vim: fix CVE-2021-3968 and CVE-2021-3973

Backport a fix for -3972, and whitelist -3968: it isn't valid as it fixes a bug which was introduced after 8.2. (From OE-Core rev: 4d2cdd3971b4cd3e42c47ec10ec105adfbc78e6e) Signed-off-by: Ross Burton <ross.burton@arm.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit bec5caadfb53638748d8c41ce7230c2bf7808d27) Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Ross Burton <ross@burtonini.com> 2021-11-30 16:53:12 +0000
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2021-12-13 23:02:49 +0000
commit: cbf8e1c83ad7929d1f3ac80dcb931c3984eda84b (patch)
tree: c734ac3c8431ee7b0f0576ed3eb47849b1a16d78 /meta/recipes-support
parent: 848bedfbb2df68c2165df43a668d48998cb029af (diff)
download: poky-cbf8e1c83ad7929d1f3ac80dcb931c3984eda84b.tar.gz
2 files changed, 96 insertions, 0 deletions
diff --git a/meta/recipes-support/vim/files/0002-patch-8.2.3611-crash-when-using-CTRL-W-f-without-fin.patch b/meta/recipes-support/vim/files/0002-patch-8.2.3611-crash-when-using-CTRL-W-f-without-fin.patch
new file mode 100644
index 0000000000..58d3442677
--- /dev/null
+++ b/meta/recipes-support/vim/files/0002-patch-8.2.3611-crash-when-using-CTRL-W-f-without-fin.patch
@@ -0,0 +1,92 @@
+CVE: CVE-2021-3973
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@arm.com>
+From b6154e9f530544ddc3130d981caae0dabc053757 Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Wed, 17 Nov 2021 18:00:31 +0000
+Subject: [PATCH] patch 8.2.3611: crash when using CTRL-W f without finding a
+ file name  Problem:    Crash when using CTRL-W f without finding
+ a file name. Solution:   Bail out when the file name length is zero.
+---
+ src/findfile.c              | 8 ++++++++
+ src/normal.c                | 6 ++++--
+ src/testdir/test_visual.vim | 8 ++++++++
+ src/version.c               | 2 ++
+ 4 files changed, 22 insertions(+), 2 deletions(-)
+diff --git a/src/findfile.c b/src/findfile.c
+index dba547da1..5764fd7b8 100644
+--- a/src/findfile.c
+++ b/src/findfile.c
+@@ -1727,6 +1727,9 @@ find_file_in_path_option(
+     proc->pr_WindowPtr = (APTR)-1L;
+ # endif
+ 
+    if (len == 0)
+       return NULL;
+
+     if (first == TRUE)
+     {
+        // copy file name into NameBuff, expanding environment variables
+@@ -2094,7 +2097,12 @@ find_file_name_in_path(
+     int                c;
+ # if defined(FEAT_FIND_ID) && defined(FEAT_EVAL)
+     char_u     *tofree = NULL;
+# endif
+ 
+    if (len == 0)
+       return NULL;
+
+# if defined(FEAT_FIND_ID) && defined(FEAT_EVAL)
+     if ((options & FNAME_INCL) && *curbuf->b_p_inex != NUL)
+     {
+        tofree = eval_includeexpr(ptr, len);
+diff --git a/src/normal.c b/src/normal.c
+index 7cb959257..f0084f2ac 100644
+--- a/src/normal.c
+++ b/src/normal.c
+@@ -3778,8 +3778,10 @@ get_visual_text(
+            *pp = ml_get_pos(&VIsual);
+            *lenp = curwin->w_cursor.col - VIsual.col + 1;
+        }
+-       if (has_mbyte)
+-           // Correct the length to include the whole last character.
+       if (**pp == NUL)
+           *lenp = 0;
+       if (has_mbyte && *lenp > 0)
+           // Correct the length to include all bytes of the last character.
+            *lenp += (*mb_ptr2len)(*pp + (*lenp - 1)) - 1;
+     }
+     reset_VIsual_and_resel();
+diff --git a/src/testdir/test_visual.vim b/src/testdir/test_visual.vim
+index ae281238e..0705fdb57 100644
+--- a/src/testdir/test_visual.vim
+++ b/src/testdir/test_visual.vim
+@@ -894,4 +894,12 @@ func Test_block_insert_replace_tabs()
+   bwipe!
+ endfunc
+ 
+func Test_visual_block_ctrl_w_f()
+  " Emtpy block selected in new buffer should not result in an error.
+  au! BufNew foo sil norm f
+  edit foo
+
+  au! BufNew
+endfunc
+
+ " vim: shiftwidth=2 sts=2 expandtab
+diff --git a/src/version.c b/src/version.c
+index 52be3c39d..59a314b3a 100644
+--- a/src/version.c
+++ b/src/version.c
+@@ -742,6 +742,8 @@ static char *(features[]) =
+ 
+ static int included_patches[] =
+ {   /* Add new patch number below this line */
+/**/
+    3611,
+ /**/
+     3582,
+ /**/
diff --git a/meta/recipes-support/vim/vim.inc b/meta/recipes-support/vim/vim.inc
index d0957bfeae..6cdf157cb6 100644
--- a/meta/recipes-support/vim/vim.inc
+++ b/meta/recipes-support/vim/vim.inc
@@ -25,6 +25,7 @@ SRC_URI = "git://github.com/vim/vim.git;branch=master;protocol=https \
           file://0005-patch-8.2.3564-invalid-memory-access-when-scrolling-.patch \
           file://0001-patch-8.2.3581-reading-character-past-end-of-line.patch \
           file://0002-patch-8.2.3582-reading-uninitialized-memory-when-giv.patch \
+           file://0002-patch-8.2.3611-crash-when-using-CTRL-W-f-without-fin.patch \
           "
 SRCREV = "98056533b96b6b5d8849641de93185dd7bcadc44"
@@ -32,6 +33,9 @@ SRCREV = "98056533b96b6b5d8849641de93185dd7bcadc44"
 # Do not consider .z in x.y.z, as that is updated with every commit
 UPSTREAM_CHECK_GITTAGREGEX = "(?P<pver>\d+\.\d+)\.0"
+# CVE-2021-3968 is related to an issue which was introduced after 8.2, this can be removed after 8.3.
+CVE_CHECK_WHITELIST += "CVE-2021-3968"
 S = "${WORKDIR}/git"
 VIMDIR = "vim${@d.getVar('PV').split('.')[0]}${@d.getVar('PV').split('.')[1]}"
author	Ross Burton <ross@burtonini.com>	2021-11-30 16:53:12 +0000
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2021-12-13 23:02:49 +0000
commit	cbf8e1c83ad7929d1f3ac80dcb931c3984eda84b (patch)
tree	c734ac3c8431ee7b0f0576ed3eb47849b1a16d78 /meta/recipes-support
parent	848bedfbb2df68c2165df43a668d48998cb029af (diff)
download	poky-cbf8e1c83ad7929d1f3ac80dcb931c3984eda84b.tar.gz

diff --git a/meta/recipes-support/vim/files/0002-patch-8.2.3611-crash-when-using-CTRL-W-f-without-fin.patch b/meta/recipes-support/vim/files/0002-patch-8.2.3611-crash-when-using-CTRL-W-f-without-fin.patch new file mode 100644 index 0000000000..58d3442677 --- /dev/null +++ b/meta/recipes-support/vim/files/0002-patch-8.2.3611-crash-when-using-CTRL-W-f-without-fin.patch
@@ -0,0 +1,92 @@
		1	CVE: CVE-2021-3973
		2	Upstream-Status: Backport
		3	Signed-off-by: Ross Burton <ross.burton@arm.com>
		4
		5	From b6154e9f530544ddc3130d981caae0dabc053757 Mon Sep 17 00:00:00 2001
		6	From: Bram Moolenaar <Bram@vim.org>
		7	Date: Wed, 17 Nov 2021 18:00:31 +0000
		8	Subject: [PATCH] patch 8.2.3611: crash when using CTRL-W f without finding a
		9	file name Problem: Crash when using CTRL-W f without finding
		10	a file name. Solution: Bail out when the file name length is zero.
		11
		12	---
		13	src/findfile.c \| 8 ++++++++
		14	src/normal.c \| 6 ++++--
		15	src/testdir/test_visual.vim \| 8 ++++++++
		16	src/version.c \| 2 ++
		17	4 files changed, 22 insertions(+), 2 deletions(-)
		18
		19	diff --git a/src/findfile.c b/src/findfile.c
		20	index dba547da1..5764fd7b8 100644
		21	--- a/src/findfile.c
		22	+++ b/src/findfile.c
		23	@@ -1727,6 +1727,9 @@ find_file_in_path_option(
		24	proc->pr_WindowPtr = (APTR)-1L;
		25	# endif
		26
		27	+ if (len == 0)
		28	+ return NULL;
		29	+
		30	if (first == TRUE)
		31	{
		32	// copy file name into NameBuff, expanding environment variables
		33	@@ -2094,7 +2097,12 @@ find_file_name_in_path(
		34	int c;
		35	# if defined(FEAT_FIND_ID) && defined(FEAT_EVAL)
		36	char_u *tofree = NULL;
		37	+# endif
		38
		39	+ if (len == 0)
		40	+ return NULL;
		41	+
		42	+# if defined(FEAT_FIND_ID) && defined(FEAT_EVAL)
		43	if ((options & FNAME_INCL) && *curbuf->b_p_inex != NUL)
		44	{
		45	tofree = eval_includeexpr(ptr, len);
		46	diff --git a/src/normal.c b/src/normal.c
		47	index 7cb959257..f0084f2ac 100644
		48	--- a/src/normal.c
		49	+++ b/src/normal.c
		50	@@ -3778,8 +3778,10 @@ get_visual_text(
		51	*pp = ml_get_pos(&VIsual);
		52	*lenp = curwin->w_cursor.col - VIsual.col + 1;
		53	}
		54	- if (has_mbyte)
		55	- // Correct the length to include the whole last character.
		56	+ if (**pp == NUL)
		57	+ *lenp = 0;
		58	+ if (has_mbyte && *lenp > 0)
		59	+ // Correct the length to include all bytes of the last character.
		60	lenp += (mb_ptr2len)(pp + (lenp - 1)) - 1;
		61	}
		62	reset_VIsual_and_resel();
		63	diff --git a/src/testdir/test_visual.vim b/src/testdir/test_visual.vim
		64	index ae281238e..0705fdb57 100644
		65	--- a/src/testdir/test_visual.vim
		66	+++ b/src/testdir/test_visual.vim
		67	@@ -894,4 +894,12 @@ func Test_block_insert_replace_tabs()
		68	bwipe!
		69	endfunc
		70
		71	+func Test_visual_block_ctrl_w_f()
		72	+ " Emtpy block selected in new buffer should not result in an error.
		73	+ au! BufNew foo sil norm f
		74	+ edit foo
		75	+
		76	+ au! BufNew
		77	+endfunc
		78	+
		79	" vim: shiftwidth=2 sts=2 expandtab
		80	diff --git a/src/version.c b/src/version.c
		81	index 52be3c39d..59a314b3a 100644
		82	--- a/src/version.c
		83	+++ b/src/version.c
		84	@@ -742,6 +742,8 @@ static char *(features[]) =
		85
		86	static int included_patches[] =
		87	{ /* Add new patch number below this line */
		88	+/**/
		89	+ 3611,
		90	/**/
		91	3582,
		92	/**/


diff --git a/meta/recipes-support/vim/vim.inc b/meta/recipes-support/vim/vim.inc index d0957bfeae..6cdf157cb6 100644 --- a/meta/recipes-support/vim/vim.inc +++ b/meta/recipes-support/vim/vim.inc
@@ -25,6 +25,7 @@ SRC_URI = "git://github.com/vim/vim.git;branch=master;protocol=https \
25	file://0005-patch-8.2.3564-invalid-memory-access-when-scrolling-.patch \	25	file://0005-patch-8.2.3564-invalid-memory-access-when-scrolling-.patch \
26	file://0001-patch-8.2.3581-reading-character-past-end-of-line.patch \	26	file://0001-patch-8.2.3581-reading-character-past-end-of-line.patch \
27	file://0002-patch-8.2.3582-reading-uninitialized-memory-when-giv.patch \	27	file://0002-patch-8.2.3582-reading-uninitialized-memory-when-giv.patch \
		28	file://0002-patch-8.2.3611-crash-when-using-CTRL-W-f-without-fin.patch \
28	"	29	"
29		30
30	SRCREV = "98056533b96b6b5d8849641de93185dd7bcadc44"	31	SRCREV = "98056533b96b6b5d8849641de93185dd7bcadc44"
@@ -32,6 +33,9 @@ SRCREV = "98056533b96b6b5d8849641de93185dd7bcadc44"
32	# Do not consider .z in x.y.z, as that is updated with every commit	33	# Do not consider .z in x.y.z, as that is updated with every commit
33	UPSTREAM_CHECK_GITTAGREGEX = "(?P<pver>\d+\.\d+)\.0"	34	UPSTREAM_CHECK_GITTAGREGEX = "(?P<pver>\d+\.\d+)\.0"
34		35
		36	# CVE-2021-3968 is related to an issue which was introduced after 8.2, this can be removed after 8.3.
		37	CVE_CHECK_WHITELIST += "CVE-2021-3968"
		38
35	S = "${WORKDIR}/git"	39	S = "${WORKDIR}/git"
36		40
37	VIMDIR = "vim${@d.getVar('PV').split('.')[0]}${@d.getVar('PV').split('.')[1]}"	41	VIMDIR = "vim${@d.getVar('PV').split('.')[0]}${@d.getVar('PV').split('.')[1]}"