expat: Upgrade 2.4.2 -> 2.4.3
[thirdparty/openembedded/openembedded-core.git] / meta / recipes-support / vim / files / b7081e135a16091c93f6f5f7525a5c58fb7ca9f9.patch
1 From b7081e135a16091c93f6f5f7525a5c58fb7ca9f9 Mon Sep 17 00:00:00 2001
2 From: Bram Moolenaar <Bram@vim.org>
3 Date: Sat, 4 Sep 2021 18:47:28 +0200
4 Subject: [PATCH] patch 8.2.3402: invalid memory access when using :retab with
5 large value
6
7 Problem: Invalid memory access when using :retab with large value.
8 Solution: Check the number is positive.
9
10 CVE: CVE-2021-3770
11 Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
12 Upstream-Status: Backport [https://github.com/vim/vim/commit/b7081e135a16091c93f6f5f7525a5c58fb7ca9f9]
13 ---
14 src/indent.c | 34 +++++++++++++++++++++-------------
15 src/option.c | 12 ++++++------
16 src/optionstr.c | 4 ++--
17 src/testdir/test_retab.vim | 3 +++
18 src/version.c | 2 ++
19 5 files changed, 34 insertions(+), 21 deletions(-)
20
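--- a/src/indent.c
+++ b/src/indent.c
@@ -18,18 +18,19 @@
 /*
 * Set the integer values corresponding to the string setting of 'vartabstop'.
 * "array" will be set, caller must free it if needed.
+ * Return FAIL for an error.
 */
 int
 tabstop_set(char_u *var, int **array)
 {
- int valcount = 1;
- int t;
- char_u *cp;
+ int valcount = 1;
+ int t;
+ char_u *cp;
 
 if (var[0] == NUL || (var[0] == '0' && var[1] == NUL))
 {
 *array = NULL;
- return TRUE;
+ return OK;
 }
 
 for (cp = var; *cp != NUL; ++cp)
@@ -43,8 +44,8 @@ tabstop_set(char_u *var, int **array)
 if (cp != end)
 emsg(_(e_positive));
 else
- emsg(_(e_invarg));
- return FALSE;
+ semsg(_(e_invarg2), cp);
+ return FAIL;
 }
 }
 
@@ -55,26 +56,33 @@ tabstop_set(char_u *var, int **array)
 ++valcount;
 continue;
 }
- emsg(_(e_invarg));
- return FALSE;
+ semsg(_(e_invarg2), var);
+ return FAIL;
 }
 
 *array = ALLOC_MULT(int, valcount + 1);
 if (*array == NULL)
- return FALSE;
+ return FAIL;
 (*array)[0] = valcount;
 
 t = 1;
 for (cp = var; *cp != NUL;)
 {
- (*array)[t++] = atoi((char *)cp);
- while (*cp != NUL && *cp != ',')
+ int n = atoi((char *)cp);
+
+ if (n < 0 || n > 9999)
+ {
+ semsg(_(e_invarg2), cp);
+ return FAIL;
+ }
+ (*array)[t++] = n;
+ while (*cp != NUL && *cp != ',')
 ++cp;
 if (*cp != NUL)
 ++cp;
 }
 
- return TRUE;
+ return OK;
 }
 
 /*
@@ -1556,7 +1564,7 @@ ex_retab(exarg_T *eap)
 
 #ifdef FEAT_VARTABS
 new_ts_str = eap->arg;
- if (!tabstop_set(eap->arg, &new_vts_array))
+ if (tabstop_set(eap->arg, &new_vts_array) == FAIL)
 return;
 while (vim_isdigit(*(eap->arg)) || *(eap->arg) == ',')
 ++(eap->arg);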
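Review bot: The new range check in tabstop_set returns FAIL after `*array = ALLOC_MULT(int, valcount + 1)` has already run, so on that path the caller is handed a freshly allocated, only partly filled array, and ex_retab's `== FAIL) return;` drops it without freeing. Releasing it before the return would close that: `vim_free(*array); *array = NULL;` ahead of `return FAIL;` inside the `if (n < 0 || n > 9999)` block. The same path matters for the `== OK` callers in src/optionstr.c, whose failure branches are outside the hunks shown and would need to put `oldarray` back if they do not already. Separately, `atoi` has undefined behaviour when the value does not fit in an int, so rejecting the 20-digit value used in the test depends on how the C library truncates; comparing a `strtol` result against the bound before narrowing to int would make the rejection deterministic. tabstop_set is only partly visible across these hunks and ex_retab starts and ends outside its hunk.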
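--- a/src/option.c
+++ b/src/option.c
@@ -2292,9 +2292,9 @@ didset_options2(void)
 #endif
 #ifdef FEAT_VARTABS
 vim_free(curbuf->b_p_vsts_array);
- tabstop_set(curbuf->b_p_vsts, &curbuf->b_p_vsts_array);
+ (void)tabstop_set(curbuf->b_p_vsts, &curbuf->b_p_vsts_array);
 vim_free(curbuf->b_p_vts_array);
- tabstop_set(curbuf->b_p_vts, &curbuf->b_p_vts_array);
+ (void)tabstop_set(curbuf->b_p_vts, &curbuf->b_p_vts_array);
 #endif
 }
 
@@ -5756,7 +5756,7 @@ buf_copy_options(buf_T *buf, int flags)
 buf->b_p_vsts = vim_strsave(p_vsts);
 COPY_OPT_SCTX(buf, BV_VSTS);
 if (p_vsts && p_vsts != empty_option)
- tabstop_set(p_vsts, &buf->b_p_vsts_array);
+ (void)tabstop_set(p_vsts, &buf->b_p_vsts_array);
 else
 buf->b_p_vsts_array = 0;
 buf->b_p_vsts_nopaste = p_vsts_nopaste
@@ -5914,7 +5914,7 @@ buf_copy_options(buf_T *buf, int flags)
 buf->b_p_isk = save_p_isk;
 #ifdef FEAT_VARTABS
 if (p_vts && p_vts != empty_option && !buf->b_p_vts_array)
- tabstop_set(p_vts, &buf->b_p_vts_array);
+ (void)tabstop_set(p_vts, &buf->b_p_vts_array);
 else
 buf->b_p_vts_array = NULL;
 #endif
@@ -5929,7 +5929,7 @@ buf_copy_options(buf_T *buf, int flags)
 buf->b_p_vts = vim_strsave(p_vts);
 COPY_OPT_SCTX(buf, BV_VTS);
 if (p_vts && p_vts != empty_option && !buf->b_p_vts_array)
- tabstop_set(p_vts, &buf->b_p_vts_array);
+ (void)tabstop_set(p_vts, &buf->b_p_vts_array);
 else
 buf->b_p_vts_array = NULL;
 #endif
@@ -6634,7 +6634,7 @@ paste_option_changed(void)
 if (buf->b_p_vsts_array)
 vim_free(buf->b_p_vsts_array);
 if (buf->b_p_vsts && buf->b_p_vsts != empty_option)
- tabstop_set(buf->b_p_vsts, &buf->b_p_vsts_array);
+ (void)tabstop_set(buf->b_p_vsts, &buf->b_p_vsts_array);
 else
 buf->b_p_vsts_array = 0;
 #endif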
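Review bot: The `(void)` casts in didset_options2 and paste_option_changed discard a failure that can leave a stale pointer: both call `vim_free(...)` on the old array and then rely on tabstop_set to overwrite the field, but tabstop_set's early error returns in src/indent.c happen before `*array` is assigned. Whether an invalid option string can reach these calls is not visible here (the values were presumably validated when they were set), so this is a hardening point rather than a demonstrated fault. Clearing the field between the two calls, e.g. `curbuf->b_p_vsts_array = NULL;` directly after the `vim_free`, or acting on the FAIL result, keeps the field from referring to freed memory. The buf_copy_options call sites have the same shape without the preceding free, and all three functions start and end outside the hunks.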
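--- a/src/optionstr.c
+++ b/src/optionstr.c
@@ -2166,7 +2166,7 @@ did_set_string_option(
 if (errmsg == NULL)
 {
 int *oldarray = curbuf->b_p_vsts_array;
- if (tabstop_set(*varp, &(curbuf->b_p_vsts_array)))
+ if (tabstop_set(*varp, &(curbuf->b_p_vsts_array)) == OK)
 {
 if (oldarray)
 vim_free(oldarray);
@@ -2205,7 +2205,7 @@ did_set_string_option(
 {
 int *oldarray = curbuf->b_p_vts_array;
 
- if (tabstop_set(*varp, &(curbuf->b_p_vts_array)))
+ if (tabstop_set(*varp, &(curbuf->b_p_vts_array)) == OK)
 {
 vim_free(oldarray);
 #ifdef FEAT_FOLDING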
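--- a/src/testdir/test_retab.vim
+++ b/src/testdir/test_retab.vim
@@ -74,4 +74,7 @@ endfunc
 func Test_retab_error()
 call assert_fails('retab -1', 'E487:')
 call assert_fails('retab! -1', 'E487:')
+ call assert_fails('ret -1000', 'E487:')
+ call assert_fails('ret 10000', 'E475:')
+ call assert_fails('ret 80000000000000000000', 'E475:')
 endfunc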
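Review bot: The added cases exercise the new bound only through `:retab`; the same tabstop_set check is also reached when 'vartabstop' or 'varsofttabstop' is set (did_set_string_option in src/optionstr.c), and nothing here covers that path or the largest accepted value, 9999. A case that sets one of those options to an out-of-range value and asserts that it fails, plus one showing that `retab 9999` is still accepted, would pin both sides of the limit for the callers this patch touches.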
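--- a/src/version.c
+++ b/src/version.c
@@ -743,6 +743,8 @@ static char *(features[]) =
 static int included_patches[] =
 { /* Add new patch number below this line */
 /**/
+ 3402,
+/**/
 0
 };
 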