From 05d20104b8e1496cc49d38b29f2f04fb25564bf1 Mon Sep 17 00:00:00 2001 From: Zhao Hang Date: Thu, 7 Jul 2022 13:47:34 +0800 Subject: [PATCH] update to vim-8.0.1763-19.el8_6.2 Signed-off-by: Zhao Hang --- ...an-execute-shell-commands-in-rvim-th.patch | 461 ++++++++++++++++++ ...llegal-memory-access-if-buffer-name-.patch | 35 ++ ...llegal-memory-access-when-C-indentin.patch | 34 ++ ...uffer-overflow-with-long-help-argume.patch | 14 + ...h-8.2.3949-using-freed-memory-with-V.patch | 45 ++ ...oing-beyond-the-end-of-the-line-with.patch | 38 ++ ...lock-insert-goes-over-the-end-of-the.patch | 95 ++++ ...151-reading-beyond-the-end-of-a-line.patch | 46 ++ ...llegal-memory-access-with-large-tabs.patch | 12 + ...llegal-memory-access-when-copying-li.patch | 33 ++ ...llegal-memory-access-with-bracketed-.patch | 85 ++++ ...sing-freed-memory-when-substitute-wi.patch | 51 ++ ...sing-buffer-line-after-it-has-been-f.patch | 22 + ...can-add-invalid-bytes-with-spellgood.patch | 54 ++ ...railing-backslash-may-cause-reading-.patch | 15 + download | 1 + vim-cve3778-fix.patch | 13 + vim-cve3796.patch | 51 ++ vim.spec | 127 +++-- 19 files changed, 1204 insertions(+), 28 deletions(-) create mode 100644 0001-patch-8.1.0881-can-execute-shell-commands-in-rvim-th.patch create mode 100644 0001-patch-8.2.3487-illegal-memory-access-if-buffer-name-.patch create mode 100644 0001-patch-8.2.3625-illegal-memory-access-when-C-indentin.patch create mode 100644 0001-patch-8.2.3669-buffer-overflow-with-long-help-argume.patch create mode 100644 0001-patch-8.2.3949-using-freed-memory-with-V.patch create mode 100644 0001-patch-8.2.3950-going-beyond-the-end-of-the-line-with.patch create mode 100644 0001-patch-8.2.4120-block-insert-goes-over-the-end-of-the.patch create mode 100644 0001-patch-8.2.4151-reading-beyond-the-end-of-a-line.patch create mode 100644 0001-patch-8.2.4214-illegal-memory-access-with-large-tabs.patch create mode 100644 0001-patch-8.2.4215-illegal-memory-access-when-copying-li.patch create mode 100644 0001-patch-8.2.4218-illegal-memory-access-with-bracketed-.patch create mode 100644 0001-patch-8.2.4253-using-freed-memory-when-substitute-wi.patch create mode 100644 0001-patch-8.2.4646-using-buffer-line-after-it-has-been-f.patch create mode 100644 0001-patch-8.2.4919-can-add-invalid-bytes-with-spellgood.patch create mode 100644 0001-patch-8.2.4925-trailing-backslash-may-cause-reading-.patch create mode 100644 download create mode 100644 vim-cve3778-fix.patch create mode 100644 vim-cve3796.patch diff --git a/0001-patch-8.1.0881-can-execute-shell-commands-in-rvim-th.patch b/0001-patch-8.1.0881-can-execute-shell-commands-in-rvim-th.patch new file mode 100644 index 0000000..e74d837 --- /dev/null +++ b/0001-patch-8.1.0881-can-execute-shell-commands-in-rvim-th.patch @@ -0,0 +1,461 @@ +diff --git a/runtime/doc/starting.txt b/runtime/doc/starting.txt +index 8256152..8320039 100644 +--- a/runtime/doc/starting.txt ++++ b/runtime/doc/starting.txt +@@ -247,12 +247,18 @@ a slash. Thus "-R" means recovery and "-/R" readonly. + changes and writing. + {not in Vi} + +- *-Z* *restricted-mode* *E145* ++ *-Z* *restricted-mode* *E145* *E981* + -Z Restricted mode. All commands that make use of an external + shell are disabled. This includes suspending with CTRL-Z, +- ":sh", filtering, the system() function, backtick expansion, +- delete(), rename(), mkdir(), writefile(), libcall(), +- job_start(), etc. ++ ":sh", filtering, the system() function, backtick expansion ++ and libcall(). ++ Also disallowed are delete(), rename(), mkdir(), job_start(), ++ etc. ++ Interfaces, such as Python, Ruby and Lua, are also disabled, ++ since they could be used to execute shell commands. Perl uses ++ the Safe module. ++ Note that the user may still find a loophole to execute a ++ shell command, it has only been made difficult. + {not in Vi} + + *-g* +diff --git a/src/evalfunc.c b/src/evalfunc.c +index dd4462d..3cc305a 100644 +--- a/src/evalfunc.c ++++ b/src/evalfunc.c +@@ -6446,7 +6446,7 @@ f_histadd(typval_T *argvars UNUSED, typval_T *rettv) + #endif + + rettv->vval.v_number = FALSE; +- if (check_restricted() || check_secure()) ++ if (check_secure()) + return; + #ifdef FEAT_CMDHIST + str = get_tv_string_chk(&argvars[0]); /* NULL on type error */ +@@ -7456,6 +7456,9 @@ f_luaeval(typval_T *argvars, typval_T *rettv) + char_u *str; + char_u buf[NUMBUFLEN]; + ++ if (check_restricted() || check_secure()) ++ return; ++ + str = get_tv_string_buf(&argvars[0], buf); + do_luaeval(str, argvars + 1, rettv); + } +@@ -8188,6 +8191,8 @@ f_mzeval(typval_T *argvars, typval_T *rettv) + char_u *str; + char_u buf[NUMBUFLEN]; + ++ if (check_restricted() || check_secure()) ++ return; + str = get_tv_string_buf(&argvars[0], buf); + do_mzeval(str, rettv); + } +@@ -8398,6 +8403,9 @@ f_py3eval(typval_T *argvars, typval_T *rettv) + char_u *str; + char_u buf[NUMBUFLEN]; + ++ if (check_restricted() || check_secure()) ++ return; ++ + if (p_pyx == 0) + p_pyx = 3; + +@@ -8416,6 +8424,9 @@ f_pyeval(typval_T *argvars, typval_T *rettv) + char_u *str; + char_u buf[NUMBUFLEN]; + ++ if (check_restricted() || check_secure()) ++ return; ++ + if (p_pyx == 0) + p_pyx = 2; + +@@ -8431,6 +8442,9 @@ f_pyeval(typval_T *argvars, typval_T *rettv) + static void + f_pyxeval(typval_T *argvars, typval_T *rettv) + { ++ if (check_restricted() || check_secure()) ++ return; ++ + # if defined(FEAT_PYTHON) && defined(FEAT_PYTHON3) + init_pyxversion(); + if (p_pyx == 2) +@@ -10272,7 +10286,7 @@ f_setbufvar(typval_T *argvars, typval_T *rettv UNUSED) + typval_T *varp; + char_u nbuf[NUMBUFLEN]; + +- if (check_restricted() || check_secure()) ++ if (check_secure()) + return; + (void)get_tv_number(&argvars[0]); /* issue errmsg if type error */ + varname = get_tv_string_chk(&argvars[1]); +@@ -10792,7 +10806,7 @@ f_settabvar(typval_T *argvars, typval_T *rettv) + + rettv->vval.v_number = 0; + +- if (check_restricted() || check_secure()) ++ if (check_secure()) + return; + + tp = find_tabpage((int)get_tv_number_chk(&argvars[0], NULL)); +@@ -13674,7 +13688,7 @@ f_writefile(typval_T *argvars, typval_T *rettv) + list_T *list; + + rettv->vval.v_number = -1; +- if (check_restricted() || check_secure()) ++ if (check_secure()) + return; + + if (argvars[0].v_type != VAR_LIST) +diff --git a/src/ex_cmds.c b/src/ex_cmds.c +index 111fe01..1827fec 100644 +--- a/src/ex_cmds.c ++++ b/src/ex_cmds.c +@@ -4693,7 +4693,7 @@ check_restricted(void) + { + if (restricted) + { +- EMSG(_("E145: Shell commands not allowed in rvim")); ++ EMSG(_("E145: Shell commands and some functionality not allowed in rvim")); + return TRUE; + } + return FALSE; +diff --git a/src/ex_cmds.h b/src/ex_cmds.h +index 48b0253..82d6e29 100644 +--- a/src/ex_cmds.h ++++ b/src/ex_cmds.h +@@ -56,6 +56,7 @@ + * curbuf_lock is set */ + #define MODIFY 0x200000L /* forbidden in non-'modifiable' buffer */ + #define EXFLAGS 0x400000L /* allow flags after count in argument */ ++#define RESTRICT 0x800000L /* forbidden in restricted mode */ + #define FILES (XFILE | EXTRA) /* multiple extra files allowed */ + #define WORD1 (EXTRA | NOSPC) /* one extra word allowed */ + #define FILE1 (FILES | NOSPC) /* 1 file allowed, defaults to current file */ +@@ -860,13 +861,13 @@ EX(CMD_lunmap, "lunmap", ex_unmap, + EXTRA|TRLBAR|NOTRLCOM|USECTRLV|CMDWIN, + ADDR_LINES), + EX(CMD_lua, "lua", ex_lua, +- RANGE|EXTRA|NEEDARG|CMDWIN, ++ RANGE|EXTRA|NEEDARG|CMDWIN|RESTRICT, + ADDR_LINES), + EX(CMD_luado, "luado", ex_luado, +- RANGE|DFLALL|EXTRA|NEEDARG|CMDWIN, ++ RANGE|DFLALL|EXTRA|NEEDARG|CMDWIN|RESTRICT, + ADDR_LINES), + EX(CMD_luafile, "luafile", ex_luafile, +- RANGE|FILE1|NEEDARG|CMDWIN, ++ RANGE|FILE1|NEEDARG|CMDWIN|RESTRICT, + ADDR_LINES), + EX(CMD_lvimgrep, "lvimgrep", ex_vimgrep, + RANGE|NOTADR|BANG|NEEDARG|EXTRA|NOTRLCOM|TRLBAR|XFILE, +@@ -929,10 +930,10 @@ EX(CMD_mode, "mode", ex_mode, + WORD1|TRLBAR|CMDWIN, + ADDR_LINES), + EX(CMD_mzscheme, "mzscheme", ex_mzscheme, +- RANGE|EXTRA|DFLALL|NEEDARG|CMDWIN|SBOXOK, ++ RANGE|EXTRA|DFLALL|NEEDARG|CMDWIN|SBOXOK|RESTRICT, + ADDR_LINES), + EX(CMD_mzfile, "mzfile", ex_mzfile, +- RANGE|FILE1|NEEDARG|CMDWIN, ++ RANGE|FILE1|NEEDARG|CMDWIN|RESTRICT, + ADDR_LINES), + EX(CMD_next, "next", ex_next, + RANGE|NOTADR|BANG|FILES|EDITCMD|ARGOPT|TRLBAR, +@@ -1115,37 +1116,37 @@ EX(CMD_pwd, "pwd", ex_pwd, + TRLBAR|CMDWIN, + ADDR_LINES), + EX(CMD_python, "python", ex_python, +- RANGE|EXTRA|NEEDARG|CMDWIN, ++ RANGE|EXTRA|NEEDARG|CMDWIN|RESTRICT, + ADDR_LINES), + EX(CMD_pydo, "pydo", ex_pydo, +- RANGE|DFLALL|EXTRA|NEEDARG|CMDWIN, ++ RANGE|DFLALL|EXTRA|NEEDARG|CMDWIN|RESTRICT, + ADDR_LINES), + EX(CMD_pyfile, "pyfile", ex_pyfile, +- RANGE|FILE1|NEEDARG|CMDWIN, ++ RANGE|FILE1|NEEDARG|CMDWIN|RESTRICT, + ADDR_LINES), + EX(CMD_py3, "py3", ex_py3, +- RANGE|EXTRA|NEEDARG|CMDWIN, ++ RANGE|EXTRA|NEEDARG|CMDWIN|RESTRICT, + ADDR_LINES), + EX(CMD_py3do, "py3do", ex_py3do, +- RANGE|DFLALL|EXTRA|NEEDARG|CMDWIN, ++ RANGE|DFLALL|EXTRA|NEEDARG|CMDWIN|RESTRICT, + ADDR_LINES), + EX(CMD_python3, "python3", ex_py3, +- RANGE|EXTRA|NEEDARG|CMDWIN, ++ RANGE|EXTRA|NEEDARG|CMDWIN|RESTRICT, + ADDR_LINES), + EX(CMD_py3file, "py3file", ex_py3file, +- RANGE|FILE1|NEEDARG|CMDWIN, ++ RANGE|FILE1|NEEDARG|CMDWIN|RESTRICT, + ADDR_LINES), + EX(CMD_pyx, "pyx", ex_pyx, +- RANGE|EXTRA|NEEDARG|CMDWIN, ++ RANGE|EXTRA|NEEDARG|CMDWIN|RESTRICT, + ADDR_LINES), + EX(CMD_pyxdo, "pyxdo", ex_pyxdo, +- RANGE|DFLALL|EXTRA|NEEDARG|CMDWIN, ++ RANGE|DFLALL|EXTRA|NEEDARG|CMDWIN|RESTRICT, + ADDR_LINES), + EX(CMD_pythonx, "pythonx", ex_pyx, +- RANGE|EXTRA|NEEDARG|CMDWIN, ++ RANGE|EXTRA|NEEDARG|CMDWIN|RESTRICT, + ADDR_LINES), + EX(CMD_pyxfile, "pyxfile", ex_pyxfile, +- RANGE|FILE1|NEEDARG|CMDWIN, ++ RANGE|FILE1|NEEDARG|CMDWIN|RESTRICT, + ADDR_LINES), + EX(CMD_quit, "quit", ex_quit, + BANG|RANGE|COUNT|NOTADR|TRLBAR|CMDWIN, +@@ -1199,13 +1200,13 @@ EX(CMD_runtime, "runtime", ex_runtime, + BANG|NEEDARG|FILES|TRLBAR|SBOXOK|CMDWIN, + ADDR_LINES), + EX(CMD_ruby, "ruby", ex_ruby, +- RANGE|EXTRA|NEEDARG|CMDWIN, ++ RANGE|EXTRA|NEEDARG|CMDWIN|RESTRICT, + ADDR_LINES), + EX(CMD_rubydo, "rubydo", ex_rubydo, +- RANGE|DFLALL|EXTRA|NEEDARG|CMDWIN, ++ RANGE|DFLALL|EXTRA|NEEDARG|CMDWIN|RESTRICT, + ADDR_LINES), + EX(CMD_rubyfile, "rubyfile", ex_rubyfile, +- RANGE|FILE1|NEEDARG|CMDWIN, ++ RANGE|FILE1|NEEDARG|CMDWIN|RESTRICT, + ADDR_LINES), + EX(CMD_rundo, "rundo", ex_rundo, + NEEDARG|FILE1, +@@ -1472,13 +1473,13 @@ EX(CMD_tabs, "tabs", ex_tabs, + TRLBAR|CMDWIN, + ADDR_TABS), + EX(CMD_tcl, "tcl", ex_tcl, +- RANGE|EXTRA|NEEDARG|CMDWIN, ++ RANGE|EXTRA|NEEDARG|CMDWIN|RESTRICT, + ADDR_LINES), + EX(CMD_tcldo, "tcldo", ex_tcldo, +- RANGE|DFLALL|EXTRA|NEEDARG|CMDWIN, ++ RANGE|DFLALL|EXTRA|NEEDARG|CMDWIN|RESTRICT, + ADDR_LINES), + EX(CMD_tclfile, "tclfile", ex_tclfile, +- RANGE|FILE1|NEEDARG|CMDWIN, ++ RANGE|FILE1|NEEDARG|CMDWIN|RESTRICT, + ADDR_LINES), + EX(CMD_tearoff, "tearoff", ex_tearoff, + NEEDARG|EXTRA|TRLBAR|NOTRLCOM|CMDWIN, +diff --git a/src/ex_docmd.c b/src/ex_docmd.c +index ef86fc8..aaf2f9d 100644 +--- a/src/ex_docmd.c ++++ b/src/ex_docmd.c +@@ -2372,11 +2372,16 @@ do_one_cmd( + #ifdef HAVE_SANDBOX + if (sandbox != 0 && !(ea.argt & SBOXOK)) + { +- /* Command not allowed in sandbox. */ ++ // Command not allowed in sandbox. + errormsg = (char_u *)_(e_sandbox); + goto doend; + } + #endif ++ if (restricted != 0 && (ea.argt & RESTRICT)) ++ { ++ errormsg = (char_u *)_("E981: Command not allowed in rvim"); ++ goto doend; ++ } + if (!curbuf->b_p_ma && (ea.argt & MODIFY)) + { + /* Command not allowed in non-'modifiable' buffer */ +diff --git a/src/if_perl.xs b/src/if_perl.xs +index 7b45033..fc8d613 100644 +--- a/src/if_perl.xs ++++ b/src/if_perl.xs +@@ -930,6 +930,7 @@ VIM_init(void) + #ifdef DYNAMIC_PERL + static char *e_noperl = N_("Sorry, this command is disabled: the Perl library could not be loaded."); + #endif ++static char *e_perlsandbox = N_("E299: Perl evaluation forbidden in sandbox without the Safe module"); + + /* + * ":perl" +@@ -978,13 +979,12 @@ ex_perl(exarg_T *eap) + vim_free(script); + } + +-#ifdef HAVE_SANDBOX +- if (sandbox) ++ if (sandbox || secure) + { + safe = perl_get_sv("VIM::safe", FALSE); + # ifndef MAKE_TEST /* avoid a warning for unreachable code */ + if (safe == NULL || !SvTRUE(safe)) +- EMSG(_("E299: Perl evaluation forbidden in sandbox without the Safe module")); ++ EMSG(_(e_perlsandbox)); + else + # endif + { +@@ -996,7 +996,6 @@ ex_perl(exarg_T *eap) + } + } + else +-#endif + perl_eval_sv(sv, G_DISCARD | G_NOARGS); + + SvREFCNT_dec(sv); +@@ -1259,13 +1258,12 @@ do_perleval(char_u *str, typval_T *rettv) + ENTER; + SAVETMPS; + +-#ifdef HAVE_SANDBOX +- if (sandbox) ++ if (sandbox || secure) + { + safe = get_sv("VIM::safe", FALSE); + # ifndef MAKE_TEST /* avoid a warning for unreachable code */ + if (safe == NULL || !SvTRUE(safe)) +- EMSG(_("E299: Perl evaluation forbidden in sandbox without the Safe module")); ++ EMSG(_(e_perlsandbox)); + else + # endif + { +@@ -1281,7 +1279,6 @@ do_perleval(char_u *str, typval_T *rettv) + } + } + else +-#endif /* HAVE_SANDBOX */ + sv = eval_pv((char *)str, 0); + + if (sv) { +diff --git a/src/testdir/Make_all.mak b/src/testdir/Make_all.mak +index e36089a..5f1c38c 100644 +--- a/src/testdir/Make_all.mak ++++ b/src/testdir/Make_all.mak +@@ -156,6 +156,7 @@ NEW_TESTS = test_arabic.res \ + test_quotestar.res \ + test_regex_char_classes.res \ + test_registers.res \ ++ test_restricted.res \ + test_retab.res \ + test_ruby.res \ + test_scrollbind.res \ +diff --git a/src/testdir/test_restricted.vim b/src/testdir/test_restricted.vim +new file mode 100644 +index 0000000..9dd937c +--- /dev/null ++++ b/src/testdir/test_restricted.vim +@@ -0,0 +1,107 @@ ++" Test for "rvim" or "vim -Z" ++ ++source shared.vim ++ ++func Test_restricted() ++ let cmd = GetVimCommand('Xrestricted') ++ if cmd == '' ++ return ++ endif ++ ++ call writefile([ ++ \ "silent !ls", ++ \ "call writefile([v:errmsg], 'Xrestrout')", ++ \ "qa!", ++ \ ], 'Xrestricted') ++ call system(cmd . ' -Z') ++ call assert_match('E145:', join(readfile('Xrestrout'))) ++ ++ call delete('Xrestricted') ++ call delete('Xrestrout') ++endfunc ++ ++func Run_restricted_test(ex_cmd, error) ++ let cmd = GetVimCommand('Xrestricted') ++ if cmd == '' ++ return ++ endif ++ ++ call writefile([ ++ \ a:ex_cmd, ++ \ "call writefile([v:errmsg], 'Xrestrout')", ++ \ "qa!", ++ \ ], 'Xrestricted') ++ call system(cmd . ' -Z') ++ call assert_match(a:error, join(readfile('Xrestrout'))) ++ ++ call delete('Xrestricted') ++ call delete('Xrestrout') ++endfunc ++ ++func Test_restricted_lua() ++ if !has('lua') ++ throw 'Skipped: Lua is not supported' ++ endif ++ call Run_restricted_test('lua print("Hello, Vim!")', 'E981:') ++ call Run_restricted_test('luado return "hello"', 'E981:') ++ call Run_restricted_test('luafile somefile', 'E981:') ++ call Run_restricted_test('call luaeval("expression")', 'E145:') ++endfunc ++ ++func Test_restricted_mzscheme() ++ if !has('mzscheme') ++ throw 'Skipped: MzScheme is not supported' ++ endif ++ call Run_restricted_test('mzscheme statement', 'E981:') ++ call Run_restricted_test('mzfile somefile', 'E981:') ++ call Run_restricted_test('call mzeval("expression")', 'E145:') ++endfunc ++ ++func Test_restricted_perl() ++ if !has('perl') ++ throw 'Skipped: Perl is not supported' ++ endif ++ " TODO: how to make Safe mode fail? ++ " call Run_restricted_test('perl system("ls")', 'E981:') ++ " call Run_restricted_test('perldo system("hello")', 'E981:') ++ " call Run_restricted_test('perlfile somefile', 'E981:') ++ " call Run_restricted_test('call perleval("system(\"ls\")")', 'E145:') ++endfunc ++ ++func Test_restricted_python() ++ if !has('python') ++ throw 'Skipped: Python is not supported' ++ endif ++ call Run_restricted_test('python print "hello"', 'E981:') ++ call Run_restricted_test('pydo return "hello"', 'E981:') ++ call Run_restricted_test('pyfile somefile', 'E981:') ++ call Run_restricted_test('call pyeval("expression")', 'E145:') ++endfunc ++ ++func Test_restricted_python3() ++ if !has('python3') ++ throw 'Skipped: Python3 is not supported' ++ endif ++ call Run_restricted_test('py3 print "hello"', 'E981:') ++ call Run_restricted_test('py3do return "hello"', 'E981:') ++ call Run_restricted_test('py3file somefile', 'E981:') ++ call Run_restricted_test('call py3eval("expression")', 'E145:') ++endfunc ++ ++func Test_restricted_ruby() ++ if !has('ruby') ++ throw 'Skipped: Ruby is not supported' ++ endif ++ call Run_restricted_test('ruby print "Hello"', 'E981:') ++ call Run_restricted_test('rubydo print "Hello"', 'E981:') ++ call Run_restricted_test('rubyfile somefile', 'E981:') ++endfunc ++ ++func Test_restricted_tcl() ++ if !has('tcl') ++ throw 'Skipped: Tcl is not supported' ++ endif ++ call Run_restricted_test('tcl puts "Hello"', 'E981:') ++ call Run_restricted_test('tcldo puts "Hello"', 'E981:') ++ call Run_restricted_test('tclfile somefile', 'E981:') ++endfunc diff --git a/0001-patch-8.2.3487-illegal-memory-access-if-buffer-name-.patch b/0001-patch-8.2.3487-illegal-memory-access-if-buffer-name-.patch new file mode 100644 index 0000000..76018f9 --- /dev/null +++ b/0001-patch-8.2.3487-illegal-memory-access-if-buffer-name-.patch @@ -0,0 +1,35 @@ +diff -up vim80/src/screen.c.cve3872 vim80/src/screen.c +--- vim80/src/screen.c.cve3872 2021-10-21 13:20:27.694921335 +0200 ++++ vim80/src/screen.c 2021-10-21 13:22:42.221732996 +0200 +@@ -6911,13 +6911,13 @@ win_redr_status(win_T *wp) + *(p + len++) = ' '; + if (bt_help(wp->w_buffer)) + { +- STRCPY(p + len, _("[Help]")); ++ vim_snprintf((char *)p + len, MAXPATHL - len, "%s", _("[Help]")); + len += (int)STRLEN(p + len); + } + #ifdef FEAT_QUICKFIX + if (wp->w_p_pvw) + { +- STRCPY(p + len, _("[Preview]")); ++ vim_snprintf((char *)p + len, MAXPATHL - len, "%s", _("[Preview]")); + len += (int)STRLEN(p + len); + } + #endif +@@ -6927,12 +6927,12 @@ win_redr_status(win_T *wp) + #endif + ) + { +- STRCPY(p + len, "[+]"); +- len += 3; ++ vim_snprintf((char *)p + len, MAXPATHL - len, "%s", "[+]"); ++ len += (int)STRLEN(p + len); + } + if (wp->w_buffer->b_p_ro) + { +- STRCPY(p + len, _("[RO]")); ++ vim_snprintf((char *)p + len, MAXPATHL - len, "%s", _("[RO]")); + len += (int)STRLEN(p + len); + } + diff --git a/0001-patch-8.2.3625-illegal-memory-access-when-C-indentin.patch b/0001-patch-8.2.3625-illegal-memory-access-when-C-indentin.patch new file mode 100644 index 0000000..668ffe5 --- /dev/null +++ b/0001-patch-8.2.3625-illegal-memory-access-when-C-indentin.patch @@ -0,0 +1,34 @@ +diff --git a/src/misc1.c b/src/misc1.c +index de79c8e..1c5867d 100644 +--- a/src/misc1.c ++++ b/src/misc1.c +@@ -6792,7 +6792,7 @@ find_start_brace(void) /* XXX */ + && (pos = ind_find_start_CORS(NULL)) == NULL) /* XXX */ + break; + if (pos != NULL) +- curwin->w_cursor.lnum = pos->lnum; ++ curwin->w_cursor = *pos; + } + curwin->w_cursor = cursor_save; + return trypos; +diff --git a/src/testdir/test_cindent.vim b/src/testdir/test_cindent.vim +index 7c2c5e3..f8c7e57 100644 +--- a/src/testdir/test_cindent.vim ++++ b/src/testdir/test_cindent.vim +@@ -102,4 +102,16 @@ func Test_cindent_expr() + bw! + endfunc + ++func Test_find_brace_backwards() ++ " this was looking beyond the end of the line ++ new ++ norm R/* ++ norm o0{ ++ norm o// ++ norm V{= ++ call assert_equal(['/*', ' 0{', '//'], getline(1, 3)) ++ bwipe! ++endfunc ++ ++ + " vim: shiftwidth=2 sts=2 expandtab diff --git a/0001-patch-8.2.3669-buffer-overflow-with-long-help-argume.patch b/0001-patch-8.2.3669-buffer-overflow-with-long-help-argume.patch new file mode 100644 index 0000000..0cfaec6 --- /dev/null +++ b/0001-patch-8.2.3669-buffer-overflow-with-long-help-argume.patch @@ -0,0 +1,14 @@ +diff --git a/src/ex_cmds.c b/src/ex_cmds.c +index 1827fec..e69fbd3 100644 +--- a/src/ex_cmds.c ++++ b/src/ex_cmds.c +@@ -6537,8 +6537,7 @@ find_help_tags( + || (vim_strchr((char_u *)"%_z@", arg[1]) != NULL + && arg[2] != NUL))) + { +- STRCPY(d, "/\\\\"); +- STRCPY(d + 3, arg + 1); ++ vim_snprintf((char *)d, IOSIZE, "/\\\\%s", arg + 1); + /* Check for "/\\_$", should be "/\\_\$" */ + if (d[3] == '_' && d[4] == '$') + STRCPY(d + 4, "\\$"); diff --git a/0001-patch-8.2.3949-using-freed-memory-with-V.patch b/0001-patch-8.2.3949-using-freed-memory-with-V.patch new file mode 100644 index 0000000..c3f7bb1 --- /dev/null +++ b/0001-patch-8.2.3949-using-freed-memory-with-V.patch @@ -0,0 +1,45 @@ +diff -up vim80/src/regexp.c.cve4192 vim80/src/regexp.c +--- vim80/src/regexp.c.cve4192 2022-01-12 15:21:44.792239040 +0100 ++++ vim80/src/regexp.c 2022-01-12 15:34:35.190425880 +0100 +@@ -4203,9 +4203,9 @@ reg_match_visual(void) + if (lnum < top.lnum || lnum > bot.lnum) + return FALSE; + ++ col = (colnr_T)(reginput - regline); + if (mode == 'v') + { +- col = (colnr_T)(reginput - regline); + if ((lnum == top.lnum && col < top.col) + || (lnum == bot.lnum && col >= bot.col + (*p_sel != 'e'))) + return FALSE; +@@ -4220,7 +4220,12 @@ reg_match_visual(void) + end = end2; + if (top.col == MAXCOL || bot.col == MAXCOL) + end = MAXCOL; +- cols = win_linetabsize(wp, regline, (colnr_T)(reginput - regline)); ++ ++ // getvvcol() flushes rex.line, need to get it again ++ regline = reg_getline(reglnum); ++ reginput = regline + col; ++ ++ cols = win_linetabsize(wp, regline, col); + if (cols < start || cols > end - (*p_sel == 'e')) + return FALSE; + } +diff -up vim80/src/testdir/test_regexp_latin.vim.cve4192 vim80/src/testdir/test_regexp_latin.vim +--- vim80/src/testdir/test_regexp_latin.vim.cve4192 2022-01-12 15:21:44.792239040 +0100 ++++ vim80/src/testdir/test_regexp_latin.vim 2022-01-12 15:36:12.499693099 +0100 +@@ -80,3 +80,13 @@ func Test_using_invalid_visual_position( + /\%V + bwipe! + endfunc ++ ++func Test_using_visual_position() ++ " this was using freed memory ++ new ++ exe "norm 0o\\k\o0" ++ /\%V ++ bwipe! ++endfunc ++ ++" vim: shiftwidth=2 sts=2 expandtab diff --git a/0001-patch-8.2.3950-going-beyond-the-end-of-the-line-with.patch b/0001-patch-8.2.3950-going-beyond-the-end-of-the-line-with.patch new file mode 100644 index 0000000..485f00d --- /dev/null +++ b/0001-patch-8.2.3950-going-beyond-the-end-of-the-line-with.patch @@ -0,0 +1,38 @@ +diff -up vim80/src/charset.c.cve4193 vim80/src/charset.c +--- vim80/src/charset.c.cve4193 2022-01-12 14:49:08.710592947 +0100 ++++ vim80/src/charset.c 2022-01-12 14:49:47.594705863 +0100 +@@ -1291,10 +1291,15 @@ getvcol( + posptr = NULL; /* continue until the NUL */ + else + { +- /* Special check for an empty line, which can happen on exit, when +- * ml_get_buf() always returns an empty string. */ +- if (*ptr == NUL) +- pos->col = 0; ++ colnr_T i; ++ ++ // In a few cases the position can be beyond the end of the line. ++ for (i = 0; i < pos->col; ++i) ++ if (ptr[i] == NUL) ++ { ++ pos->col = i; ++ break; ++ } + posptr = ptr + pos->col; + #ifdef FEAT_MBYTE + if (has_mbyte) +diff -up vim80/src/testdir/test_regexp_latin.vim.cve4193 vim80/src/testdir/test_regexp_latin.vim +--- vim80/src/testdir/test_regexp_latin.vim.cve4193 2022-01-12 14:49:08.710592947 +0100 ++++ vim80/src/testdir/test_regexp_latin.vim 2022-01-12 14:50:45.186873107 +0100 +@@ -72,3 +72,11 @@ func Test_backref() + call assert_fails('call search("\\%#=2\\(e\\1\\)")', 'E65:') + bwipe! + endfunc ++ ++func Test_using_invalid_visual_position() ++ " this was going beyond the end of the line ++ new ++ exe "norm 0o000\0\$s0" ++ /\%V ++ bwipe! ++endfunc diff --git a/0001-patch-8.2.4120-block-insert-goes-over-the-end-of-the.patch b/0001-patch-8.2.4120-block-insert-goes-over-the-end-of-the.patch new file mode 100644 index 0000000..31d30c1 --- /dev/null +++ b/0001-patch-8.2.4120-block-insert-goes-over-the-end-of-the.patch @@ -0,0 +1,95 @@ +diff -up vim80/src/ops.c.cve0261 vim80/src/ops.c +--- vim80/src/ops.c.cve0261 2022-01-26 14:30:27.475308323 +0100 ++++ vim80/src/ops.c 2022-01-26 14:34:16.650933713 +0100 +@@ -636,23 +636,30 @@ block_insert( + if (b_insert) + { + off = (*mb_head_off)(oldp, oldp + offset + spaces); ++ spaces -= off; ++ count -= off; + } + else + { +- off = (*mb_off_next)(oldp, oldp + offset); +- offset += off; ++ // spaces fill the gap, the character that's at the edge moves ++ // right ++ off = (*mb_head_off)(oldp, oldp + offset); ++ offset -= off; + } + spaces -= off; + count -= off; + } + #endif + +- newp = alloc_check((unsigned)(STRLEN(oldp)) + s_len + count + 1); ++ // Make sure the allocated size matches what is actually copied below. ++ newp = alloc(STRLEN(oldp) + spaces + s_len ++ + (spaces > 0 && !bdp->is_short ? p_ts - spaces : 0) ++ + count + 1); + if (newp == NULL) + continue; + + /* copy up to shifted part */ +- mch_memmove(newp, oldp, (size_t)(offset)); ++ mch_memmove(newp, oldp, (size_t)offset); + oldp += offset; + + /* insert pre-padding */ +@@ -662,14 +669,21 @@ block_insert( + mch_memmove(newp + offset + spaces, s, (size_t)s_len); + offset += s_len; + +- if (spaces && !bdp->is_short) ++ if (spaces > 0 && !bdp->is_short) + { +- /* insert post-padding */ +- vim_memset(newp + offset + spaces, ' ', (size_t)(p_ts - spaces)); +- /* We're splitting a TAB, don't copy it. */ +- oldp++; +- /* We allowed for that TAB, remember this now */ +- count++; ++ if (*oldp == TAB) ++ { ++ // insert post-padding ++ vim_memset(newp + offset + spaces, ' ', ++ (size_t)(p_ts - spaces)); ++ // we're splitting a TAB, don't copy it ++ oldp++; ++ // We allowed for that TAB, remember this now ++ count++; ++ } ++ else ++ // Not a TAB, no extra spaces ++ count = spaces; + } + + if (spaces > 0) +@@ -2738,9 +2752,9 @@ op_insert(oparg_T *oap, long count1) + oap->start_vcol = t; + } + else if (oap->op_type == OP_APPEND +- && oap->end.col ++ && oap->start.col + #ifdef FEAT_VIRTUALEDIT +- + oap->end.coladd ++ + oap->start.coladd + #endif + >= curbuf->b_op_start_orig.col + #ifdef FEAT_VIRTUALEDIT +diff -up vim80/src/testdir/test_visual.vim.cve0261 vim80/src/testdir/test_visual.vim +--- vim80/src/testdir/test_visual.vim.cve0261 2022-01-26 14:30:27.476308325 +0100 ++++ vim80/src/testdir/test_visual.vim 2022-01-26 14:36:03.482225225 +0100 +@@ -254,3 +254,12 @@ func Test_virtual_replace2() + %d_ + set bs&vim + endfunc ++ ++func Test_visual_block_append_invalid_char() ++ " this was going over the end of the line ++ new ++ call setline(1, [' let xxx', 'xxxxxˆ', 'xxxxxxxxxxx']) ++ exe "normal 0\jjA-\" ++ call assert_equal([' - let xxx', 'xxxxx -ˆ', 'xxxxxxxx-xxx'], getline(1, 3)) ++ bwipe! ++endfunc diff --git a/0001-patch-8.2.4151-reading-beyond-the-end-of-a-line.patch b/0001-patch-8.2.4151-reading-beyond-the-end-of-a-line.patch new file mode 100644 index 0000000..8e92918 --- /dev/null +++ b/0001-patch-8.2.4151-reading-beyond-the-end-of-a-line.patch @@ -0,0 +1,46 @@ +diff --git a/src/ops.c b/src/ops.c +index e9cfb1d..e35b033 100644 +--- a/src/ops.c ++++ b/src/ops.c +@@ -629,26 +629,9 @@ block_insert( + + #ifdef FEAT_MBYTE + if (has_mbyte && spaces > 0) +- { +- int off; ++ // avoid copying part of a multi-byte character ++ offset -= (*mb_head_off)(oldp, oldp + offset); + +- /* Avoid starting halfway a multi-byte character. */ +- if (b_insert) +- { +- off = (*mb_head_off)(oldp, oldp + offset + spaces); +- spaces -= off; +- count -= off; +- } +- else +- { +- // spaces fill the gap, the character that's at the edge moves +- // right +- off = (*mb_head_off)(oldp, oldp + offset); +- offset -= off; +- } +- spaces -= off; +- count -= off; +- } + #endif + + // Make sure the allocated size matches what is actually copied below. +diff --git a/src/testdir/test_utf8.vim b/src/testdir/test_utf8.vim +index 24e3db8..1042720 100644 +--- a/src/testdir/test_utf8.vim ++++ b/src/testdir/test_utf8.vim +@@ -9,7 +9,7 @@ func Test_visual_block_insert() + new + call setline(1, ["aaa", "あああ", "bbb"]) + exe ":norm! gg0l\jjIx\" +- call assert_equal(['axaa', 'xあああ', 'bxbb'], getline(1, '$')) ++ call assert_equal(['axaa', ' xあああ', 'bxbb'], getline(1, '$')) + bwipeout! + endfunc + diff --git a/0001-patch-8.2.4214-illegal-memory-access-with-large-tabs.patch b/0001-patch-8.2.4214-illegal-memory-access-with-large-tabs.patch new file mode 100644 index 0000000..98e738c --- /dev/null +++ b/0001-patch-8.2.4214-illegal-memory-access-with-large-tabs.patch @@ -0,0 +1,12 @@ +diff -up vim80/src/ex_getln.c.cve0359 vim80/src/ex_getln.c +--- vim80/src/ex_getln.c.cve0359 2022-01-27 16:55:41.386213891 +0100 ++++ vim80/src/ex_getln.c 2022-01-27 17:00:20.330960544 +0100 +@@ -300,7 +300,7 @@ getcmdline( + ccline.cmdindent = (firstc > 0 ? indent : 0); + + /* alloc initial ccline.cmdbuff */ +- alloc_cmdbuff(exmode_active ? 250 : indent + 1); ++ alloc_cmdbuff(indent + 50); + if (ccline.cmdbuff == NULL) + return NULL; /* out of memory */ + ccline.cmdlen = ccline.cmdpos = 0; diff --git a/0001-patch-8.2.4215-illegal-memory-access-when-copying-li.patch b/0001-patch-8.2.4215-illegal-memory-access-when-copying-li.patch new file mode 100644 index 0000000..604a8ff --- /dev/null +++ b/0001-patch-8.2.4215-illegal-memory-access-when-copying-li.patch @@ -0,0 +1,33 @@ +diff -up vim80/src/ex_cmds.c.cve0361 vim80/src/ex_cmds.c +--- vim80/src/ex_cmds.c.cve0361 2022-02-08 12:20:51.277666290 +0100 ++++ vim80/src/ex_cmds.c 2022-02-08 12:20:51.280666209 +0100 +@@ -983,6 +983,8 @@ ex_copy(linenr_T line1, linenr_T line2, + } + + appended_lines_mark(n, count); ++ if (VIsual_active) ++ check_pos(curbuf, &VIsual); + + msgmore((long)count); + } +diff -up vim80/src/testdir/test_visual.vim.cve0361 vim80/src/testdir/test_visual.vim +--- vim80/src/testdir/test_visual.vim.cve0361 2022-02-08 12:20:51.280666209 +0100 ++++ vim80/src/testdir/test_visual.vim 2022-02-08 12:21:44.530356814 +0100 +@@ -263,3 +263,17 @@ func Test_visual_block_append_invalid_ch + call assert_equal([' - let xxx', 'xxxxx -ˆ', 'xxxxxxxx-xxx'], getline(1, 3)) + bwipe! + endfunc ++ ++" this was leaving the end of the Visual area beyond the end of a line ++func Test_visual_ex_copy_line() ++ new ++ call setline(1, ["aaa", "bbbbbbbbbxbb"]) ++ /x ++ exe "normal ggvjfxO" ++ t0 ++ normal gNU ++ bwipe! ++endfunc ++ ++ ++" vim: shiftwidth=2 sts=2 expandtab diff --git a/0001-patch-8.2.4218-illegal-memory-access-with-bracketed-.patch b/0001-patch-8.2.4218-illegal-memory-access-with-bracketed-.patch new file mode 100644 index 0000000..8cb7a44 --- /dev/null +++ b/0001-patch-8.2.4218-illegal-memory-access-with-bracketed-.patch @@ -0,0 +1,85 @@ +commit ec45bc7682fd698d8d39f43732129c4d092355f3 +Author: Tomas Korbar +Date: Wed Feb 2 16:30:11 2022 +0100 + + Fix illegal memory access with bracketed paste in Ex mode + +diff --git a/src/edit.c b/src/edit.c +index f29fbc7..57b8dce 100644 +--- a/src/edit.c ++++ b/src/edit.c +@@ -9519,27 +9519,33 @@ bracketed_paste(paste_mode_T mode, int drop, garray_T *gap) + int ret_char = -1; + int save_allow_keys = allow_keys; + int save_paste = p_paste; +- int save_ai = curbuf->b_p_ai; + +- /* If the end code is too long we can't detect it, read everything. */ +- if (STRLEN(end) >= NUMBUFLEN) ++ // If the end code is too long we can't detect it, read everything. ++ if (end != NULL && STRLEN(end) >= NUMBUFLEN) + end = NULL; + ++no_mapping; + allow_keys = 0; +- p_paste = TRUE; +- curbuf->b_p_ai = FALSE; ++ if (!p_paste) ++ // Also have the side effects of setting 'paste' to make it work much ++ // faster. ++ set_option_value((char_u *)"paste", TRUE, NULL, 0); + + for (;;) + { + /* When the end is not defined read everything. */ + if (end == NULL && vpeekc() == NUL) + break; +- c = plain_vgetc(); +-#ifdef FEAT_MBYTE ++ do ++ c = vgetc(); ++ while (c == K_IGNORE || c == K_VER_SCROLLBAR || c == K_HOR_SCROLLBAR); ++ if (c == NUL || got_int || (ex_normal_busy > 0 && c == Ctrl_C)) ++ // When CTRL-C was encountered the typeahead will be flushed and we ++ // won't get the end sequence. Except when using ":normal". ++ break; ++ + if (has_mbyte) + idx += (*mb_char2bytes)(c, buf + idx); + else +-#endif + buf[idx++] = c; + buf[idx] = NUL; + if (end != NULL && STRNCMP(buf, end, idx) == 0) +@@ -9557,7 +9563,8 @@ bracketed_paste(paste_mode_T mode, int drop, garray_T *gap) + break; + + case PASTE_EX: +- if (gap != NULL && ga_grow(gap, idx) == OK) ++ // add one for the NUL that is going to be appended ++ if (gap != NULL && ga_grow(gap, idx + 1) == OK) + { + mch_memmove((char *)gap->ga_data + gap->ga_len, + buf, (size_t)idx); +@@ -9582,11 +9589,9 @@ bracketed_paste(paste_mode_T mode, int drop, garray_T *gap) + case PASTE_ONE_CHAR: + if (ret_char == -1) + { +-#ifdef FEAT_MBYTE + if (has_mbyte) + ret_char = (*mb_ptr2char)(buf); + else +-#endif + ret_char = buf[0]; + } + break; +@@ -9597,8 +9602,8 @@ bracketed_paste(paste_mode_T mode, int drop, garray_T *gap) + + --no_mapping; + allow_keys = save_allow_keys; +- p_paste = save_paste; +- curbuf->b_p_ai = save_ai; ++ if (!save_paste) ++ set_option_value((char_u *)"paste", FALSE, NULL, 0); + + return ret_char; + } diff --git a/0001-patch-8.2.4253-using-freed-memory-when-substitute-wi.patch b/0001-patch-8.2.4253-using-freed-memory-when-substitute-wi.patch new file mode 100644 index 0000000..b37d821 --- /dev/null +++ b/0001-patch-8.2.4253-using-freed-memory-when-substitute-wi.patch @@ -0,0 +1,51 @@ +commit c604f3ad4782fde770617ff688e1ceac0dc1bd7c +Author: Tomas Korbar +Date: Thu Feb 3 10:14:42 2022 +0100 + + Fix using freed memory when substitute with function call + +diff --git a/src/ex_cmds.c b/src/ex_cmds.c +index e69fbd3..0788573 100644 +--- a/src/ex_cmds.c ++++ b/src/ex_cmds.c +@@ -4767,6 +4767,7 @@ do_sub(exarg_T *eap) + int save_do_all; /* remember user specified 'g' flag */ + int save_do_ask; /* remember user specified 'c' flag */ + char_u *pat = NULL, *sub = NULL; /* init for GCC */ ++ char_u *sub_copy = NULL; + int delimiter; + int sublen; + int got_quit = FALSE; +@@ -5062,11 +5063,20 @@ do_sub(exarg_T *eap) + sub_firstline = NULL; + + /* +- * ~ in the substitute pattern is replaced with the old pattern. +- * We do it here once to avoid it to be replaced over and over again. +- * But don't do it when it starts with "\=", then it's an expression. ++ * If the substitute pattern starts with "\=" then it's an expression. ++ * Make a copy, a recursive function may free it. ++ * Otherwise, '~' in the substitute pattern is replaced with the old ++ * pattern. We do it here once to avoid it to be replaced over and over ++ * again. + */ +- if (!(sub[0] == '\\' && sub[1] == '=')) ++ if (sub[0] == '\\' && sub[1] == '=') ++ { ++ sub = vim_strsave(sub); ++ if (sub == NULL) ++ return; ++ sub_copy = sub; ++ } ++ else + sub = regtilde(sub, p_magic); + + /* +@@ -5825,6 +5835,7 @@ outofmem: + #endif + + vim_regfree(regmatch.regprog); ++ vim_free(sub_copy); + + /* Restore the flag values, they can be used for ":&&". */ + subflags.do_all = save_do_all; diff --git a/0001-patch-8.2.4646-using-buffer-line-after-it-has-been-f.patch b/0001-patch-8.2.4646-using-buffer-line-after-it-has-been-f.patch new file mode 100644 index 0000000..a2eb48b --- /dev/null +++ b/0001-patch-8.2.4646-using-buffer-line-after-it-has-been-f.patch @@ -0,0 +1,22 @@ +diff -up vim80/src/regexp.c.cve1154 vim80/src/regexp.c +--- vim80/src/regexp.c.cve1154 2022-04-09 12:01:30.054452927 +0200 ++++ vim80/src/regexp.c 2022-04-09 12:02:48.987999877 +0200 +@@ -4415,8 +4415,17 @@ regmatch( + int mark = OPERAND(scan)[0]; + int cmp = OPERAND(scan)[1]; + pos_T *pos; ++ size_t col = REG_MULTI ? reginput - regline : 0; + + pos = getmark_buf(rex.reg_buf, mark, FALSE); ++ ++ // Line may have been freed, get it again. ++ if (REG_MULTI) ++ { ++ regline = reg_getline(reglnum); ++ reginput = regline + col; ++ } ++ + if (pos == NULL /* mark doesn't exist */ + || pos->lnum <= 0 /* mark isn't set in reg_buf */ + || (pos->lnum == reglnum + rex.reg_firstlnum +diff -up vim80/src/testdir/test_regexp_latin.vim.cve1154 vim80/src/testdir/test_regexp_latin.vim diff --git a/0001-patch-8.2.4919-can-add-invalid-bytes-with-spellgood.patch b/0001-patch-8.2.4919-can-add-invalid-bytes-with-spellgood.patch new file mode 100644 index 0000000..e998524 --- /dev/null +++ b/0001-patch-8.2.4919-can-add-invalid-bytes-with-spellgood.patch @@ -0,0 +1,54 @@ +diff -up vim80/src/globals.h.cve1621 vim80/src/globals.h +--- vim80/src/globals.h.cve1621 2022-05-24 12:46:44.883952323 +0200 ++++ vim80/src/globals.h 2022-05-24 12:47:30.534183523 +0200 +@@ -1657,6 +1657,11 @@ EXTERN int *eval_lavars_used INIT(= NULL + EXTERN int ctrl_break_was_pressed INIT(= FALSE); + #endif + ++#ifdef FEAT_SPELL ++EXTERN char e_illegal_character_in_word[] ++ INIT(= N_("E1280: Illegal character in word")); ++#endif ++ + /* + * Optional Farsi support. Include it here, so EXTERN and INIT are defined. + */ +diff -up vim80/src/mbyte.c.cve1621 vim80/src/mbyte.c +--- vim80/src/mbyte.c.cve1621 2018-04-09 14:55:56.000000000 +0200 ++++ vim80/src/mbyte.c 2022-05-24 12:22:13.166893098 +0200 +@@ -4034,7 +4034,7 @@ theend: + convert_setup(&vimconv, NULL, NULL); + } + +-#if defined(FEAT_GUI_GTK) || defined(PROTO) ++#if defined(FEAT_GUI_GTK) || defined(FEAT_SPELL) || defined(PROTO) + /* + * Return TRUE if string "s" is a valid utf-8 string. + * When "end" is NULL stop at the first NUL. +diff -up vim80/src/spellfile.c.cve1621 vim80/src/spellfile.c +--- vim80/src/spellfile.c.cve1621 2022-05-24 12:22:13.167893104 +0200 ++++ vim80/src/spellfile.c 2022-05-24 12:49:55.816919350 +0200 +@@ -4441,6 +4441,10 @@ store_word( + int res = OK; + char_u *p; + ++ // Avoid adding illegal bytes to the word tree. ++ if (enc_utf8 && !utf_valid_string(word, NULL)) ++ return FAIL; ++ + (void)spell_casefold(word, len, foldword, MAXWLEN); + for (p = pfxlist; res == OK; ++p) + { +@@ -6251,6 +6255,12 @@ spell_add_word( + int i; + char_u *spf; + ++ if (enc_utf8 && !utf_valid_string(word, NULL)) ++ { ++ emsg(_(e_illegal_character_in_word)); ++ return; ++ } ++ + if (idx == 0) /* use internal wordlist */ + { + if (int_wordlist == NULL) diff --git a/0001-patch-8.2.4925-trailing-backslash-may-cause-reading-.patch b/0001-patch-8.2.4925-trailing-backslash-may-cause-reading-.patch new file mode 100644 index 0000000..6ce497f --- /dev/null +++ b/0001-patch-8.2.4925-trailing-backslash-may-cause-reading-.patch @@ -0,0 +1,15 @@ +diff -up vim80/src/search.c.cve1629 vim80/src/search.c +--- vim80/src/search.c.cve1629 2022-05-24 13:55:06.789859865 +0200 ++++ vim80/src/search.c 2022-05-24 13:56:31.889218958 +0200 +@@ -4349,7 +4349,11 @@ find_next_quote( + if (c == NUL) + return -1; + else if (escape != NULL && vim_strchr(escape, c)) ++ { + ++col; ++ if (line[col] == NUL) ++ return -1; ++ } + else if (c == quotechar) + break; + #ifdef FEAT_MBYTE diff --git a/download b/download new file mode 100644 index 0000000..1ff0096 --- /dev/null +++ b/download @@ -0,0 +1 @@ +44d6e48cd0af44856aba4aef224d1719 vim-8.0-1763.tar.bz2 diff --git a/vim-cve3778-fix.patch b/vim-cve3778-fix.patch new file mode 100644 index 0000000..a482b38 --- /dev/null +++ b/vim-cve3778-fix.patch @@ -0,0 +1,13 @@ +diff -up vim80/src/regexp_nfa.c.cve3796-fix vim80/src/regexp_nfa.c +--- vim80/src/regexp_nfa.c.cve3796-fix 2021-09-20 08:27:13.752604505 +0200 ++++ vim80/src/regexp_nfa.c 2021-09-20 08:29:10.206546910 +0200 +@@ -5493,7 +5493,8 @@ find_match_text(colnr_T startcol, int re + match = FALSE; + break; + } +- len2 += MB_CHAR2LEN(c2); ++ len2 += enc_utf8 ? utf_ptr2len(regline + col + len2) ++ : MB_CHAR2LEN(c2); + } + if (match + #ifdef FEAT_MBYTE diff --git a/vim-cve3796.patch b/vim-cve3796.patch new file mode 100644 index 0000000..ca41acf --- /dev/null +++ b/vim-cve3796.patch @@ -0,0 +1,51 @@ +diff --git a/src/normal.c b/src/normal.c +index be0e75e..7d62e20 100644 +--- a/src/normal.c ++++ b/src/normal.c +@@ -7147,19 +7147,23 @@ nv_replace(cmdarg_T *cap) + { + /* + * Get ptr again, because u_save and/or showmatch() will have +- * released the line. At the same time we let know that the +- * line will be changed. ++ * released the line. This may also happen in ins_copychar(). ++ * At the same time we let know that the line will be changed. + */ +- ptr = ml_get_buf(curbuf, curwin->w_cursor.lnum, TRUE); + if (cap->nchar == Ctrl_E || cap->nchar == Ctrl_Y) + { + int c = ins_copychar(curwin->w_cursor.lnum + + (cap->nchar == Ctrl_Y ? -1 : 1)); ++ ++ ptr = ml_get_buf(curbuf, curwin->w_cursor.lnum, TRUE); + if (c != NUL) + ptr[curwin->w_cursor.col] = c; + } + else ++ { ++ ptr = ml_get_buf(curbuf, curwin->w_cursor.lnum, TRUE); + ptr[curwin->w_cursor.col] = cap->nchar; ++ } + if (p_sm && msg_silent == 0) + showmatch(cap->nchar); + ++curwin->w_cursor.col; +diff --git a/src/testdir/test_edit.vim b/src/testdir/test_edit.vim +index 7278bcd..8818805 100644 +--- a/src/testdir/test_edit.vim ++++ b/src/testdir/test_edit.vim +@@ -1387,3 +1387,15 @@ func Test_edit_quit() + only + endfunc + ++" Test for getting the character of the line below after "p" ++func Test_edit_put_CTRL_E() ++ set encoding=latin1 ++ new ++ let @" = '' ++ sil! norm orggRx ++ sil! norm pr ++ call assert_equal(['r', 'r'], getline(1, 2)) ++ bwipe! ++ set encoding=utf-8 ++endfunc ++ diff --git a/vim.spec b/vim.spec index 722852f..4c78012 100644 --- a/vim.spec +++ b/vim.spec @@ -1,4 +1,3 @@ -%define anolis_release .0.1 %define patchlevel 1763 %if %{?WITH_SELINUX:0}%{!?WITH_SELINUX:1} %define WITH_SELINUX 1 @@ -25,7 +24,7 @@ Summary: The VIM editor URL: http://www.vim.org/ Name: vim Version: %{baseversion}.%{patchlevel} -Release: 13%{anolis_release}%{?dist} +Release: 19%{?dist}.2 License: Vim and MIT Source0: ftp://ftp.vim.org/pub/vim/unix/vim-%{baseversion}-%{patchlevel}.tar.bz2 Source1: vim.sh @@ -74,11 +73,39 @@ Patch3018: vim-covscan.patch Patch3019: 0001-patch-8.1.1365-source-command-doesn-t-check-for-the-.patch # 1605095 - vim: should not re-implement crypto Patch3020: vim-crypto-warning.patch - -# Add by Anolis -# backport patch to fix build error with ruby -Patch10000: 0001-vim-anolis-build-with-ruby26.patch -# End +# 1842755 - CVE-2019-20807 +Patch3021: 0001-patch-8.1.0881-can-execute-shell-commands-in-rvim-th.patch +# 2004975 - CVE-2021-3796 vim: use-after-free in nv_replace() in normal.c [rhel-8.6.0] +Patch3022: vim-cve3796.patch +# 2004892 - CVE-2021-3778 vim: heap-based buffer overflow in utf_ptr2char() in mbyte.c [rhel-8.6.0] +Patch3023: vim-cve3778-fix.patch +Patch3024: 0001-patch-8.2.3487-illegal-memory-access-if-buffer-name-.patch +# 2028341 - CVE-2021-3984 vim: illegal memory access when C-indenting could lead to Heap Buffer Overflow [rhel-8.6.0] +Patch3025: 0001-patch-8.2.3625-illegal-memory-access-when-C-indentin.patch +# 2028430 - CVE-2021-4019 vim: heap-based buffer overflow in find_help_tags() in src/help.c [rhel-8.6.0] +Patch3026: 0001-patch-8.2.3669-buffer-overflow-with-long-help-argume.patch +# CVE-2021-4193 vim: vulnerable to Out-of-bounds Read +Patch3027: 0001-patch-8.2.3950-going-beyond-the-end-of-the-line-with.patch +# CVE-2021-4192 vim: vulnerable to Use After Free +Patch3028: 0001-patch-8.2.3949-using-freed-memory-with-V.patch +# CVE-2022-0261 vim: Heap-based Buffer Overflow in block_insert() in src/ops.c +Patch3029: 0001-patch-8.2.4120-block-insert-goes-over-the-end-of-the.patch +# CVE-2022-0318 vim: heap-based buffer overflow in utf_head_off() in mbyte.c +Patch3030: 0001-patch-8.2.4151-reading-beyond-the-end-of-a-line.patch +# CVE-2022-0359 vim: heap-based buffer overflow in init_ccline() in ex_getln.c +Patch3031: 0001-patch-8.2.4214-illegal-memory-access-with-large-tabs.patch +# CVE-2022-0392 vim: heap-based buffer overflow in getexmodeline() in ex_getln.c +Patch3032: 0001-patch-8.2.4218-illegal-memory-access-with-bracketed-.patch +# CVE-2022-0413 vim: use after free in src/ex_cmds.c +Patch3033: 0001-patch-8.2.4253-using-freed-memory-when-substitute-wi.patch +# CVE-2022-0361 vim: Heap-based Buffer Overflow in GitHub repository +Patch3034: 0001-patch-8.2.4215-illegal-memory-access-when-copying-li.patch +# CVE-2022-1154 vim: use after free in utf_ptr2char +Patch3035: 0001-patch-8.2.4646-using-buffer-line-after-it-has-been-f.patch +# CVE-2022-1621 vim: heap buffer overflow +Patch3036: 0001-patch-8.2.4919-can-add-invalid-bytes-with-spellgood.patch +# CVE-2022-1629 vim: buffer over-read +Patch3037: 0001-patch-8.2.4925-trailing-backslash-may-cause-reading-.patch # gcc is no longer in buildroot by default BuildRequires: gcc @@ -276,8 +303,23 @@ perl -pi -e "s,bin/nawk,bin/awk,g" runtime/tools/mve.awk %patch3018 -p1 %patch3019 -p1 -b .cve %patch3020 -p1 -b .crypto-warning - -%patch10000 -p1 +%patch3021 -p1 -b .rvim +%patch3022 -p1 -b .cve3796 +%patch3023 -p1 -b .cve3778 +%patch3024 -p1 -b .cve3872 +%patch3025 -p1 -b .cve3984 +%patch3026 -p1 -b .cve4019 +%patch3027 -p1 -b .cve4193 +%patch3028 -p1 -b .cve4192 +%patch3029 -p1 -b .cve0261 +%patch3030 -p1 -b .cve0318 +%patch3031 -p1 -b .cve0359 +%patch3032 -p1 -b .cve0392 +%patch3033 -p1 -b .cve0413 +%patch3034 -p1 -b .cve0361 +%patch3035 -p1 -b .cve1154 +%patch3036 -p1 -b .cve1621 +%patch3037 -p1 -b .cve1629 %build %if 0%{?rhel} > 7 @@ -308,8 +350,8 @@ perl -pi -e "s/vimrc/virc/" os_unix.h --disable-pythoninterp --disable-perlinterp --disable-tclinterp \ --with-tlib=ncurses --enable-gui=no --disable-gpm --exec-prefix=/ \ --enable-fips-warning \ - --with-compiledby="OpenAnolis Community" \ - --with-modified-by="OpenAnolis Community" + --with-compiledby="" \ + --with-modified-by="" make VIMRCLOC=/etc VIMRUNTIMEDIR=/usr/share/vim/%{vimdir} %{?_smp_mflags} cp vim minimal-vim @@ -327,8 +369,8 @@ mv -f ex_cmds.c.save ex_cmds.c --with-tlib=ncurses \ --enable-gtk3-check --enable-gui=gtk3 \ --enable-fips-warning \ - --with-compiledby="OpenAnolis Community" --enable-cscope \ - --with-modified-by="OpenAnolis Community" \ + --with-compiledby="" --enable-cscope \ + --with-modified-by="" \ %if "%{withnetbeans}" == "1" --enable-netbeans \ %else @@ -362,10 +404,10 @@ make clean --disable-tclinterp \ --with-x=no \ --enable-gui=no --exec-prefix=%{_prefix} --enable-multibyte \ - --enable-cscope --with-modified-by="OpenAnolis Community" \ + --enable-cscope --with-modified-by="" \ --with-tlib=ncurses \ --enable-fips-warning \ - --with-compiledby="OpenAnolis Community" \ + --with-compiledby="" \ %if "%{withnetbeans}" == "1" --enable-netbeans \ %else @@ -557,16 +599,6 @@ rm -f %{buildroot}/%{_datadir}/vim/%{vimdir}/macros/maze/maze*.c rm -rf %{buildroot}/%{_datadir}/vim/%{vimdir}/tools rm -rf %{buildroot}/%{_datadir}/vim/%{vimdir}/doc/vim2html.pl rm -f %{buildroot}/%{_datadir}/vim/%{vimdir}/tutor/tutor.gr.utf-8~ -( cd %{buildroot}/%{_mandir} - for i in `find ??/ -type f`; do - if [[ "`file $i`" == *UTF-8\ Unicode\ text* ]]; then - continue - fi - bi=`basename $i` - iconv -f latin1 -t UTF8 $i > %{buildroot}/$bi - mv -f %{buildroot}/$bi $i - done -) # Remove not UTF-8 manpages for i in pl.ISO8859-2 it.ISO8859-1 ru.KOI8-R fr.ISO8859-1; do @@ -806,9 +838,48 @@ touch %{buildroot}/%{_datadir}/%{name}/vimfiles/doc/tags %{_datadir}/icons/locolor/*/apps/* %changelog -* Thu Jan 28 2021 Mahailiang - 2:8.0.1763-13.0.1 -- Rebrand to Anolis -- Fix build issue with ruby +* Wed May 25 2022 Zdenek Dohnal - 2:8.0.1763-19.2 +- CVE-2022-1621 vim: heap buffer overflow +- CVE-2022-1629 vim: buffer over-read + +* Sat Apr 09 2022 Zdenek Dohnal - 2:8.0.1763-19.1 +- CVE-2022-1154 vim: use after free in utf_ptr2char + +* Tue Feb 08 2022 Zdenek Dohnal - 2:8.0.1763-19 +- CVE-2022-0361 vim: Heap-based Buffer Overflow in GitHub repository + +* Mon Feb 07 2022 Zdenek Dohnal - 2:8.0.1763-18 +- CVE-2022-0392 vim: heap-based buffer overflow in getexmodeline() in ex_getln.c +- CVE-2022-0413 vim: use after free in src/ex_cmds.c + +* Thu Jan 27 2022 Zdenek Dohnal - 2:8.0.1763-18 +- fix test suite after fix for CVE-2022-0318 +- CVE-2022-0359 vim: heap-based buffer overflow in init_ccline() in ex_getln.c + +* Wed Jan 12 2022 Zdenek Dohnal - 2:8.0.1763-18 +- CVE-2022-0261 vim: Heap-based Buffer Overflow in block_insert() in src/ops.c +- CVE-2022-0318 vim: heap-based buffer overflow in utf_head_off() in mbyte.c + +* Wed Jan 12 2022 Zdenek Dohnal - 2:8.0.1763-18 +- CVE-2021-4193 vim: vulnerable to Out-of-bounds Read +- CVE-2021-4192 vim: vulnerable to Use After Free + +* Fri Dec 03 2021 Zdenek Dohnal - 2:8.0.1763-18 +- 2028341 - CVE-2021-3984 vim: illegal memory access when C-indenting could lead to Heap Buffer Overflow [rhel-8.6.0] +- 2028430 - CVE-2021-4019 vim: heap-based buffer overflow in find_help_tags() in src/help.c [rhel-8.6.0] + +* Tue Oct 26 2021 Zdenek Dohnal - 2:8.0.1763-17 +- 2016201 - CVE-2021-3872 vim: heap-based buffer overflow in win_redr_status() drawscreen.c [rhel-8.6.0] + +* Thu Sep 23 2021 Zdenek Dohnal - 2:8.0.1763-16 +- 2004975 - CVE-2021-3796 vim: use-after-free in nv_replace() in normal.c [rhel-8.6.0] +- 2004892 - CVE-2021-3778 vim: heap-based buffer overflow in utf_ptr2char() in mbyte.c [rhel-8.6.0] + +* Tue Jun 02 2020 Zdenek Dohnal - 2:8.0.1763-15 +- 1842755 - CVE-2019-20807 + +* Mon Feb 10 2020 Zdenek Dohnal - 2:8.0.1763-14 +- 1745476 - manpage of vim is garbled in Japanese locale * Tue Jul 23 2019 Zdenek Dohnal - 2:8.0.1763-13 - fixing covscan issues raised by previous commit -- Gitee