author | Ross Burton <ross@burtonini.com> | 2021-11-09 23:13:07 +0000 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2021-11-10 19:27:28 +0000 |
commit | ce534e8e16f0d880aeae6477e57d1b7b86833a35 (patch) | |
tree | 6b1091b3da055c9302a5290999df201311c65eea /meta/recipes-support/vim/files/0003-patch-8.2.3487-illegal-memory-access-if-buffer-name-.patch | |
parent | 47b01a4ef31a9b3f27c968ff1ff564a8a83fa7ed (diff) | |
vim: fix CVE-2021-3796, CVE-2021-3872, and CVE-2021-3875
Backport patches from upstream to fix these CVEs.
(From OE-Core rev: b493eb4f9a6bb75a2f01a53b6c70762845bf79f9)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-support/vim/files/0003-patch-8.2.3487-illegal-memory-access-if-buffer-name-.patch')
-rw-r--r-- | meta/recipes-support/vim/files/0003-patch-8.2.3487-illegal-memory-access-if-buffer-name-.patch | 86 |
1 files changed, 86 insertions, 0 deletions
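--- /dev/null
+++ b/meta/recipes-support/vim/files/0003-patch-8.2.3487-illegal-memory-access-if-buffer-name-.patch
@@ -0,0 +1,86 @@
+CVE: CVE-2021-3872
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@arm.com>
+
+From 61629ea24a2fff1f89c37479d3fb52f17c3480fc Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Fri, 8 Oct 2021 18:39:28 +0100
+Subject: [PATCH] patch 8.2.3487: illegal memory access if buffer name is very
+long
+
+Problem: Illegal memory access if buffer name is very long.
+Solution: Make sure not to go over the end of the buffer.
+---
+src/drawscreen.c | 10 +++++-----
+src/testdir/test_statusline.vim | 11 +++++++++++
+src/version.c | 2 ++
+3 files changed, 18 insertions(+), 5 deletions(-)
+
+diff --git a/src/drawscreen.c b/src/drawscreen.c
+index 3a88ee979..9acb70552 100644
+--- a/src/drawscreen.c
++++ b/src/drawscreen.c
+@@ -446,13 +446,13 @@ win_redr_status(win_T *wp, int ignore_pum UNUSED)
+*(p + len++) = ' ';
+if (bt_help(wp->w_buffer))
+{
+- STRCPY(p + len, _("[Help]"));
++ vim_snprintf((char *)p + len, MAXPATHL - len, "%s", _("[Help]"));
+len += (int)STRLEN(p + len);
+}
+#ifdef FEAT_QUICKFIX
+if (wp->w_p_pvw)
+{
+- STRCPY(p + len, _("[Preview]"));
++ vim_snprintf((char *)p + len, MAXPATHL - len, "%s", _("[Preview]"));
+len += (int)STRLEN(p + len);
+}
+#endif
+@@ -462,12 +462,12 @@ win_redr_status(win_T *wp, int ignore_pum UNUSED)
+#endif
+)
+{
+- STRCPY(p + len, "[+]");
+- len += 3;
++ vim_snprintf((char *)p + len, MAXPATHL - len, "%s", "[+]");
++ len += (int)STRLEN(p + len);
+}
+if (wp->w_buffer->b_p_ro)
+{
+- STRCPY(p + len, _("[RO]"));
++ vim_snprintf((char *)p + len, MAXPATHL - len, "%s", _("[RO]"));
+len += (int)STRLEN(p + len);
+}
+
+diff --git a/src/testdir/test_statusline.vim b/src/testdir/test_statusline.vim
+index 1f705b847..91bce1407 100644
+--- a/src/testdir/test_statusline.vim
++++ b/src/testdir/test_statusline.vim
+@@ -393,3 +393,14 @@ func Test_statusline_visual()
+bwipe! x1
+bwipe! x2
+endfunc
++" Used to write beyond allocated memory. This assumes MAXPATHL is 4096 bytes.
++func Test_statusline_verylong_filename()
++ let fname = repeat('x', 4090)
++ exe "new " .. fname
++ set buftype=help
++ set previewwindow
++ redraw
++ bwipe!
++endfunc
++
++" vim: shiftwidth=2 sts=2 expandtab
+diff --git a/src/version.c b/src/version.c
+index 1046993d6..2b5de5ccf 100644
+--- a/src/version.c
++++ b/src/version.c
+@@ -742,6 +742,8 @@ static char *(features[]) =
+
+static int included_patches[] =
+{ /* Add new patch number below this line */
++/**/
++ 3487,
+/**/
+3428,
+/**/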
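Review bot: The bounded copies added in the `src/drawscreen.c` hunk, `vim_snprintf((char *)p + len, MAXPATHL - len, ...)`, are only safe while `len` stays below `MAXPATHL`, and the context line `*(p + len++) = ' ';` just above them increments `len` under a condition that starts outside the hunk. If that condition does not already cap `len` (something like `len < MAXPATHL - 1`), the size argument can reach zero, presumably leaving nothing NUL-terminated for the following `STRLEN(p + len)`; this is worth confirming against the vim source the recipe actually builds. The added test only covers a 4090-character name and states that it assumes MAXPATHL is 4096, so it will not catch the boundary on a build with a different value. Separately, the patch header would be easier to audit as `Upstream-Status: Backport [<upstream commit URL>]`, pointing at the commit named in the `From 61629ea…` line.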