packages/vim
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
vim/backport-CVE-2022-2287.patch

91 lines
2.5 KiB
Diff
Raw Normal View History

fix CVE-2022-2264 CVE-2022-2257 CVE-2022-2286 CVE-2022-2287 (cherry picked from commit abed0f93104ac6dbfb93cee247292b9f7e4036e3)
2022-07-13 10:40:41 +08:00
From 5e59ea54c0c37c2f84770f068d95280069828774 Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Fri, 1 Jul 2022 22:26:20 +0100
Subject: [PATCH] patch 9.0.0021: invalid memory access when adding word to
spell word list
Problem: Invalid memory access when adding word with a control character to
the internal spell word list.
Solution: Disallow adding a word with control characters or a trailing
slash.
---
src/spellfile.c | 21 +++++++++++++++++++--
src/testdir/test_spell.vim | 15 +++++++++++++++
2 files changed, 34 insertions(+), 2 deletions(-)
diff --git a/src/spellfile.c b/src/spellfile.c
index 5171572..aeeb6ad 100644
--- a/src/spellfile.c
+++ b/src/spellfile.c
@@ -4343,6 +4343,23 @@ wordtree_alloc(spellinfo_T *spin)
}
/*
+ * Return TRUE if "word" contains valid word characters.
+ * Control characters and trailing '/' are invalid. Space is OK.
+ */
+ static int
+valid_spell_word(char_u *word)
+{
+ char_u *p;
+
+ if (enc_utf8 && !utf_valid_string(word, NULL))
+ return FALSE;
+ for (p = word; *p != NUL; p += mb_ptr2len(p))
+ if (*p < ' ' || (p[0] == '/' && p[1] == NUL))
+ return FALSE;
+ return TRUE;
+}
+
+/*
* Store a word in the tree(s).
* Always store it in the case-folded tree. For a keep-case word this is
* useful when the word can also be used with all caps (no WF_FIXCAP flag) and
@@ -4367,7 +4384,7 @@ store_word(
char_u *p;
// Avoid adding illegal bytes to the word tree.
- if (enc_utf8 && !utf_valid_string(word, NULL))
+ if (!valid_spell_word(word))
return FAIL;
(void)spell_casefold(word, len, foldword, MAXWLEN);
@@ -6171,7 +6188,7 @@ spell_add_word(
int i;
char_u *spf;
- if (enc_utf8 && !utf_valid_string(word, NULL))
+ if (!valid_spell_word(word))
{
emsg(_(e_illegal_character_in_word));
return;
diff --git a/src/testdir/test_spell.vim b/src/testdir/test_spell.vim
index 1f79907..bc4f41d 100644
--- a/src/testdir/test_spell.vim
+++ b/src/testdir/test_spell.vim
@@ -574,6 +574,21 @@ func Test_spell_screendump()
call delete('XtestSpell')
endfunc
+func Test_spell_good_word_invalid()
+ " This was adding a word with a 0x02 byte, which causes havoc.
+ enew
+ norm o0
+ sil! norm rzzWs00/
+ 2
+ sil! norm VzGprzzW
+ sil! norm z=
+
+ bwipe!
+ " clear the internal word list
+ set enc=latin1
+ set enc=utf-8
+endfunc
+
let g:test_data_aff1 = [
\"SET ISO8859-1",
\"TRY esianrtolcdugmphbyfvkwjkqxz-\xEB\xE9\xE8\xEA\xEF\xEE\xE4\xE0\xE2\xF6\xFC\xFB'ESIANRTOLCDUGMPHBYFVKWJKQXZ",
--
1.8.3.1
Reference in New Issue Copy Permalink