Attachment #183429 for bug #219941




# Created by: David O'Brien <obrien@cs.ucdavis.edu>
# $FreeBSD$

PORTNAME=	vim7
PORTVERSION=	7.4.2367
DISTVERSIONPREFIX=	v
PORTREVISION=	CVEp2
CATEGORIES?=	editors
CONFLICTS_INSTALL= ${VPNAME}-*

MAINTAINER?=	ports@FreeBSD.org
COMMENT?=	Improved version of the vi editor (pre-GTK3)

OPTIONS_DEFINE=	CSCOPE DEFAULT_VIMRC EXUBERANT_CTAGS LUA NLS PERL PYTHON RUBY TCL XTERM_SAVE
OPTIONS_SINGLE=	UI

USES=		cpe iconv ncurses pkgconfig shebangfix
WANT_GNOME=	yes

VPNAME=		vim # $PORTNAME differs from upstream with this private port.
PLIST_SUB=	VIM_VER=${VIM_VER}
PORTDATA=	${VIM_VER}
DATADIR=	${PREFIX}/share/${VPNAME}

VIM_VER=	${VPNAME}${PORTVERSION:R:S|.||g}

USE_GITHUB=	yes
GH_ACCOUNT=     ${VPNAME}
GH_PROJECT=     ${VPNAME}

CPE_VERSION=	${PORTVERSION:R}

SLAVEDIRS=	editors/vim7-lite

SHEBANG_FILES=	runtime/tools/efm_perl.pl





--- src/option.c.orig	2016-09-12 13:32:02.000000000 +0200
+++ src/option.c	2017-06-12 11:57:58.845378000 +0200
@@ -5823,6 +5823,21 @@
 }
 
 /*
+ * Return TRUE if "val" is a valid 'filetype' name.
+ * Also used for 'syntax' and 'keymap'.
+ */
+    static int
+valid_filetype(char_u *val)
+{
+    char_u *s;
+
+    for (s = val; *s != NUL; ++s)
+	if (!ASCII_ISALNUM(*s) && vim_strchr((char_u *)".-_", *s) == NULL)
+	    return FALSE;
+    return TRUE;
+}
+
+/*
  * Handle string options that need some action to perform when changed.
  * Returns NULL for success, or an error message for an error.
  */
@@ -6235,8 +6250,11 @@
 #ifdef FEAT_KEYMAP
     else if (varp == &curbuf->b_p_keymap)
     {
-	/* load or unload key mapping tables */
-	errmsg = keymap_init();
+	if (!valid_filetype(*varp))
+	    errmsg = e_invarg;
+	else
+	    /* load or unload key mapping tables */
+	    errmsg = keymap_init();
 
 	if (errmsg == NULL)
 	{
@@ -7222,6 +7240,22 @@
     }
 #endif
 
+#ifdef FEAT_AUTOCMD
+    else if (gvarp == &p_ft)
+    {
+	if (!valid_filetype(*varp))
+	    errmsg = e_invarg;
+    }
+#endif
+
+#ifdef FEAT_SYN_HL
+    else if (gvarp == &p_syn)
+    {
+	if (!valid_filetype(*varp))
+	    errmsg = e_invarg;
+    }
+#endif
+
     /* Options that are a list of flags. */
     else
     {
--- src/testdir/test_options.vim.orig	2016-09-12 13:32:02.000000000 +0200
+++ src/testdir/test_options.vim	2017-06-12 11:57:58.845713000 +0200
@@ -48,3 +48,52 @@
   endif
 endfunc
 
+func Test_filetype_valid()
+  set ft=valid_name
+  call assert_equal("valid_name", &filetype)
+  set ft=valid-name
+  call assert_equal("valid-name", &filetype)
+
+  call assert_fails(":set ft=wrong;name", "E474:")
+  call assert_fails(":set ft=wrong\\\\name", "E474:")
+  call assert_fails(":set ft=wrong\\|name", "E474:")
+  call assert_fails(":set ft=wrong/name", "E474:")
+  call assert_fails(":set ft=wrong\\\nname", "E474:")
+  call assert_equal("valid-name", &filetype)
+
+  exe "set ft=trunc\x00name"
+  call assert_equal("trunc", &filetype)
+endfunc
+
+func Test_syntax_valid()
+  set syn=valid_name
+  call assert_equal("valid_name", &syntax)
+  set syn=valid-name
+  call assert_equal("valid-name", &syntax)
+
+  call assert_fails(":set syn=wrong;name", "E474:")
+  call assert_fails(":set syn=wrong\\\\name", "E474:")
+  call assert_fails(":set syn=wrong\\|name", "E474:")
+  call assert_fails(":set syn=wrong/name", "E474:")
+  call assert_fails(":set syn=wrong\\\nname", "E474:")
+  call assert_equal("valid-name", &syntax)
+
+  exe "set syn=trunc\x00name"
+  call assert_equal("trunc", &syntax)
+endfunc
+
+func Test_keymap_valid()
+  call assert_fails(":set kmp=valid_name", "E544:")
+  call assert_fails(":set kmp=valid_name", "valid_name")
+  call assert_fails(":set kmp=valid-name", "E544:")
+  call assert_fails(":set kmp=valid-name", "valid-name")
+
+  call assert_fails(":set kmp=wrong;name", "E474:")
+  call assert_fails(":set kmp=wrong\\\\name", "E474:")
+  call assert_fails(":set kmp=wrong\\|name", "E474:")
+  call assert_fails(":set kmp=wrong/name", "E474:")
+  call assert_fails(":set kmp=wrong\\\nname", "E474:")
+
+  call assert_fails(":set kmp=trunc\x00name", "E544:")
+  call assert_fails(":set kmp=trunc\x00name", "trunc")
+endfunc




--- src/spellfile.c.orig	2016-09-12 13:32:02.000000000 +0200
+++ src/spellfile.c	2017-06-12 11:53:50.234578000 +0200
@@ -1595,6 +1595,9 @@
     len = get4c(fd);
     if (len < 0)
 	return SP_TRUNCERROR;
+    if (len >= 0x3ffffff)
+	/* Invalid length, multiply with sizeof(int) would overflow. */
+	return SP_FORMERROR;
     if (len > 0)
     {
 	/* Allocate the byte array. */

Lines 3-8 Link Here

(-)vim/files/vimrc (+1 lines)
3	endif	3	endif
4		4
5	let g:is_posix = 1	5	let g:is_posix = 1
		6	let skip_defaults_vim = 1
6	set nocompatible	7	set nocompatible
7	set bs=indent,eol,start	8	set bs=indent,eol,start
8	set history=50	9	set history=50

Return to bug 219941

Lines 1-13 Link Here

(-)vim/Makefile (-5 / +11 lines)
1	# Created by: David O'Brien <obrien@cs.ucdavis.edu>	1	# Created by: David O'Brien <obrien@cs.ucdavis.edu>
2	# $FreeBSD$	2	# $FreeBSD$
3		3
4	PORTNAME= vim	4	PORTNAME= vim7
5	PORTVERSION= 7.4.2367	5	PORTVERSION= 7.4.2367
6	DISTVERSIONPREFIX= v	6	DISTVERSIONPREFIX= v
		7	PORTREVISION= CVEp2
7	CATEGORIES?= editors	8	CATEGORIES?= editors
		9	CONFLICTS_INSTALL= ${VPNAME}-*
8		10
9	MAINTAINER?= sunpoet@FreeBSD.org	11	MAINTAINER?= ports@FreeBSD.org
10	COMMENT?= Improved version of the vi editor	12	COMMENT?= Improved version of the vi editor (pre-GTK3)
11		13
12	OPTIONS_DEFINE= CSCOPE DEFAULT_VIMRC EXUBERANT_CTAGS LUA NLS PERL PYTHON RUBY TCL XTERM_SAVE	14	OPTIONS_DEFINE= CSCOPE DEFAULT_VIMRC EXUBERANT_CTAGS LUA NLS PERL PYTHON RUBY TCL XTERM_SAVE
13	OPTIONS_SINGLE= UI	15	OPTIONS_SINGLE= UI
Lines 30-45 Link Here
30	USES= cpe iconv ncurses pkgconfig shebangfix	32	USES= cpe iconv ncurses pkgconfig shebangfix
31	WANT_GNOME= yes	33	WANT_GNOME= yes
32		34
		35	VPNAME= vim # $PORTNAME differs from upstream with this private port.
33	PLIST_SUB= VIM_VER=${VIM_VER}	36	PLIST_SUB= VIM_VER=${VIM_VER}
34	PORTDATA= ${VIM_VER}	37	PORTDATA= ${VIM_VER}
		38	DATADIR= ${PREFIX}/share/${VPNAME}
35		39
36	VIM_VER= ${PORTNAME}${PORTVERSION:R:S\|.\|\|g}	40	VIM_VER= ${VPNAME}${PORTVERSION:R:S\|.\|\|g}
37		41
38	USE_GITHUB= yes	42	USE_GITHUB= yes
		43	GH_ACCOUNT= ${VPNAME}
		44	GH_PROJECT= ${VPNAME}
39		45
40	CPE_VERSION= ${PORTVERSION:R}	46	CPE_VERSION= ${PORTVERSION:R}
41		47
42	SLAVEDIRS= editors/vim-lite	48	SLAVEDIRS= editors/vim7-lite
43		49
44	SHEBANG_FILES= runtime/tools/efm_perl.pl	50	SHEBANG_FILES= runtime/tools/efm_perl.pl
45		51

Line 0 Link Here

(-)vim/files/patch-vim_CVE-2016-1248 (+116 lines)
		1	--- src/option.c.orig 2016-09-12 13:32:02.000000000 +0200
		2	+++ src/option.c 2017-06-12 11:57:58.845378000 +0200
		3	@@ -5823,6 +5823,21 @@
		4	}
		5
		6	/*
		7	+ * Return TRUE if "val" is a valid 'filetype' name.
		8	+ * Also used for 'syntax' and 'keymap'.
		9	+ */
		10	+ static int
		11	+valid_filetype(char_u *val)
		12	+{
		13	+ char_u *s;
		14	+
		15	+ for (s = val; *s != NUL; ++s)
		16	+ if (!ASCII_ISALNUM(s) && vim_strchr((char_u )".-_", *s) == NULL)
		17	+ return FALSE;
		18	+ return TRUE;
		19	+}
		20	+
		21	+/*
		22	* Handle string options that need some action to perform when changed.
		23	* Returns NULL for success, or an error message for an error.
		24	*/
		25	@@ -6235,8 +6250,11 @@
		26	#ifdef FEAT_KEYMAP
		27	else if (varp == &curbuf->b_p_keymap)
		28	{
		29	- /* load or unload key mapping tables */
		30	- errmsg = keymap_init();
		31	+ if (!valid_filetype(*varp))
		32	+ errmsg = e_invarg;
		33	+ else
		34	+ /* load or unload key mapping tables */
		35	+ errmsg = keymap_init();
		36
		37	if (errmsg == NULL)
		38	{
		39	@@ -7222,6 +7240,22 @@
		40	}
		41	#endif
		42
		43	+#ifdef FEAT_AUTOCMD
		44	+ else if (gvarp == &p_ft)
		45	+ {
		46	+ if (!valid_filetype(*varp))
		47	+ errmsg = e_invarg;
		48	+ }
		49	+#endif
		50	+
		51	+#ifdef FEAT_SYN_HL
		52	+ else if (gvarp == &p_syn)
		53	+ {
		54	+ if (!valid_filetype(*varp))
		55	+ errmsg = e_invarg;
		56	+ }
		57	+#endif
		58	+
		59	/* Options that are a list of flags. */
		60	else
		61	{
		62	--- src/testdir/test_options.vim.orig 2016-09-12 13:32:02.000000000 +0200
		63	+++ src/testdir/test_options.vim 2017-06-12 11:57:58.845713000 +0200
		64	@@ -48,3 +48,52 @@
65	endif
66	endfunc
67
68	+func Test_filetype_valid()
69	+ set ft=valid_name
70	+ call assert_equal("valid_name", &filetype)
71	+ set ft=valid-name
72	+ call assert_equal("valid-name", &filetype)
73	+
74	+ call assert_fails(":set ft=wrong;name", "E474:")
75	+ call assert_fails(":set ft=wrong\\\\name", "E474:")
76	+ call assert_fails(":set ft=wrong\\\|name", "E474:")
77	+ call assert_fails(":set ft=wrong/name", "E474:")
78	+ call assert_fails(":set ft=wrong\\\nname", "E474:")
79	+ call assert_equal("valid-name", &filetype)
80	+
81	+ exe "set ft=trunc\x00name"
82	+ call assert_equal("trunc", &filetype)
83	+endfunc
84	+
85	+func Test_syntax_valid()
86	+ set syn=valid_name
87	+ call assert_equal("valid_name", &syntax)
88	+ set syn=valid-name
89	+ call assert_equal("valid-name", &syntax)
90	+
91	+ call assert_fails(":set syn=wrong;name", "E474:")
92	+ call assert_fails(":set syn=wrong\\\\name", "E474:")
93	+ call assert_fails(":set syn=wrong\\\|name", "E474:")
94	+ call assert_fails(":set syn=wrong/name", "E474:")
95	+ call assert_fails(":set syn=wrong\\\nname", "E474:")
96	+ call assert_equal("valid-name", &syntax)
97	+
98	+ exe "set syn=trunc\x00name"
99	+ call assert_equal("trunc", &syntax)
100	+endfunc
101	+
102	+func Test_keymap_valid()
103	+ call assert_fails(":set kmp=valid_name", "E544:")
104	+ call assert_fails(":set kmp=valid_name", "valid_name")
105	+ call assert_fails(":set kmp=valid-name", "E544:")
106	+ call assert_fails(":set kmp=valid-name", "valid-name")
107	+
108	+ call assert_fails(":set kmp=wrong;name", "E474:")
109	+ call assert_fails(":set kmp=wrong\\\\name", "E474:")
110	+ call assert_fails(":set kmp=wrong\\\|name", "E474:")
111	+ call assert_fails(":set kmp=wrong/name", "E474:")
112	+ call assert_fails(":set kmp=wrong\\\nname", "E474:")
113	+
114	+ call assert_fails(":set kmp=trunc\x00name", "E544:")
115	+ call assert_fails(":set kmp=trunc\x00name", "trunc")
116	+endfunc

Line 0 Link Here

(-)vim/files/patch-vim_CVE-2017-5953 (+12 lines)
	1	--- src/spellfile.c.orig 2016-09-12 13:32:02.000000000 +0200
	2	+++ src/spellfile.c 2017-06-12 11:53:50.234578000 +0200
	3	@@ -1595,6 +1595,9 @@
	4	len = get4c(fd);
	5	if (len < 0)
	6	return SP_TRUNCERROR;
	7	+ if (len >= 0x3ffffff)
	8	+ /* Invalid length, multiply with sizeof(int) would overflow. */
	9	+ return SP_FORMERROR;
	10	if (len > 0)
	11	{
	12	/* Allocate the byte array. */