[vim] 01/02: Backport v8.0.0377 & v8.0.0378 to fix undo file buffer overflows
James McCoy
jamessan at debian.org
Tue Mar 7 03:35:35 UTC 2017
jamessan pushed a commit to branch debian/sid
in repository vim.
commit a6262cf22cebd835f7c01981d4f136183c484bfc
Author: James McCoy <jamessan at debian.org>
Date: Mon Mar 6 21:27:39 2017 -0500
Backport v8.0.0377 & v8.0.0378 to fix undo file buffer overflows
Signed-off-by: James McCoy <jamessan at debian.org>
---
debian/changelog | 8 ++++
debian/patches/series | 2 +
...ossible-overflow-when-reading-corrupted-u.patch | 47 ++++++++++++++++++
...ossible-overflow-when-reading-corrupted-u.patch | 56 ++++++++++++++++++++++
4 files changed, 113 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index c27418e..8286dd4 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+vim (2:8.0.0197-3) UNRELEASED; urgency=high
+
+ * Backport upstream patches v8.0.0377 & v8.0.0378, to fix buffer overflows
+ when reading corrupted undo files. (Closes: #856266, CVE-2017-6349,
+ CVE-2017-6350)
+
+ -- James McCoy <jamessan at debian.org> Mon, 06 Mar 2017 20:50:18 -0500
+
vim (2:8.0.0197-2) unstable; urgency=high
* Backport upstream patch v8.0.0322, to fix buffer overflow if a spellfile
diff --git a/debian/patches/series b/debian/patches/series
index d4353ba..b6cf658 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -6,3 +6,5 @@ debian/Document-Debian-s-decision-to-disable-modelines-by-defaul.patch
upstream/Add-Zesty-Zapus-to-deb-changelog-sources-syntax-files.patch
upstream/debcontrol.vim-Add-sections-for-Rust-and-JavaScript.patch
upstream/patch-8.0.0322-possible-overflow-with-corrupted-spell-fil.patch
+upstream/patch-8.0.0377-possible-overflow-when-reading-corrupted-u.patch
+upstream/patch-8.0.0378-possible-overflow-when-reading-corrupted-u.patch
diff --git a/debian/patches/upstream/patch-8.0.0377-possible-overflow-when-reading-corrupted-u.patch b/debian/patches/upstream/patch-8.0.0377-possible-overflow-when-reading-corrupted-u.patch
new file mode 100644
index 0000000..9d47b8e
--- /dev/null
+++ b/debian/patches/upstream/patch-8.0.0377-possible-overflow-when-reading-corrupted-u.patch
@@ -0,0 +1,47 @@
+From: Bram Moolenaar <Bram at vim.org>
+Date: Sun, 26 Feb 2017 18:11:36 +0100
+Subject: patch 8.0.0377: possible overflow when reading corrupted undo file
+
+Problem: Possible overflow when reading corrupted undo file.
+Solution: Check if allocated size is not too big. (King)
+---
+ src/undo.c | 5 +++--
+ src/version.c | 2 ++
+ 2 files changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/src/undo.c b/src/undo.c
+index 607f35f..9a6875b 100644
+--- a/src/undo.c
++++ b/src/undo.c
+@@ -1787,7 +1787,7 @@ u_read_undo(char_u *name, char_u *hash, char_u *orig_name)
+ linenr_T line_lnum;
+ colnr_T line_colnr;
+ linenr_T line_count;
+- int num_head = 0;
++ long num_head = 0;
+ long old_header_seq, new_header_seq, cur_header_seq;
+ long seq_last, seq_cur;
+ long last_save_nr = 0;
+@@ -1974,7 +1974,8 @@ u_read_undo(char_u *name, char_u *hash, char_u *orig_name)
+ * When there are no headers uhp_table is NULL. */
+ if (num_head > 0)
+ {
+- uhp_table = (u_header_T **)U_ALLOC_LINE(
++ if (num_head < LONG_MAX / (long)sizeof(u_header_T *))
++ uhp_table = (u_header_T **)U_ALLOC_LINE(
+ num_head * sizeof(u_header_T *));
+ if (uhp_table == NULL)
+ goto error;
+diff --git a/src/version.c b/src/version.c
+index c851d87..4c81879 100644
+--- a/src/version.c
++++ b/src/version.c
+@@ -771,6 +771,8 @@ static char *(features[]) =
+ static int included_patches[] =
+ { /* Add new patch number below this line */
+ /**/
++ 377,
++/**/
+ 322,
+ /**/
+ 197,
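Review bot: The guard inserted before the `U_ALLOC_LINE` call is only safe if `uhp_table` already holds NULL when `num_head` fails the bound, because control then falls through to `if (uhp_table == NULL) goto error;` and tests whatever the pointer held before; this is precisely the hazard the companion patch 8.0.0378 has to fix for `array` by initialising it at its declaration. The declaration of `uhp_table` lies outside the hunk, so this must be confirmed against u_read_undo, and an explicit `u_header_T **uhp_table = NULL;` at that declaration would make the new path self-evidently correct. The bound itself also deserves a why-comment, since it reads as an allocator limit rather than as an integrity check on file-supplied data, e.g. `/* num_head comes from the undo file: refuse a count whose byte size would wrap. */`. u_read_undo's body starts and ends outside the hunk.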
diff --git a/debian/patches/upstream/patch-8.0.0378-possible-overflow-when-reading-corrupted-u.patch b/debian/patches/upstream/patch-8.0.0378-possible-overflow-when-reading-corrupted-u.patch
new file mode 100644
index 0000000..d6e9bd9
--- /dev/null
+++ b/debian/patches/upstream/patch-8.0.0378-possible-overflow-when-reading-corrupted-u.patch
@@ -0,0 +1,56 @@
+From: Bram Moolenaar <Bram at vim.org>
+Date: Sun, 26 Feb 2017 18:17:10 +0100
+Subject: patch 8.0.0378: possible overflow when reading corrupted undo file
+
+Problem: Another possible overflow when reading corrupted undo file.
+Solution: Check if allocated size is not too big. (King)
+---
+ src/undo.c | 7 +++----
+ src/version.c | 2 ++
+ 2 files changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/src/undo.c b/src/undo.c
+index 9a6875b..6de985b 100644
+--- a/src/undo.c
++++ b/src/undo.c
+@@ -1385,7 +1385,7 @@ unserialize_uep(bufinfo_T *bi, int *error, char_u *file_name)
+ {
+ int i;
+ u_entry_T *uep;
+- char_u **array;
++ char_u **array = NULL;
+ char_u *line;
+ int line_len;
+
+@@ -1402,7 +1402,8 @@ unserialize_uep(bufinfo_T *bi, int *error, char_u *file_name)
+ uep->ue_size = undo_read_4c(bi);
+ if (uep->ue_size > 0)
+ {
+- array = (char_u **)U_ALLOC_LINE(sizeof(char_u *) * uep->ue_size);
++ if (uep->ue_size < LONG_MAX / (int)sizeof(char_u *))
++ array = (char_u **)U_ALLOC_LINE(sizeof(char_u *) * uep->ue_size);
+ if (array == NULL)
+ {
+ *error = TRUE;
+@@ -1410,8 +1411,6 @@ unserialize_uep(bufinfo_T *bi, int *error, char_u *file_name)
+ }
+ vim_memset(array, 0, sizeof(char_u *) * uep->ue_size);
+ }
+- else
+- array = NULL;
+ uep->ue_array = array;
+
+ for (i = 0; i < uep->ue_size; ++i)
+diff --git a/src/version.c b/src/version.c
+index 4c81879..c301a98 100644
+--- a/src/version.c
++++ b/src/version.c
+@@ -771,6 +771,8 @@ static char *(features[]) =
+ static int included_patches[] =
+ { /* Add new patch number below this line */
+ /**/
++ 378,
++/**/
+ 377,
+ /**/
+ 322,
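Review bot: The new bound `uep->ue_size < LONG_MAX / (int)sizeof(char_u *)` casts `sizeof` to `int`, whereas the matching check patch 8.0.0377 adds to u_read_undo casts it to `long`; both forms promote to `long` before the comparison so the result is the same, but the two guards should read identically so a later reader does not hunt for a reason they differ. The check also wants a comment tying the limit to the size the allocator can represent rather than to `LONG_MAX` as such, e.g. `/* ue_size is read from the undo file: refuse a count whose byte size would wrap. */`; the declared type of `ue_size` is not visible in the hunk, so whether the bound is ever reachable on 64-bit builds cannot be judged here. Separately, a count just under the bound still turns into a multi-gigabyte allocation request from a corrupted file and lands in the same `*error = TRUE` path as a genuine allocation failure, so if that path reports an out-of-memory condition a tighter sanity limit on `ue_size` (for instance against the remaining file length) would give a clearer diagnosis. unserialize_uep's body starts and ends outside the hunk.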