summaryrefslogtreecommitdiffstats
path: root/meta/recipes-support/vim/files
diff options
context:
space:
mode:
authorRoss Burton <ross@burtonini.com>2021-11-09 23:13:07 +0000
committerRichard Purdie <richard.purdie@linuxfoundation.org>2021-11-10 19:27:28 +0000
commitce534e8e16f0d880aeae6477e57d1b7b86833a35 (patch)
tree6b1091b3da055c9302a5290999df201311c65eea /meta/recipes-support/vim/files
parent47b01a4ef31a9b3f27c968ff1ff564a8a83fa7ed (diff)
downloadpoky-ce534e8e16f0d880aeae6477e57d1b7b86833a35.tar.gz
vim: fix CVE-2021-3796, CVE-2021-3872, and CVE-2021-3875
Backport patches from upstream to fix these CVEs. (From OE-Core rev: b493eb4f9a6bb75a2f01a53b6c70762845bf79f9) Signed-off-by: Ross Burton <ross.burton@arm.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-support/vim/files')
-rw-r--r--meta/recipes-support/vim/files/0002-patch-8.2.3428-using-freed-memory-when-replacing.patch83
-rw-r--r--meta/recipes-support/vim/files/0003-patch-8.2.3487-illegal-memory-access-if-buffer-name-.patch86
-rw-r--r--meta/recipes-support/vim/files/0004-patch-8.2.3489-ml_get-error-after-search-with-range.patch72
-rw-r--r--meta/recipes-support/vim/files/0005-patch-8.2.3564-invalid-memory-access-when-scrolling-.patch97
4 files changed, 338 insertions, 0 deletions
diff --git a/meta/recipes-support/vim/files/0002-patch-8.2.3428-using-freed-memory-when-replacing.patch b/meta/recipes-support/vim/files/0002-patch-8.2.3428-using-freed-memory-when-replacing.patch
new file mode 100644
index 0000000000..ecfae0301e
--- /dev/null
+++ b/meta/recipes-support/vim/files/0002-patch-8.2.3428-using-freed-memory-when-replacing.patch
@@ -0,0 +1,83 @@
1CVE: CVE-2021-3796
2Upstream-Status: Backport
3Signed-off-by: Ross Burton <ross.burton@arm.com>
4
5From 1160e5f74b229336502fc376416f21108d36cfc2 Mon Sep 17 00:00:00 2001
6From: Bram Moolenaar <Bram@vim.org>
7Date: Sat, 11 Sep 2021 21:14:20 +0200
8Subject: [PATCH] patch 8.2.3428: using freed memory when replacing
9
10Problem: Using freed memory when replacing. (Dhiraj Mishra)
11Solution: Get the line pointer after calling ins_copychar().
12---
13 src/normal.c | 10 +++++++---
14 src/testdir/test_edit.vim | 14 ++++++++++++++
15 src/version.c | 2 ++
16 3 files changed, 23 insertions(+), 3 deletions(-)
17
18diff --git a/src/normal.c b/src/normal.c
19index c4963e621..d6333b948 100644
20--- a/src/normal.c
21+++ b/src/normal.c
22@@ -5009,19 +5009,23 @@ nv_replace(cmdarg_T *cap)
23 {
24 /*
25 * Get ptr again, because u_save and/or showmatch() will have
26- * released the line. At the same time we let know that the
27- * line will be changed.
28+ * released the line. This may also happen in ins_copychar().
29+ * At the same time we let know that the line will be changed.
30 */
31- ptr = ml_get_buf(curbuf, curwin->w_cursor.lnum, TRUE);
32 if (cap->nchar == Ctrl_E || cap->nchar == Ctrl_Y)
33 {
34 int c = ins_copychar(curwin->w_cursor.lnum
35 + (cap->nchar == Ctrl_Y ? -1 : 1));
36+
37+ ptr = ml_get_buf(curbuf, curwin->w_cursor.lnum, TRUE);
38 if (c != NUL)
39 ptr[curwin->w_cursor.col] = c;
40 }
41 else
42+ {
43+ ptr = ml_get_buf(curbuf, curwin->w_cursor.lnum, TRUE);
44 ptr[curwin->w_cursor.col] = cap->nchar;
45+ }
46 if (p_sm && msg_silent == 0)
47 showmatch(cap->nchar);
48 ++curwin->w_cursor.col;
49diff --git a/src/testdir/test_edit.vim b/src/testdir/test_edit.vim
50index 4e29e7fe1..f94e6c181 100644
51--- a/src/testdir/test_edit.vim
52+++ b/src/testdir/test_edit.vim
53@@ -1519,3 +1519,17 @@ func Test_edit_noesckeys()
54 bwipe!
55 set esckeys
56 endfunc
57+
58+" Test for getting the character of the line below after "p"
59+func Test_edit_put_CTRL_E()
60+ set encoding=latin1
61+ new
62+ let @" = ''
63+ sil! norm orggRx
64+ sil! norm pr
65+ call assert_equal(['r', 'r'], getline(1, 2))
66+ bwipe!
67+ set encoding=utf-8
68+endfunc
69+
70+" vim: shiftwidth=2 sts=2 expandtab
71diff --git a/src/version.c b/src/version.c
72index 85bdfc601..1046993d6 100644
73--- a/src/version.c
74+++ b/src/version.c
75@@ -742,6 +742,8 @@ static char *(features[]) =
76
77 static int included_patches[] =
78 { /* Add new patch number below this line */
79+/**/
80+ 3428,
81 /**/
82 3409,
83 /**/
diff --git a/meta/recipes-support/vim/files/0003-patch-8.2.3487-illegal-memory-access-if-buffer-name-.patch b/meta/recipes-support/vim/files/0003-patch-8.2.3487-illegal-memory-access-if-buffer-name-.patch
new file mode 100644
index 0000000000..576664f436
--- /dev/null
+++ b/meta/recipes-support/vim/files/0003-patch-8.2.3487-illegal-memory-access-if-buffer-name-.patch
@@ -0,0 +1,86 @@
1CVE: CVE-2021-3872
2Upstream-Status: Backport
3Signed-off-by: Ross Burton <ross.burton@arm.com>
4
5From 61629ea24a2fff1f89c37479d3fb52f17c3480fc Mon Sep 17 00:00:00 2001
6From: Bram Moolenaar <Bram@vim.org>
7Date: Fri, 8 Oct 2021 18:39:28 +0100
8Subject: [PATCH] patch 8.2.3487: illegal memory access if buffer name is very
9 long
10
11Problem: Illegal memory access if buffer name is very long.
12Solution: Make sure not to go over the end of the buffer.
13---
14 src/drawscreen.c | 10 +++++-----
15 src/testdir/test_statusline.vim | 11 +++++++++++
16 src/version.c | 2 ++
17 3 files changed, 18 insertions(+), 5 deletions(-)
18
19diff --git a/src/drawscreen.c b/src/drawscreen.c
20index 3a88ee979..9acb70552 100644
21--- a/src/drawscreen.c
22+++ b/src/drawscreen.c
23@@ -446,13 +446,13 @@ win_redr_status(win_T *wp, int ignore_pum UNUSED)
24 *(p + len++) = ' ';
25 if (bt_help(wp->w_buffer))
26 {
27- STRCPY(p + len, _("[Help]"));
28+ vim_snprintf((char *)p + len, MAXPATHL - len, "%s", _("[Help]"));
29 len += (int)STRLEN(p + len);
30 }
31 #ifdef FEAT_QUICKFIX
32 if (wp->w_p_pvw)
33 {
34- STRCPY(p + len, _("[Preview]"));
35+ vim_snprintf((char *)p + len, MAXPATHL - len, "%s", _("[Preview]"));
36 len += (int)STRLEN(p + len);
37 }
38 #endif
39@@ -462,12 +462,12 @@ win_redr_status(win_T *wp, int ignore_pum UNUSED)
40 #endif
41 )
42 {
43- STRCPY(p + len, "[+]");
44- len += 3;
45+ vim_snprintf((char *)p + len, MAXPATHL - len, "%s", "[+]");
46+ len += (int)STRLEN(p + len);
47 }
48 if (wp->w_buffer->b_p_ro)
49 {
50- STRCPY(p + len, _("[RO]"));
51+ vim_snprintf((char *)p + len, MAXPATHL - len, "%s", _("[RO]"));
52 len += (int)STRLEN(p + len);
53 }
54
55diff --git a/src/testdir/test_statusline.vim b/src/testdir/test_statusline.vim
56index 1f705b847..91bce1407 100644
57--- a/src/testdir/test_statusline.vim
58+++ b/src/testdir/test_statusline.vim
59@@ -393,3 +393,14 @@ func Test_statusline_visual()
60 bwipe! x1
61 bwipe! x2
62 endfunc
63+" Used to write beyond allocated memory. This assumes MAXPATHL is 4096 bytes.
64+func Test_statusline_verylong_filename()
65+ let fname = repeat('x', 4090)
66+ exe "new " .. fname
67+ set buftype=help
68+ set previewwindow
69+ redraw
70+ bwipe!
71+endfunc
72+
73+" vim: shiftwidth=2 sts=2 expandtab
74diff --git a/src/version.c b/src/version.c
75index 1046993d6..2b5de5ccf 100644
76--- a/src/version.c
77+++ b/src/version.c
78@@ -742,6 +742,8 @@ static char *(features[]) =
79
80 static int included_patches[] =
81 { /* Add new patch number below this line */
82+/**/
83+ 3487,
84 /**/
85 3428,
86 /**/
diff --git a/meta/recipes-support/vim/files/0004-patch-8.2.3489-ml_get-error-after-search-with-range.patch b/meta/recipes-support/vim/files/0004-patch-8.2.3489-ml_get-error-after-search-with-range.patch
new file mode 100644
index 0000000000..045081579c
--- /dev/null
+++ b/meta/recipes-support/vim/files/0004-patch-8.2.3489-ml_get-error-after-search-with-range.patch
@@ -0,0 +1,72 @@
1CVE: CVE-2021-3875
2Upstream-Status: Backport
3Signed-off-by: Ross Burton <ross.burton@arm.com>
4
5From b8968e26d7508e7d64bfc86808142818b0a9288c Mon Sep 17 00:00:00 2001
6From: Bram Moolenaar <Bram@vim.org>
7Date: Sat, 9 Oct 2021 13:58:55 +0100
8Subject: [PATCH] patch 8.2.3489: ml_get error after search with range
9
10Problem: ml_get error after search with range.
11Solution: Limit the line number to the buffer line count.
12---
13 src/ex_docmd.c | 6 ++++--
14 src/testdir/test_search.vim | 17 +++++++++++++++++
15 src/version.c | 2 ++
16 3 files changed, 23 insertions(+), 2 deletions(-)
17
18diff --git a/src/ex_docmd.c b/src/ex_docmd.c
19index fb07450f8..fde726477 100644
20--- a/src/ex_docmd.c
21+++ b/src/ex_docmd.c
22@@ -3586,8 +3586,10 @@ get_address(
23
24 // When '/' or '?' follows another address, start from
25 // there.
26- if (lnum != MAXLNUM)
27- curwin->w_cursor.lnum = lnum;
28+ if (lnum > 0 && lnum != MAXLNUM)
29+ curwin->w_cursor.lnum =
30+ lnum > curbuf->b_ml.ml_line_count
31+ ? curbuf->b_ml.ml_line_count : lnum;
32
33 // Start a forward search at the end of the line (unless
34 // before the first line).
35diff --git a/src/testdir/test_search.vim b/src/testdir/test_search.vim
36index 187671305..e142c3547 100644
37--- a/src/testdir/test_search.vim
38+++ b/src/testdir/test_search.vim
39@@ -1366,3 +1366,20 @@ func Test_searchdecl()
40
41 bwipe!
42 endfunc
43+
44+func Test_search_with_invalid_range()
45+ new
46+ let lines =<< trim END
47+ /\%.v
48+ 5/
49+ c
50+ END
51+ call writefile(lines, 'Xrangesearch')
52+ source Xrangesearch
53+
54+ bwipe!
55+ call delete('Xrangesearch')
56+endfunc
57+
58+
59+" vim: shiftwidth=2 sts=2 expandtab
60diff --git a/src/version.c b/src/version.c
61index 2b5de5ccf..092864bbb 100644
62--- a/src/version.c
63+++ b/src/version.c
64@@ -742,6 +742,8 @@ static char *(features[]) =
65
66 static int included_patches[] =
67 { /* Add new patch number below this line */
68+/**/
69+ 3489,
70 /**/
71 3487,
72 /**/
diff --git a/meta/recipes-support/vim/files/0005-patch-8.2.3564-invalid-memory-access-when-scrolling-.patch b/meta/recipes-support/vim/files/0005-patch-8.2.3564-invalid-memory-access-when-scrolling-.patch
new file mode 100644
index 0000000000..7184b37cad
--- /dev/null
+++ b/meta/recipes-support/vim/files/0005-patch-8.2.3564-invalid-memory-access-when-scrolling-.patch
@@ -0,0 +1,97 @@
1CVE: CVE-2021-3903
2Upstream-Status: Backport
3Signed-off-by: Ross Burton <ross.burton@arm.com>
4
5From b15919c1fe0f7fc3d98ff5207ed2feb43c59009d Mon Sep 17 00:00:00 2001
6From: Bram Moolenaar <Bram@vim.org>
7Date: Mon, 25 Oct 2021 17:07:04 +0100
8Subject: [PATCH] patch 8.2.3564: invalid memory access when scrolling without
9 valid screen
10
11Problem: Invalid memory access when scrolling without a valid screen.
12Solution: Do not set VALID_BOTLINE in w_valid.
13---
14 src/move.c | 1 -
15 src/testdir/test_normal.vim | 23 ++++++++++++++++++++---
16 src/version.c | 2 ++
17 3 files changed, 22 insertions(+), 4 deletions(-)
18
19diff --git a/src/move.c b/src/move.c
20index 8e53d8bcb..10165ef4d 100644
21--- a/src/move.c
22+++ b/src/move.c
23@@ -198,7 +198,6 @@ update_topline(void)
24 {
25 curwin->w_topline = curwin->w_cursor.lnum;
26 curwin->w_botline = curwin->w_topline;
27- curwin->w_valid |= VALID_BOTLINE|VALID_BOTLINE_AP;
28 curwin->w_scbind_pos = 1;
29 return;
30 }
31diff --git a/src/testdir/test_normal.vim b/src/testdir/test_normal.vim
32index d45cf4159..ca87928f5 100644
33--- a/src/testdir/test_normal.vim
34+++ b/src/testdir/test_normal.vim
35@@ -33,14 +33,14 @@ func CountSpaces(type, ...)
36 else
37 silent exe "normal! `[v`]y"
38 endif
39- let g:a=strlen(substitute(@@, '[^ ]', '', 'g'))
40+ let g:a = strlen(substitute(@@, '[^ ]', '', 'g'))
41 let &selection = sel_save
42 let @@ = reg_save
43 endfunc
44
45 func OpfuncDummy(type, ...)
46 " for testing operatorfunc
47- let g:opt=&linebreak
48+ let g:opt = &linebreak
49
50 if a:0 " Invoked from Visual mode, use gv command.
51 silent exe "normal! gvy"
52@@ -51,7 +51,7 @@ func OpfuncDummy(type, ...)
53 endif
54 " Create a new dummy window
55 new
56- let g:bufnr=bufnr('%')
57+ let g:bufnr = bufnr('%')
58 endfunc
59
60 fun! Test_normal00_optrans()
61@@ -718,6 +718,23 @@ func Test_normal17_z_scroll_hor2()
62 bw!
63 endfunc
64
65+
66+func Test_scroll_in_ex_mode()
67+ " This was using invalid memory because w_botline was invalid.
68+ let lines =<< trim END
69+ diffsplit
70+ norm os00(
71+ call writefile(['done'], 'Xdone')
72+ qa!
73+ END
74+ call writefile(lines, 'Xscript')
75+ call assert_equal(1, RunVim([], [], '--clean -X -Z -e -s -S Xscript'))
76+ call assert_equal(['done'], readfile('Xdone'))
77+
78+ call delete('Xscript')
79+ call delete('Xdone')
80+endfunc
81+
82 func Test_normal18_z_fold()
83 " basic tests for foldopen/folddelete
84 if !has("folding")
85diff --git a/src/version.c b/src/version.c
86index 092864bbb..a9e8be0e7 100644
87--- a/src/version.c
88+++ b/src/version.c
89@@ -742,6 +742,8 @@ static char *(features[]) =
90
91 static int included_patches[] =
92 { /* Add new patch number below this line */
93+/**/
94+ 3564,
95 /**/
96 3489,
97 /**/