vim: fix CVE-2021-3875

Backport a patch to fix CVE-2021-3875. (From OE-Core rev: de2493aac4f8ea9d8e4e59efa1359567fa186319) Signed-off-by: Mingli Yu <mingli.yu@windriver.com> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Mingli Yu <mingli.yu@windriver.com> 2021-11-17 17:18:24 +0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2021-11-24 21:12:46 +0000
commit: e2480fc60c49c28c32476c8f91478bab68a11724 (patch)
tree: e43af0c65924900c883ffe50a7b6b5ed82167f91
parent: 4c5d6076492cebd5d56403e2f74dd51d58555e53 (diff)
download: poky-e2480fc60c49c28c32476c8f91478bab68a11724.tar.gz
2 files changed, 38 insertions, 0 deletions
diff --git a/meta/recipes-support/vim/files/CVE-2021-3875.patch b/meta/recipes-support/vim/files/CVE-2021-3875.patch
new file mode 100644
index 0000000000..d62d875f8e
--- /dev/null
+++ b/meta/recipes-support/vim/files/CVE-2021-3875.patch
@@ -0,0 +1,37 @@
+From 40aa9802ef56d3cdbe256b4c9e58049953051a2d Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Mon, 15 Nov 2021 14:34:50 +0800
+Subject: [PATCH] patch 8.2.3489: ml_get error after search with range
+Problem:    ml_get error after search with range.
+Solution:   Limit the line number to the buffer line count.
+CVE: CVE-2021-3875
+Upstream-Status: Backport [https://github.com/vim/vim/commit/35a319b77f897744eec1155b736e9372c9c5575f]
+Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
+---
+ src/ex_docmd.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+diff --git a/src/ex_docmd.c b/src/ex_docmd.c
+index fb07450f8..89d33ba90 100644
+--- a/src/ex_docmd.c
+++ b/src/ex_docmd.c
+@@ -3586,8 +3586,10 @@ get_address(
+ 
+                    // When '/' or '?' follows another address, start from
+                    // there.
+-                   if (lnum != MAXLNUM)
+-                       curwin->w_cursor.lnum = lnum;
+                   if (lnum > 0 && lnum != MAXLNUM)
+                       curwin->w_cursor.lnum =
+                               lnum > curbuf->b_ml.ml_line_count
+                                          ? curbuf->b_ml.ml_line_count : lnum;
+ 
+                    // Start a forward search at the end of the line (unless
+                    // before the first line).
+-- 
+2.17.1
diff --git a/meta/recipes-support/vim/vim.inc b/meta/recipes-support/vim/vim.inc
index 1841498b74..65b0b2e330 100644
--- a/meta/recipes-support/vim/vim.inc
+++ b/meta/recipes-support/vim/vim.inc
@@ -22,6 +22,7 @@ SRC_URI = "git://github.com/vim/vim.git;branch=master;protocol=https \
           file://b7081e135a16091c93f6f5f7525a5c58fb7ca9f9.patch \
           file://CVE-2021-3903.patch \
           file://CVE-2021-3872.patch \
+           file://CVE-2021-3875.patch \
 "
 SRCREV = "98056533b96b6b5d8849641de93185dd7bcadc44"
author	Mingli Yu <mingli.yu@windriver.com>	2021-11-17 17:18:24 +0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2021-11-24 21:12:46 +0000
commit	e2480fc60c49c28c32476c8f91478bab68a11724 (patch)
tree	e43af0c65924900c883ffe50a7b6b5ed82167f91
parent	4c5d6076492cebd5d56403e2f74dd51d58555e53 (diff)
download	poky-e2480fc60c49c28c32476c8f91478bab68a11724.tar.gz

diff --git a/meta/recipes-support/vim/files/CVE-2021-3875.patch b/meta/recipes-support/vim/files/CVE-2021-3875.patch new file mode 100644 index 0000000000..d62d875f8e --- /dev/null +++ b/meta/recipes-support/vim/files/CVE-2021-3875.patch
@@ -0,0 +1,37 @@
		1	From 40aa9802ef56d3cdbe256b4c9e58049953051a2d Mon Sep 17 00:00:00 2001
		2	From: Bram Moolenaar <Bram@vim.org>
		3	Date: Mon, 15 Nov 2021 14:34:50 +0800
		4	Subject: [PATCH] patch 8.2.3489: ml_get error after search with range
		5
		6	Problem: ml_get error after search with range.
		7	Solution: Limit the line number to the buffer line count.
		8
		9	CVE: CVE-2021-3875
		10
		11	Upstream-Status: Backport [https://github.com/vim/vim/commit/35a319b77f897744eec1155b736e9372c9c5575f]
		12
		13	Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
		14	---
		15	src/ex_docmd.c \| 6 ++++--
		16	1 file changed, 4 insertions(+), 2 deletions(-)
		17
		18	diff --git a/src/ex_docmd.c b/src/ex_docmd.c
		19	index fb07450f8..89d33ba90 100644
		20	--- a/src/ex_docmd.c
		21	+++ b/src/ex_docmd.c
		22	@@ -3586,8 +3586,10 @@ get_address(
		23
		24	// When '/' or '?' follows another address, start from
		25	// there.
		26	- if (lnum != MAXLNUM)
		27	- curwin->w_cursor.lnum = lnum;
		28	+ if (lnum > 0 && lnum != MAXLNUM)
		29	+ curwin->w_cursor.lnum =
		30	+ lnum > curbuf->b_ml.ml_line_count
		31	+ ? curbuf->b_ml.ml_line_count : lnum;
		32
		33	// Start a forward search at the end of the line (unless
		34	// before the first line).
		35	--
		36	2.17.1
		37


diff --git a/meta/recipes-support/vim/vim.inc b/meta/recipes-support/vim/vim.inc index 1841498b74..65b0b2e330 100644 --- a/meta/recipes-support/vim/vim.inc +++ b/meta/recipes-support/vim/vim.inc
@@ -22,6 +22,7 @@ SRC_URI = "git://github.com/vim/vim.git;branch=master;protocol=https \
22	file://b7081e135a16091c93f6f5f7525a5c58fb7ca9f9.patch \	22	file://b7081e135a16091c93f6f5f7525a5c58fb7ca9f9.patch \
23	file://CVE-2021-3903.patch \	23	file://CVE-2021-3903.patch \
24	file://CVE-2021-3872.patch \	24	file://CVE-2021-3872.patch \
		25	file://CVE-2021-3875.patch \
25	"	26	"
26		27
27	SRCREV = "98056533b96b6b5d8849641de93185dd7bcadc44"	28	SRCREV = "98056533b96b6b5d8849641de93185dd7bcadc44"