 insertions(+) + +diff --git a/src/gui.c b/src/gui.c +index 1f546b2a75b57..9c9aa3cbecdcf 100644 +--- a/src/gui.c ++++ b/src/gui.c +@@ -4436,6 +4436,7 @@ gui_do_scrollbar( + * Scroll a window according to the values set in the globals current_scrollbar + * and scrollbar_value. Return TRUE if the cursor in the current window moved + * or FALSE otherwise. ++ * may eventually cause a redraw using updateWindow + */ + int + gui_do_scroll(void) +@@ -4455,6 +4456,9 @@ gui_do_scroll(void) + if (wp == NULL) + // Couldn't find window + return FALSE; ++ // don't redraw, LineOffset and similar are not valid! ++ if (exmode_active) ++ return FALSE; + + /* + * Compute number of lines to scroll. If zero, nothing to do.
View file
_service:tar_scm:backport-CVE-2023-5535.patch
Added
@@ -0,0 +1,37 @@ +From 41e6f7d6ba67b61d911f9b1d76325cd79224753d Mon Sep 17 00:00:00 2001 +From: Christian Brabandt <cb@256bit.org> +Date: Wed, 11 Oct 2023 21:08:13 +0200 +Subject: PATCH patch 9.0.2010: security use-after-free from + buf_contents_changed() + +Problem: security use-after-free from buf_contents_changed() +Solution: block autocommands + +Signed-off-by: Christian Brabandt <cb@256bit.org> +--- + src/buffer.c | 5 +++++ + 1 files changed, 5 insertions(+) + +diff --git a/src/buffer.c b/src/buffer.c +index 93f9245f27f9d..9ee74f54dd6fd 100644 +--- a/src/buffer.c ++++ b/src/buffer.c +@@ -5902,6 +5902,9 @@ buf_contents_changed(buf_T *buf) + // set curwin/curbuf to buf and save a few things + aucmd_prepbuf(&aco, newbuf); + ++ // We don't want to trigger autocommands now, they may have nasty ++ // side-effects like wiping buffers ++ block_autocmds(); + if (ml_open(curbuf) == OK + && readfile(buf->b_ffname, buf->b_fname, + (linenr_T)0, (linenr_T)0, (linenr_T)MAXLNUM, +@@ -5927,6 +5930,8 @@ buf_contents_changed(buf_T *buf) + if (curbuf != newbuf) // safety check + wipe_buffer(newbuf, FALSE); + ++ unblock_autocmds(); ++ + return differ; + } +
View file
_service:tar_scm:backport-patch-9.0.2114-overflow-detection-not-accurate-when-adding-digits.patch
Added
@@ -0,0 +1,94 @@ +From 22cbc8a4e17ce61aa460c451a26e1bff2c3d2af9 Mon Sep 17 00:00:00 2001 +From: Christian Brabandt <cb@256bit.org> +Date: Sun, 19 Nov 2023 10:47:21 +0100 +Subject: PATCH patch 9.0.2114: overflow detection not accurate when adding + digits + +Problem: overflow detection not accurate when adding digits +Solution: Use a helper function + +Use a helper function to better detect overflows before adding integer +digits to a long or an integer variable respectively. Signal the +overflow to the caller function. + +closes: #13539 + +Signed-off-by: Christian Brabandt <cb@256bit.org> +Signed-off-by: Michael Henry <vim@drmikehenry.com> +Signed-off-by: Ernie Rael <errael@raelity.com> +--- + src/misc1.c | 25 +++++++++++++++++++++++-- + src/normal.c | 3 +-- + src/proto/misc1.pro | 2 ++ + 3 files changed, 26 insertions(+), 4 deletions(-) + +diff --git a/src/misc1.c b/src/misc1.c +index 5f9828ebe9544..dc0deae67af93 100644 +--- a/src/misc1.c ++++ b/src/misc1.c +@@ -951,9 +951,8 @@ get_number( + c = safe_vgetc(); + if (VIM_ISDIGIT(c)) + { +- if (n > INT_MAX / 10) ++ if (vim_append_digit_int(&n, c - '0') == FAIL) + return 0; +- n = n * 10 + c - '0'; + msg_putchar(c); + ++typed; + } +@@ -2755,3 +2754,25 @@ may_trigger_modechanged(void) + restore_v_event(v_event, &save_v_event); + #endif + } ++ ++// For overflow detection, add a digit safely to an int value. ++ int ++vim_append_digit_int(int *value, int digit) ++{ ++ int x = *value; ++ if (x > ((INT_MAX - digit) / 10)) ++ return FAIL; ++ *value = x * 10 + digit; ++ return OK; ++} ++ ++// For overflow detection, add a digit safely to a long value. ++ int ++vim_append_digit_long(long *value, int digit) ++{ ++ long x = *value; ++ if (x > ((LONG_MAX - (long)digit) / 10)) ++ return FAIL; ++ *value = x * 10 + (long)digit; ++ return OK; ++} +diff --git a/src/normal.c b/src/normal.c +index 16b4b45069329..61a19c13a43c9 100644 +--- a/src/normal.c ++++ b/src/normal.c +@@ -2568,12 +2568,11 @@ nv_z_get_count(cmdarg_T *cap, int *nchar_arg) + n /= 10; + else if (VIM_ISDIGIT(nchar)) + { +- if (n > LONG_MAX / 10) ++ if (vim_append_digit_long(&n, nchar - '0') == FAIL) + { + clearopbeep(cap->oap); + break; + } +- n = n * 10 + (nchar - '0'); + } + else if (nchar == CAR) + { +diff --git a/src/proto/misc1.pro b/src/proto/misc1.pro +index b87b7ea747576..2b8e9d8f264cb 100644 +--- a/src/proto/misc1.pro ++++ b/src/proto/misc1.pro +@@ -52,4 +52,6 @@ int path_with_url(char_u *fname); + dict_T *get_v_event(save_v_event_T *sve); + void restore_v_event(dict_T *v_event, save_v_event_T *sve); + void may_trigger_modechanged(void); ++int vim_append_digit_int(int *value, int digit); ++int vim_append_digit_long(long *value, int digit); + /* vim: set ft=c : */
View file
_service:tar_scm:backport-patch-improve-the-error-detection.patch
Added
@@ -0,0 +1,71 @@ +From 3d37231437fc0f761664a7cabc8f7b927b468767 Mon Sep 17 00:00:00 2001 +From: Christian Brabandt <cb@256bit.org> +Date: Sun, 5 Nov 2023 17:44:05 +0100 +Subject: PATCH runtime(tar): improve the error detection + +Do not rely on the fact, that the last line matches warning, error, +inappropriate or unrecognized to determine if an error occurred. It +could also be a file, contains such a keyword. + +So make the error detection slightly more strict and only assume an +error occured, if in addition to those 4 keywords, also a space matches +(this assumes the error message contains a space), which luckily on Unix +not many files match by default. + +The whole if condition seems however slightly dubious. In case an error +happened, this would probably already be caught in the previous if +statement, since this checks for the return code of the tar program. + +There may however be tar implementations, that do not set the exit code +for some kind of error (but print an error message)? But let's keep this +check for now, not many people have noticed this behaviour until now, so +it seems to work reasonably well anyhow. + +related: #6425 +fixes: #13489 +Signed-off-by: Christian Brabandt <cb@256bit.org> +--- + runtime/autoload/tar.vim | 17 +++++++++++++---- + 1 file changed, 13 insertions(+), 4 deletions(-) + +diff --git a/runtime/autoload/tar.vim b/runtime/autoload/tar.vim +index e495e8262a93f..52369a42c1c1b 100644 +--- a/runtime/autoload/tar.vim ++++ b/runtime/autoload/tar.vim +@@ -1,7 +1,7 @@ + " tar.vim: Handles browsing tarfiles + " AUTOLOAD PORTION +-" Date: Jan 07, 2020 +-" Version: 32 ++" Date: Nov 05, 2023 ++" Version: 32a (with modifications from the Vim Project) + " Maintainer: Charles E Campbell <NcampObell@SdrPchip.AorgM-NOSPAM> + " License: Vim License (see vim's :help license) + " +@@ -22,7 +22,7 @@ + if &cp || exists("g:loaded_tar") + finish + endif +-let g:loaded_tar= "v32" ++let g:loaded_tar= "v32a" + if v:version < 702 + echohl WarningMsg + echo "***warning*** this version of tar needs vim 7.2" +@@ -208,7 +208,16 @@ fun! tar#Browse(tarfile) + " call Dret("tar#Browse : a:tarfile<".a:tarfile.">") + return + endif +- if line("$") == curlast || ( line("$") == (curlast + 1) && getline("$") =~# '\c\%(warning\|error\|inappropriate\|unrecognized\)') ++ " If there was an error message, the last line probably matches some keywords but ++ " should also contain whitespace for readability. Make sure not to match a ++ " filename that contains the keyword (error/warning/unrecognized/inappropriate, etc) ++ " ++ " FIXME:is this actually necessary? In case of an error, we should probably ++ " have noticed in the if statement above since tar should have exited ++ " with a non-zero exit code. ++ if line("$") == curlast || ( line("$") == (curlast + 1) && ++ \ getline("$") =~# '\c\<\%(warning\|error\|inappropriate\|unrecognized\)\>' && ++ \ getline("$") =~ '\s' ) + redraw! + echohl WarningMsg | echo "***warning*** (tar#Browse) ".a:tarfile." doesn't appear to be a tar file" | echohl None + keepj sil! %d
View file
_service
Changed
@@ -2,7 +2,7 @@ <service name="tar_scm"> <param name="url">git@gitee.com:src-openeuler/vim.git</param> <param name="scm">git</param> - <param name="revision">openEuler-23.09</param> + <param name="revision">master</param> <param name="exclude">*</param> <param name="extract">*</param> </service>
Locations
Projects
Search
Status Monitor
Help
Open Build Service
OBS Manuals
API Documentation
OBS Portal
Reporting a Bug
Contact
Mailing List
Forums
Chat (IRC)
Twitter
Open Build Service (OBS)
is an
openSUSE project
.
浙ICP备2022010568号-2