CVE: CVE-2022-1381 Signed-off-by: Rahul Chauhan <rahulchauhanki...@gmail.com> --- .../vim/files/CVE-2022-1381.patch | 111 ++++++++++++++++++ meta/recipes-support/vim/vim.inc | 1 + 2 files changed, 112 insertions(+) create mode 100644 meta/recipes-support/vim/files/CVE-2022-1381.patch
diff --git a/meta/recipes-support/vim/files/CVE-2022-1381.patch b/meta/recipes-support/vim/files/CVE-2022-1381.patch
new file mode 100644
index 0000000000..1b0e129746
--- /dev/null
+++ b/meta/recipes-support/vim/files/CVE-2022-1381.patch
@@ -0,0 +1,111 @@
+From 6a6cb529c7a8bda2c45964137d7c8df9c2623d51 Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <b...@vim.org>
+Date: Sat, 16 Apr 2022 18:52:17 +0100
+Subject: [PATCH] patch 8.2.4763: using invalid pointer with "V:" in Ex mode
+
+Problem: Using invalid pointer with "V:" in Ex mode.
+Solution: Correctly handle the command being changed to "+".
+
+Upstream-Status: Backport [https://github.com/vim/vim/commit/f50808ed135ab973296bca515ae4029b321afe47]
+CVE-2022-1381
+
+Signed-off-by: Rahul Chauhan <rahulchauhanki...@gmail.com>
+---
+ src/ex_docmd.c | 29 ++++++++++++++++++++++++-----
+ src/testdir/test_ex_mode.vim | 13 +++++++++++++
+ src/version.c | 2 ++
+ 3 files changed, 39 insertions(+), 5 deletions(-)
+
+diff --git a/src/ex_docmd.c b/src/ex_docmd.c
+index c12f151c3..9d3f1b420 100644
+--- a/src/ex_docmd.c
++++ b/src/ex_docmd.c
+@@ -2782,7 +2782,9 @@ parse_command_modifiers(
+ cmdmod_T *cmod,
+ int skip_only)
+ {
++ char_u *orig_cmd = eap->cmd;
+ char_u *cmd_start = NULL;
++ int did_plus_cmd = FALSE;
+ char_u *p;
+ int starts_with_colon = FALSE;
+ int vim9script = in_vim9script();
+@@ -2818,6 +2820,7 @@ parse_command_modifiers(
+ && curwin->w_cursor.lnum < curbuf->b_ml.ml_line_count)
+ {
+ eap->cmd = (char_u *)"+";
++ did_plus_cmd = TRUE;
+ if (!skip_only)
+ ex_pressedreturn = TRUE;
+ }
+@@ -3100,13 +3103,29 @@ parse_command_modifiers(
+ // Since the modifiers have been parsed put the colon on top of the
+ // space: "'<,'>mod cmd" -> "mod:'<,'>cmd
+ // Put eap->cmd after the colon.
+- mch_memmove(cmd_start - 5, cmd_start, eap->cmd - cmd_start);
+- eap->cmd -= 5;
+- mch_memmove(eap->cmd - 1, ":'<,'>", 6);
++ if (did_plus_cmd)
++ {
++ size_t len = STRLEN(cmd_start);
++
++ // Special case: empty command may have been changed to "+":
++ // "'<,'>mod" -> "mod'<,'>+
++ mch_memmove(orig_cmd, cmd_start, len);
++ STRCPY(orig_cmd + len, "'<,'>+");
++ }
++ else
++ {
++ mch_memmove(cmd_start - 5, cmd_start, eap->cmd - cmd_start);
++ eap->cmd -= 5;
++ mch_memmove(eap->cmd - 1, ":'<,'>", 6);
++ }
+ }
+ else
+- // no modifiers, move the pointer back
+- eap->cmd -= 5;
++ // No modifiers, move the pointer back.
++ // Special case: empty command may have been changed to "+".
++ if (did_plus_cmd)
++ eap->cmd = (char_u *)"'<,'>+";
++ else
++ eap->cmd = orig_cmd;
+ }
+
+ return OK;
+diff --git a/src/testdir/test_ex_mode.vim b/src/testdir/test_ex_mode.vim
+index 2642a16d2..d981ced6b 100644
+--- a/src/testdir/test_ex_mode.vim
++++ b/src/testdir/test_ex_mode.vim
+@@ -250,5 +250,18 @@ func Test_ex_mode_large_indent()
+ bwipe!
+ endfunc
+
++" This was accessing illegal memory when using "+" for eap->cmd.
++func Test_empty_command_visual_mode()
++ let lines =<< trim END
++ r<sfile>
++ 0norm0V:
++ :qall!
++ END
++ call writefile(lines, 'Xexmodescript')
++ call assert_equal(1, RunVim([], [], '-u NONE -e -s -S Xexmodescript'))
++
++ call delete('Xexmodescript')
++endfunc
++
+
+ " vim: shiftwidth=2 sts=2 expandtab
+diff --git a/src/version.c b/src/version.c
+index 79a3bad67..38c3e69b6 100644
+--- a/src/version.c
++++ b/src/version.c
+@@ -750,6 +750,8 @@ static char *(features[]) =
+
+ static int included_patches[] =
+ { /* Add new patch number below this line */
++/**/
++ 4763,
+ /**/
+ 4681,
+ /**/
diff --git a/meta/recipes-support/vim/vim.inc b/meta/recipes-support/vim/vim.inc
index 21ff036cf4..c78e53007e 100644
--- a/meta/recipes-support/vim/vim.inc
+++ b/meta/recipes-support/vim/vim.inc
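Review bot: In the `did_plus_cmd` branch of the last ex_docmd.c hunk, `STRCPY(orig_cmd + len, "'<,'>+")` leaves the rewritten string one byte longer than the one it replaces. Going by the comment, `'<,'>mod` (5 + len characters) becomes `mod'<,'>+` (len + 6), and nothing in the hunk shows that the buffer behind `orig_cmd` has that spare byte. Because this is the fix for an invalid-pointer access, the capacity assumption deserves a comment at the copy, for example `// buffer at orig_cmd must hold len + 7 bytes incl. NUL - TODO confirm at the allocation site`, or a bounded copy if that cannot be guaranteed. The no-modifier path still points `eap->cmd` at a string literal (`(char_u *)"'<,'>+"`), so any later in-place write or pointer arithmetic on `eap->cmd` would repeat the same class of bug; a short comment there marking the value as read-only would help. parse_command_modifiers starts and ends outside the hunks shown, so how callers use `eap->cmd` afterwards cannot be checked from here.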
@@ -19,6 +19,7 @@ SRC_URI = "git://github.com/vim/vim.git;branch=master;protocol=https \ file://0001-src-Makefile-improve-reproducibility.patch \ file://no-path-adjust.patch \ file://racefix.patch \ + file://CVE-2022-1381.patch \ " PV .= ".4681" -- 2.17.1
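Review bot: The patch file this line adds to SRC_URI identifies the CVE in its own header only as a bare `CVE-2022-1381` line, whereas the commit message uses the tag form `CVE: CVE-2022-1381`. The patch header should carry the same tagged line, `CVE: CVE-2022-1381`, next to `Upstream-Status`, so the fix is attributable from the file's contents and not only from its file name. This matters for anyone auditing which CVEs the recipe has patched, since `PV` here stays at `.4681` and will not reflect the backport by itself.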