From 2bba9e816637b751f5eb4b5cdeee8099e1ca4369 Mon Sep 17 00:00:00 2001
From: Zdenek Dohnal
Date: Mon, 5 Aug 2024 16:39:07 +0200
Subject: [PATCH] RHEL-40602 CVE-2021-3903 vim heap-based buffer overflow vulnerability
Resolves: RHEL-40602
---
 ...nvalid-memory-access-when-scrolling-.patch | 82 +++++++++++++++++++
 vim.spec | 8 +-
 2 files changed, 89 insertions(+), 1 deletion(-)
 create mode 100644 0001-patch-8.2.3564-invalid-memory-access-when-scrolling-.patch
diff --git a/0001-patch-8.2.3564-invalid-memory-access-when-scrolling-.patch b/0001-patch-8.2.3564-invalid-memory-access-when-scrolling-.patch
new file mode 100644
index 00000000..5bd88ad9
--- /dev/null
+++ b/0001-patch-8.2.3564-invalid-memory-access-when-scrolling-.patch
@@ -0,0 +1,82 @@
+From 777e7c21b7627be80961848ac560cb0a9978ff43 Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar
+Date: Mon, 25 Oct 2021 17:07:04 +0100
+Subject: [PATCH] patch 8.2.3564: invalid memory access when scrolling without
+ valid screen
+
+Problem: Invalid memory access when scrolling without a valid screen.
+Solution: Do not set VALID_BOTLINE in w_valid.
+---
+ src/move.c | 1 -
+ src/testdir/test_normal.vim | 22 +++++++++++++++++++---
+ src/version.c | 2 ++
+ 3 files changed, 21 insertions(+), 4 deletions(-)
+
+diff --git a/src/move.c b/src/move.c
+index 8fe00bb67..64b12963c 100644
+--- a/src/move.c
++++ b/src/move.c
+@@ -199,7 +199,6 @@ update_topline(void)
+ check_cursor_lnum();
+ curwin->w_topline = curwin->w_cursor.lnum;
+ curwin->w_botline = curwin->w_topline;
+- curwin->w_valid |= VALID_BOTLINE|VALID_BOTLINE_AP;
+ curwin->w_scbind_pos = 1;
+ return;
+ }
+diff --git a/src/testdir/test_normal.vim b/src/testdir/test_normal.vim
+index f8dbf8aed..f994f970a 100644
+--- a/src/testdir/test_normal.vim
++++ b/src/testdir/test_normal.vim
+@@ -34,14 +34,14 @@ func CountSpaces(type, ...)
+ else
+ silent exe "normal! `[v`]y"
+ endif
+- let g:a=strlen(substitute(@@, '[^ ]', '', 'g'))
++ let g:a = strlen(substitute(@@, '[^ ]', '', 'g'))
+ let &selection = sel_save
+ let @@ = reg_save
+ endfunc
+
+ func OpfuncDummy(type, ...)
+ " for testing operatorfunc
+- let g:opt=&linebreak
++ let g:opt = &linebreak
+
+ if a:0 " Invoked from Visual mode, use gv command.
+ silent exe "normal! gvy"
+@@ -52,7 +52,7 @@ func OpfuncDummy(type, ...)
+ endif
+ " Create a new dummy window
+ new
+- let g:bufnr=bufnr('%')
++ let g:bufnr = bufnr('%')
+ endfunc
+
+ func Test_normal00_optrans()
+@@ -987,6 +987,22 @@ func Test_vert_scroll_cmds()
+ close!
+ endfunc
+
++func Test_scroll_in_ex_mode()
++ " This was using invalid memory because w_botline was invalid.
++ let lines =<< trim END
++ diffsplit
++ norm os00(
++ call writefile(['done'], 'Xdone')
++ qa!
++ END
++ call writefile(lines, 'Xscript')
++ call assert_equal(1, RunVim([], [], '--clean -X -Z -e -s -S Xscript'))
++ call assert_equal(['done'], readfile('Xdone'))
++
++ call delete('Xscript')
++ call delete('Xdone')
++endfunc
++
+ " Test for the 'sidescroll' option
+ func Test_sidescroll_opt()
+ new
+--
+2.45.2
+
diff --git a/vim.spec b/vim.spec
index ec73e6ca..c7125b99 100644
--- a/vim.spec
+++ b/vim.spec
@@ -27,7 +27,7 @@ Summary: The VIM editor
 URL: http://www.vim.org/
 Name: vim
 Version: %{baseversion}.%{patchlevel}
-Release: 20%{?dist}
+Release: 21%{?dist}
 License: Vim and MIT
 Source0: ftp://ftp.vim.org/pub/vim/unix/vim-%{baseversion}-%{patchlevel}.tar.bz2
 Source1: virc
@@ -136,6 +136,8 @@ Patch3051: 0001-patch-8.2.5023-substitute-overwrites-allocated-buffe.patch
 Patch3052: 0001-patch-8.2.5037-cursor-position-may-be-invalid-after-.patch
 # CVE-2022-47024 vim: no check if the return value of XChangeGC() is NULL
 Patch3053:0001-patch-9.0.0339-no-check-if-the-return-value-of-XChan.patch
+# RHEL-40602 CVE-2021-3903 vim: heap-based buffer overflow vulnerability
+Patch3054: 0001-patch-8.2.3564-invalid-memory-access-when-scrolling-.patch
 
 # gcc is no longer in buildroot by default
 BuildRequires: gcc
@@ -376,6 +378,7 @@ perl -pi -e "s,bin/nawk,bin/awk,g" runtime/tools/mve.awk
 %patch3051 -p1 -b .cve1897
 %patch3052 -p1 -b .cve1927
 %patch3053 -p1 -b .cve47024
+%patch -P 3054 -p1 -b .cve2021-3903
 
 %build
 cd src
@@ -933,6 +936,9 @@ touch %{buildroot}/%{_datadir}/%{name}/vimfiles/doc/tags
 %endif
 
 %changelog
+* Mon Aug 05 2024 Zdenek Dohnal - 2:8.2.2637-21
+- RHEL-40602 CVE-2021-3903 vim: heap-based buffer overflow vulnerability
+
 * Thu Feb 09 2023 Zdenek Dohnal - 2:8.2.2637-20
 - CVE-2022-47024 vim: no check if the return value of XChangeGC() is NULL
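Review bot: The header of the new patch file no longer describes its body: the diffstat lines `+ src/version.c | 2 ++` and `+ 3 files changed, 21 insertions(+), 4 deletions(-)` announce a version.c hunk, but the file carries only the src/move.c and src/testdir/test_normal.vim hunks. `%patch` ignores the diffstat, so the build is unaffected, yet anyone auditing this CVE backport against upstream 8.2.3564 is led to look for a dropped hunk that was removed on purpose. Either regenerate the stat for the trimmed patch or add a line under `Solution:` such as `Backported to 8.2.2637; the src/version.c hunk was dropped.` The whitespace-only edits to CountSpaces and OpfuncDummy (`let g:a=` to `let g:a = ` and the like) are carried from upstream and unrelated to the fix; they are harmless, but they widen the context this patch must match in test_normal.vim, so they are the first thing to drop if the backport ever stops applying.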
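Review bot: `%patch -P 3054 -p1 -b .cve2021-3903` in the %prep hunk mixes the `%patch -P N` form with the `%patch305x` form used on the three lines directly above it, and its backup suffix contains a hyphen where the neighbours use `.cve1897`, `.cve1927` and `.cve47024`. Both forms apply the patch, so this is a style point rather than a defect; the `-P` form is the one newer rpm documents, but a single convention inside one %prep block is easier to audit when checking that every PatchNNNN declared in the @@ -136 hunk is actually applied. Either keep the file's existing shape, `%patch3054 -p1 -b .cve3903`, or convert the older lines to `%patch -P` in a follow-up so the block reads uniformly.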