From 329a0f6996a48f7a41c067ef21d958e46ff586b7 Mon Sep 17 00:00:00 2001
From: CentOS Sources <bugs@centos.org>
Date: Tue, 28 Jun 2022 06:54:16 -0400
Subject: [PATCH] import vim-8.0.1763-19.el8_6.2

---
 ...can-add-invalid-bytes-with-spellgood.patch | 54 ++++++++++++++++
 ...railing-backslash-may-cause-reading-.patch | 15 +++++
 SPECS/vim.spec                                | 63 ++++++++-----------
 3 files changed, 96 insertions(+), 36 deletions(-)
 create mode 100644 SOURCES/0001-patch-8.2.4919-can-add-invalid-bytes-with-spellgood.patch
 create mode 100644 SOURCES/0001-patch-8.2.4925-trailing-backslash-may-cause-reading-.patch

diff --git a/SOURCES/0001-patch-8.2.4919-can-add-invalid-bytes-with-spellgood.patch b/SOURCES/0001-patch-8.2.4919-can-add-invalid-bytes-with-spellgood.patch
new file mode 100644
index 0000000..e998524
--- /dev/null
+++ b/SOURCES/0001-patch-8.2.4919-can-add-invalid-bytes-with-spellgood.patch
@@ -0,0 +1,54 @@
+diff -up vim80/src/globals.h.cve1621 vim80/src/globals.h
+--- vim80/src/globals.h.cve1621	2022-05-24 12:46:44.883952323 +0200
++++ vim80/src/globals.h	2022-05-24 12:47:30.534183523 +0200
+@@ -1657,6 +1657,11 @@ EXTERN int *eval_lavars_used INIT(= NULL
+ EXTERN int ctrl_break_was_pressed INIT(= FALSE);
+ #endif
+ 
++#ifdef FEAT_SPELL
++EXTERN char e_illegal_character_in_word[]
++	INIT(= N_("E1280: Illegal character in word"));
++#endif
++
+ /*
+  * Optional Farsi support.  Include it here, so EXTERN and INIT are defined.
+  */
+diff -up vim80/src/mbyte.c.cve1621 vim80/src/mbyte.c
+--- vim80/src/mbyte.c.cve1621	2018-04-09 14:55:56.000000000 +0200
++++ vim80/src/mbyte.c	2022-05-24 12:22:13.166893098 +0200
+@@ -4034,7 +4034,7 @@ theend:
+     convert_setup(&vimconv, NULL, NULL);
+ }
+ 
+-#if defined(FEAT_GUI_GTK) || defined(PROTO)
++#if defined(FEAT_GUI_GTK) || defined(FEAT_SPELL) || defined(PROTO)
+ /*
+  * Return TRUE if string "s" is a valid utf-8 string.
+  * When "end" is NULL stop at the first NUL.
+diff -up vim80/src/spellfile.c.cve1621 vim80/src/spellfile.c
+--- vim80/src/spellfile.c.cve1621	2022-05-24 12:22:13.167893104 +0200
++++ vim80/src/spellfile.c	2022-05-24 12:49:55.816919350 +0200
+@@ -4441,6 +4441,10 @@ store_word(
+     int		res = OK;
+     char_u	*p;
+ 
++    // Avoid adding illegal bytes to the word tree.
++    if (enc_utf8 && !utf_valid_string(word, NULL))
++	return FAIL;
++
+     (void)spell_casefold(word, len, foldword, MAXWLEN);
+     for (p = pfxlist; res == OK; ++p)
+     {
+@@ -6251,6 +6255,12 @@ spell_add_word(
+     int		i;
+     char_u	*spf;
+ 
++    if (enc_utf8 && !utf_valid_string(word, NULL))
++    {
++	emsg(_(e_illegal_character_in_word));
++	return;
++    }
++
+     if (idx == 0)	    /* use internal wordlist */
+     {
+ 	if (int_wordlist == NULL)
diff --git a/SOURCES/0001-patch-8.2.4925-trailing-backslash-may-cause-reading-.patch b/SOURCES/0001-patch-8.2.4925-trailing-backslash-may-cause-reading-.patch
new file mode 100644
index 0000000..6ce497f
--- /dev/null
+++ b/SOURCES/0001-patch-8.2.4925-trailing-backslash-may-cause-reading-.patch
@@ -0,0 +1,15 @@
+diff -up vim80/src/search.c.cve1629 vim80/src/search.c
+--- vim80/src/search.c.cve1629	2022-05-24 13:55:06.789859865 +0200
++++ vim80/src/search.c	2022-05-24 13:56:31.889218958 +0200
+@@ -4349,7 +4349,11 @@ find_next_quote(
+ 	if (c == NUL)
+ 	    return -1;
+ 	else if (escape != NULL && vim_strchr(escape, c))
++	{
+ 	    ++col;
++	    if (line[col] == NUL)
++		return -1;
++	}
+ 	else if (c == quotechar)
+ 	    break;
+ #ifdef FEAT_MBYTE
diff --git a/SPECS/vim.spec b/SPECS/vim.spec
index 46788e0..4c78012 100644
--- a/SPECS/vim.spec
+++ b/SPECS/vim.spec
@@ -24,7 +24,7 @@ Summary: The VIM editor
 URL:     http://www.vim.org/
 Name: vim
 Version: %{baseversion}.%{patchlevel}
-Release: 16%{?dist}.13
+Release: 19%{?dist}.2
 License: Vim and MIT
 Source0: ftp://ftp.vim.org/pub/vim/unix/vim-%{baseversion}-%{patchlevel}.tar.bz2
 Source1: vim.sh
@@ -75,9 +75,9 @@ Patch3019: 0001-patch-8.1.1365-source-command-doesn-t-check-for-the-.patch
 Patch3020: vim-crypto-warning.patch
 # 1842755 - CVE-2019-20807
 Patch3021: 0001-patch-8.1.0881-can-execute-shell-commands-in-rvim-th.patch
-# 2004974 - CVE-2021-3796 vim: use-after-free in nv_replace() in normal.c [rhel-8.5.0]
+# 2004975 - CVE-2021-3796 vim: use-after-free in nv_replace() in normal.c [rhel-8.6.0]
 Patch3022: vim-cve3796.patch
-# 2004891 - CVE-2021-3778 vim: heap-based buffer overflow in utf_ptr2char() in mbyte.c [rhel-8.5.0]
+# 2004892 - CVE-2021-3778 vim: heap-based buffer overflow in utf_ptr2char() in mbyte.c [rhel-8.6.0]
 Patch3023: vim-cve3778-fix.patch
 Patch3024: 0001-patch-8.2.3487-illegal-memory-access-if-buffer-name-.patch
 # 2028341 - CVE-2021-3984 vim: illegal memory access when C-indenting could lead to Heap Buffer Overflow [rhel-8.6.0]
@@ -102,6 +102,10 @@ Patch3033: 0001-patch-8.2.4253-using-freed-memory-when-substitute-wi.patch
 Patch3034: 0001-patch-8.2.4215-illegal-memory-access-when-copying-li.patch
 # CVE-2022-1154 vim: use after free in utf_ptr2char
 Patch3035: 0001-patch-8.2.4646-using-buffer-line-after-it-has-been-f.patch
+# CVE-2022-1621 vim: heap buffer overflow
+Patch3036: 0001-patch-8.2.4919-can-add-invalid-bytes-with-spellgood.patch
+# CVE-2022-1629 vim: buffer over-read
+Patch3037: 0001-patch-8.2.4925-trailing-backslash-may-cause-reading-.patch
 
 # gcc is no longer in buildroot by default
 BuildRequires: gcc
@@ -314,6 +318,8 @@ perl -pi -e "s,bin/nawk,bin/awk,g" runtime/tools/mve.awk
 %patch3033 -p1 -b .cve0413
 %patch3034 -p1 -b .cve0361
 %patch3035 -p1 -b .cve1154
+%patch3036 -p1 -b .cve1621
+%patch3037 -p1 -b .cve1629
 
 %build
 %if 0%{?rhel} > 7
@@ -832,57 +838,42 @@ touch %{buildroot}/%{_datadir}/%{name}/vimfiles/doc/tags
 %{_datadir}/icons/locolor/*/apps/*
 
 %changelog
-* Sat Apr 09 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.0.1763-16.13
+* Wed May 25 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.0.1763-19.2
+- CVE-2022-1621 vim: heap buffer overflow
+- CVE-2022-1629 vim: buffer over-read
+
+* Sat Apr 09 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.0.1763-19.1
 - CVE-2022-1154 vim: use after free in utf_ptr2char
 
-* Tue Feb 08 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.0.1763-16.12
+* Tue Feb 08 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.0.1763-19
 - CVE-2022-0361 vim: Heap-based Buffer Overflow in GitHub repository
 
-* Fri Feb 04 2022 Tomas Korbar <tkorbar@redhat.com> - 2:8.0.1763-16.11
-- CVE-2022-0413 vim: use after free in src/ex_cmds.c
-- Fix specfile problems
-- Resolves: rhbz#2048525
-
-* Thu Feb 03 2022 Tomas Korbar <tkorbar@redhat.com> - 2:8.0.1763-16.10
-- CVE-2022-0413 vim: use after free in src/ex_cmds.c
-- Resolves: rhbz#2048525
-
-* Wed Feb 02 2022 Tomas Korbar <tkorbar@redhat.com> - 2:8.0.1763-16.9
+* Mon Feb 07 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.0.1763-18
 - CVE-2022-0392 vim: heap-based buffer overflow in getexmodeline() in ex_getln.c
-- Improve fix
-- Resolves: rhbz#2049403
+- CVE-2022-0413 vim: use after free in src/ex_cmds.c
 
-* Wed Feb 02 2022 Tomas Korbar <tkorbar@redhat.com> - 2:8.0.1763-16.8
-- CVE-2022-0392 vim: heap-based buffer overflow in getexmodeline() in ex_getln.c
-- Resolves: rhbz#2049403
-
-* Thu Jan 27 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.0.1763-16.7
+* Thu Jan 27 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.0.1763-18
+- fix test suite after fix for CVE-2022-0318
 - CVE-2022-0359 vim: heap-based buffer overflow in init_ccline() in ex_getln.c
 
-* Thu Jan 27 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.0.1763-16.6
-- fix test suite after fix for CVE-2022-0318
-
-* Wed Jan 26 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.0.1763-16.5
+* Wed Jan 12 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.0.1763-18
 - CVE-2022-0261 vim: Heap-based Buffer Overflow in block_insert() in src/ops.c
 - CVE-2022-0318 vim: heap-based buffer overflow in utf_head_off() in mbyte.c
 
-* Wed Jan 12 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.0.1763-16.4
+* Wed Jan 12 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.0.1763-18
 - CVE-2021-4193 vim: vulnerable to Out-of-bounds Read
 - CVE-2021-4192 vim: vulnerable to Use After Free
 
-* Fri Dec 03 2021 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.0.1763-16.3
+* Fri Dec 03 2021 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.0.1763-18
 - 2028341 - CVE-2021-3984 vim: illegal memory access when C-indenting could lead to Heap Buffer Overflow [rhel-8.6.0]
 - 2028430 - CVE-2021-4019 vim: heap-based buffer overflow in find_help_tags() in src/help.c [rhel-8.6.0]
 
-* Tue Oct 26 2021 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.0.1763-16.2
-- remove the upstream test - uses a feature which is not presented in RHEL 8
+* Tue Oct 26 2021 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.0.1763-17
+- 2016201 - CVE-2021-3872 vim: heap-based buffer overflow in win_redr_status() drawscreen.c [rhel-8.6.0]
 
-* Tue Oct 26 2021 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.0.1763-16.1
-- CVE-2021-3872 vim: heap-based buffer overflow in win_redr_status() drawscreen.c [rhel-8.6.0]
-
-* Mon Sep 20 2021 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.0.1763-16
-- 2004974 - CVE-2021-3796 vim: use-after-free in nv_replace() in normal.c [rhel-8.5.0]
-- 2004891 - CVE-2021-3778 vim: heap-based buffer overflow in utf_ptr2char() in mbyte.c [rhel-8.5.0]
+* Thu Sep 23 2021 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.0.1763-16
+- 2004975 - CVE-2021-3796 vim: use-after-free in nv_replace() in normal.c [rhel-8.6.0]
+- 2004892 - CVE-2021-3778 vim: heap-based buffer overflow in utf_ptr2char() in mbyte.c [rhel-8.6.0]
 
 * Tue Jun 02 2020 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.0.1763-15
 - 1842755 - CVE-2019-20807