RHEL-44652 vim-9.1.083-1.el10: RHEL SAST Automation: address 4 High impact true positive(s)

Resolves: RHEL-44652

0001-patch-9.1.0903-potential-overflow-in-spell_soundfold.patch

@@ -0,0 +1,61 @@
+From 39a94d20487794aeb722c21e84f8816e217f0cfe Mon Sep 17 00:00:00 2001
+From: Zdenek Dohnal <zdohnal@redhat.com>
+Date: Wed, 4 Dec 2024 20:16:17 +0100
+Subject: [PATCH] patch 9.1.0903: potential overflow in spell_soundfold_wsal()
+
+Problem:  potential overflow in spell_soundfold_wsal()
+Solution: Protect wres from buffer overflow, by checking the
+          length (Zdenek Dohnal)
+
+Error: OVERRUN (CWE-119):
+vim91/src/spell.c:3819: cond_const: Checking "reslen < 254" implies that
+"reslen" is 254 on the false branch.
+vim91/src/spell.c:3833: incr: Incrementing "reslen". The value of "reslen"
+is now 255.
+vim91/src/spell.c:3792: overrun-local: Overrunning array "wres" of 254
+4-byte elements at element index 254 (byte offset 1019) using index
+"reslen - 1" (which evaluates to 254).
+ 3789|   		    {
+ 3790|   			// rule with '<' is used
+ 3791|-> 			if (reslen > 0 && ws != NULL && *ws != NUL
+ 3792|   				&& (wres[reslen - 1] == c
+ 3793|   						    || wres[reslen - 1] == *ws))
+
+Error: OVERRUN (CWE-119):
+vim91/src/spell.c:3819: cond_const: Checking "reslen < 254" implies that
+"reslen" is 254 on the false branch.
+vim91/src/spell.c:3833: overrun-local: Overrunning array "wres" of 254
+4-byte elements at element index 254 (byte offset 1019) using index
+"reslen++" (which evaluates to 254).
+ 3831|                         {
+ 3832|                             if (c != NUL)
+ 3833|->                               wres[reslen++] = c;
+ 3834|                             mch_memmove(word, word + i + 1,
+ 3835|                                        sizeof(int) * (wordlen -
+(i + 1) + 1));
+
+related: #16163
+
+Signed-off-by: Zdenek Dohnal <zdohnal@redhat.com>
+Signed-off-by: Christian Brabandt <cb@256bit.org>
+---
+ src/spell.c   | 2 +-
+ src/version.c | 2 ++
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/spell.c b/src/spell.c
+index 5a7720f7f..2581a5ede 100644
+--- a/src/spell.c
++++ b/src/spell.c
+@@ -3829,7 +3829,7 @@ spell_soundfold_wsal(slang_T *slang, char_u *inword, char_u *res)
+ 			    c = *ws;
+ 			if (strstr((char *)s, "^^") != NULL)
+ 			{
+-			    if (c != NUL)
++			    if (c != NUL && reslen < MAXWLEN)
+ 				wres[reslen++] = c;
+ 			    mch_memmove(word, word + i + 1,
+ 				       sizeof(int) * (wordlen - (i + 1) + 1));
+-- 
+2.47.1
+

0001-patch-9.1.0904-Vim9-copy-paste-error-in-class_defini.patch

@@ -0,0 +1,48 @@
+From 215c82d061d750d8a26ef52f529a9e3ca4e0f82a Mon Sep 17 00:00:00 2001
+From: Zdenek Dohnal <zdohnal@redhat.com>
+Date: Wed, 4 Dec 2024 20:19:40 +0100
+Subject: [PATCH] patch 9.1.0904: Vim9: copy-paste error in
+ class_defining_member()
+
+Problem:  Vim9: copy-paste error in class_defining_member()
+Solution: use variable type VAR_CLASS instead (Zdenek Dohnal)
+
+Found issue by OpenScanHub:
+Error: COPY_PASTE_ERROR (CWE-398):
+vim91/src/vim9class.c:3308: original: "VAR_OBJECT" looks like the
+original copy.
+vim91/src/vim9class.c:3316: copy_paste_error: "VAR_OBJECT" looks like a
+copy-paste error.
+vim91/src/vim9class.c:3316: remediation: Should it say "VAR_CLASS"
+instead?
+3314|             {
+3315|                 cl_tmp = super;
+3316|->               vartype = VAR_OBJECT;
+3317|             }
+3318|         }
+
+closes: #16163
+
+Signed-off-by: Zdenek Dohnal <zdohnal@redhat.com>
+Signed-off-by: Christian Brabandt <cb@256bit.org>
+---
+ src/version.c   | 2 ++
+ src/vim9class.c | 2 +-
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/vim9class.c b/src/vim9class.c
+index d0ddcb820..e85cf827f 100644
+--- a/src/vim9class.c
++++ b/src/vim9class.c
+@@ -3313,7 +3313,7 @@ class_defining_member(class_T *cl, char_u *name, size_t len, ocmember_T **p_m)
+ 	    if (( m = class_member_lookup(super, name, len, NULL)) != NULL)
+ 	    {
+ 		cl_tmp = super;
+-		vartype = VAR_OBJECT;
++		vartype = VAR_CLASS;
+ 	    }
+ 	}
+ 	if (cl_tmp == NULL)
+-- 
+2.47.1
+

vim.spec

@@ -51,7 +51,7 @@ Summary: The VIM editor
 URL:     http://www.vim.org/
 Name: vim
 Version: %{baseversion}.%{patchlevel}
-Release: 3%{?dist}
+Release: 4%{?dist}
 Epoch: 2
 # swift.vim contains Apache 2.0 with runtime library exception:
 # which is taken as Apache-2.0 WITH Swift-exception - reported to legal as https://gitlab.com/fedora/legal/fedora-license-data/-/issues/188
@@ -99,6 +99,13 @@ Patch3003: vim-python3-tests.patch
 Patch3004: vim-crypto-warning.patch
 # don't ever set mouse (Fedora downstream patch)
 Patch3005: vim-8.0-copy-paste.patch
+# RHEL-44652 vim-9.1.083-1.el10: RHEL SAST Automation: address 4 High impact true positive(s)
+# 2 patches: 0001-src-spell.c-Protect-wres-from-possible-buffer-overfl.patch
+#            0003-src-vim9class.c-Fix-typo.patch
+# upstreamed as: https://github.com/vim/vim/commit/215c82d06
+#                https://github.com/vim/vim/commit/39a94d204
+Patch3006: 0001-patch-9.1.0903-potential-overflow-in-spell_soundfold.patch
+Patch3007: 0001-patch-9.1.0904-Vim9-copy-paste-error-in-class_defini.patch
 
 
 # uses autoconf in spec file
@@ -422,6 +429,8 @@ perl -pi -e "s,bin/nawk,bin/awk,g" runtime/tools/mve.awk
 %patch -P 3003 -p1 -b .python-tests
 %patch -P 3004 -p1 -b .fips-warning
 %patch -P 3005 -p1 -b .copypaste
+%patch -P 3006 -p1 -b .buffer-overflow
+%patch -P 3007 -p1 -b .typo
 
 %build
 cd src
@@ -1057,6 +1066,9 @@ touch %{buildroot}/%{_datadir}/%{name}/vimfiles/doc/tags
 
 
 %changelog
+* Thu Dec 05 2024 Zdenek Dohnal <zdohnal@redhat.com> - 2:9.1.083-4
+- RHEL-44652 vim-9.1.083-1.el10: RHEL SAST Automation: address 4 High impact true positive(s)
+
 * Tue Oct 29 2024 Troy Dawson <tdawson@redhat.com> - 2:9.1.083-3
 - Bump release for October 2024 mass rebuild:
   Resolves: RHEL-64018