summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
Diffstat
-rw-r--r--meta/recipes-support/vim/files/b7081e135a16091c93f6f5f7525a5c58fb7ca9f9.patch207
-rw-r--r--meta/recipes-support/vim/vim.inc2
2 files changed, 209 insertions, 0 deletions
diff --git a/meta/recipes-support/vim/files/b7081e135a16091c93f6f5f7525a5c58fb7ca9f9.patch b/meta/recipes-support/vim/files/b7081e135a16091c93f6f5f7525a5c58fb7ca9f9.patch
new file mode 100644
index 0000000000..1cee759502
--- /dev/null
+++ b/meta/recipes-support/vim/files/b7081e135a16091c93f6f5f7525a5c58fb7ca9f9.patch
@@ -0,0 +1,207 @@
1From b7081e135a16091c93f6f5f7525a5c58fb7ca9f9 Mon Sep 17 00:00:00 2001
2From: Bram Moolenaar <Bram@vim.org>
3Date: Sat, 4 Sep 2021 18:47:28 +0200
4Subject: [PATCH] patch 8.2.3402: invalid memory access when using :retab with
5 large value
6
7Problem: Invalid memory access when using :retab with large value.
8Solution: Check the number is positive.
9
10CVE: CVE-2021-3770
11Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
12Upstream-Status: Backport [https://github.com/vim/vim/commit/b7081e135a16091c93f6f5f7525a5c58fb7ca9f9]
13---
14 src/indent.c | 34 +++++++++++++++++++++-------------
15 src/option.c | 12 ++++++------
16 src/optionstr.c | 4 ++--
17 src/testdir/test_retab.vim | 3 +++
18 src/version.c | 2 ++
19 5 files changed, 34 insertions(+), 21 deletions(-)
20
21Index: git/src/indent.c
22===================================================================
23--- git.orig/src/indent.c
24+++ git/src/indent.c
25@@ -18,18 +18,19 @@
26 /*
27 * Set the integer values corresponding to the string setting of 'vartabstop'.
28 * "array" will be set, caller must free it if needed.
29+ * Return FAIL for an error.
30 */
31 int
32 tabstop_set(char_u *var, int **array)
33 {
34- int valcount = 1;
35- int t;
36- char_u *cp;
37+ int valcount = 1;
38+ int t;
39+ char_u *cp;
40
41 if (var[0] == NUL || (var[0] == '0' && var[1] == NUL))
42 {
43 *array = NULL;
44- return TRUE;
45+ return OK;
46 }
47
48 for (cp = var; *cp != NUL; ++cp)
49@@ -43,8 +44,8 @@ tabstop_set(char_u *var, int **array)
50 if (cp != end)
51 emsg(_(e_positive));
52 else
53- emsg(_(e_invarg));
54- return FALSE;
55+ semsg(_(e_invarg2), cp);
56+ return FAIL;
57 }
58 }
59
60@@ -55,26 +56,33 @@ tabstop_set(char_u *var, int **array)
61 ++valcount;
62 continue;
63 }
64- emsg(_(e_invarg));
65- return FALSE;
66+ semsg(_(e_invarg2), var);
67+ return FAIL;
68 }
69
70 *array = ALLOC_MULT(int, valcount + 1);
71 if (*array == NULL)
72- return FALSE;
73+ return FAIL;
74 (*array)[0] = valcount;
75
76 t = 1;
77 for (cp = var; *cp != NUL;)
78 {
79- (*array)[t++] = atoi((char *)cp);
80- while (*cp != NUL && *cp != ',')
81+ int n = atoi((char *)cp);
82+
83+ if (n < 0 || n > 9999)
84+ {
85+ semsg(_(e_invarg2), cp);
86+ return FAIL;
87+ }
88+ (*array)[t++] = n;
89+ while (*cp != NUL && *cp != ',')
90 ++cp;
91 if (*cp != NUL)
92 ++cp;
93 }
94
95- return TRUE;
96+ return OK;
97 }
98
99 /*
100@@ -1556,7 +1564,7 @@ ex_retab(exarg_T *eap)
101
102 #ifdef FEAT_VARTABS
103 new_ts_str = eap->arg;
104- if (!tabstop_set(eap->arg, &new_vts_array))
105+ if (tabstop_set(eap->arg, &new_vts_array) == FAIL)
106 return;
107 while (vim_isdigit(*(eap->arg)) || *(eap->arg) == ',')
108 ++(eap->arg);
109Index: git/src/option.c
110===================================================================
111--- git.orig/src/option.c
112+++ git/src/option.c
113@@ -2292,9 +2292,9 @@ didset_options2(void)
114 #endif
115 #ifdef FEAT_VARTABS
116 vim_free(curbuf->b_p_vsts_array);
117- tabstop_set(curbuf->b_p_vsts, &curbuf->b_p_vsts_array);
118+ (void)tabstop_set(curbuf->b_p_vsts, &curbuf->b_p_vsts_array);
119 vim_free(curbuf->b_p_vts_array);
120- tabstop_set(curbuf->b_p_vts, &curbuf->b_p_vts_array);
121+ (void)tabstop_set(curbuf->b_p_vts, &curbuf->b_p_vts_array);
122 #endif
123 }
124
125@@ -5756,7 +5756,7 @@ buf_copy_options(buf_T *buf, int flags)
126 buf->b_p_vsts = vim_strsave(p_vsts);
127 COPY_OPT_SCTX(buf, BV_VSTS);
128 if (p_vsts && p_vsts != empty_option)
129- tabstop_set(p_vsts, &buf->b_p_vsts_array);
130+ (void)tabstop_set(p_vsts, &buf->b_p_vsts_array);
131 else
132 buf->b_p_vsts_array = 0;
133 buf->b_p_vsts_nopaste = p_vsts_nopaste
134@@ -5914,7 +5914,7 @@ buf_copy_options(buf_T *buf, int flags)
135 buf->b_p_isk = save_p_isk;
136 #ifdef FEAT_VARTABS
137 if (p_vts && p_vts != empty_option && !buf->b_p_vts_array)
138- tabstop_set(p_vts, &buf->b_p_vts_array);
139+ (void)tabstop_set(p_vts, &buf->b_p_vts_array);
140 else
141 buf->b_p_vts_array = NULL;
142 #endif
143@@ -5929,7 +5929,7 @@ buf_copy_options(buf_T *buf, int flags)
144 buf->b_p_vts = vim_strsave(p_vts);
145 COPY_OPT_SCTX(buf, BV_VTS);
146 if (p_vts && p_vts != empty_option && !buf->b_p_vts_array)
147- tabstop_set(p_vts, &buf->b_p_vts_array);
148+ (void)tabstop_set(p_vts, &buf->b_p_vts_array);
149 else
150 buf->b_p_vts_array = NULL;
151 #endif
152@@ -6634,7 +6634,7 @@ paste_option_changed(void)
153 if (buf->b_p_vsts_array)
154 vim_free(buf->b_p_vsts_array);
155 if (buf->b_p_vsts && buf->b_p_vsts != empty_option)
156- tabstop_set(buf->b_p_vsts, &buf->b_p_vsts_array);
157+ (void)tabstop_set(buf->b_p_vsts, &buf->b_p_vsts_array);
158 else
159 buf->b_p_vsts_array = 0;
160 #endif
161Index: git/src/optionstr.c
162===================================================================
163--- git.orig/src/optionstr.c
164+++ git/src/optionstr.c
165@@ -2166,7 +2166,7 @@ did_set_string_option(
166 if (errmsg == NULL)
167 {
168 int *oldarray = curbuf->b_p_vsts_array;
169- if (tabstop_set(*varp, &(curbuf->b_p_vsts_array)))
170+ if (tabstop_set(*varp, &(curbuf->b_p_vsts_array)) == OK)
171 {
172 if (oldarray)
173 vim_free(oldarray);
174@@ -2205,7 +2205,7 @@ did_set_string_option(
175 {
176 int *oldarray = curbuf->b_p_vts_array;
177
178- if (tabstop_set(*varp, &(curbuf->b_p_vts_array)))
179+ if (tabstop_set(*varp, &(curbuf->b_p_vts_array)) == OK)
180 {
181 vim_free(oldarray);
182 #ifdef FEAT_FOLDING
183Index: git/src/testdir/test_retab.vim
184===================================================================
185--- git.orig/src/testdir/test_retab.vim
186+++ git/src/testdir/test_retab.vim
187@@ -74,4 +74,7 @@ endfunc
188 func Test_retab_error()
189 call assert_fails('retab -1', 'E487:')
190 call assert_fails('retab! -1', 'E487:')
191+ call assert_fails('ret -1000', 'E487:')
192+ call assert_fails('ret 10000', 'E475:')
193+ call assert_fails('ret 80000000000000000000', 'E475:')
194 endfunc
195Index: git/src/version.c
196===================================================================
197--- git.orig/src/version.c
198+++ git/src/version.c
199@@ -743,6 +743,8 @@ static char *(features[]) =
200 static int included_patches[] =
201 { /* Add new patch number below this line */
202 /**/
203+ 3402,
204+/**/
205 0
206 };
207
diff --git a/meta/recipes-support/vim/vim.inc b/meta/recipes-support/vim/vim.inc
index 6fe8fb90db..ecaba7107e 100644
--- a/meta/recipes-support/vim/vim.inc
+++ b/meta/recipes-support/vim/vim.inc
@@ -17,7 +17,9 @@ SRC_URI = "git://github.com/vim/vim.git \
17 file://0001-src-Makefile-improve-reproducibility.patch \ 17 file://0001-src-Makefile-improve-reproducibility.patch \
18 file://no-path-adjust.patch \ 18 file://no-path-adjust.patch \
19 file://racefix.patch \ 19 file://racefix.patch \
20 file://b7081e135a16091c93f6f5f7525a5c58fb7ca9f9.patch \
20" 21"
22
21SRCREV = "98056533b96b6b5d8849641de93185dd7bcadc44" 23SRCREV = "98056533b96b6b5d8849641de93185dd7bcadc44"
22 24
23# Do not consider .z in x.y.z, as that is updated with every commit 25# Do not consider .z in x.y.z, as that is updated with every commit
generated by cgit v1.2.3-54-g00ecf (git 2.39.0) at 2025-12-05 14:29:06 +0000