import vim-8.2.2637-16.el9_0.2

SOURCES/0001-patch-8.2.4327-may-end-up-with-no-current-buffer.patch

@@ -0,0 +1,110 @@
+From e3537aec2f8d6470010547af28dcbd83d41461b8 Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Tue, 8 Feb 2022 15:05:20 +0000
+Subject: [PATCH] patch 8.2.4327: may end up with no current buffer
+
+Problem:    May end up with no current buffer.
+Solution:   When deleting the current buffer to not pick a quickfix buffer as
+            the new current buffer.
+---
+ src/buffer.c                  | 26 ++++++++++++++++++++++----
+ src/testdir/test_quickfix.vim | 25 +++++++++++++++++++++++++
+ src/version.c                 |  2 ++
+ 3 files changed, 49 insertions(+), 4 deletions(-)
+
+diff --git a/src/buffer.c b/src/buffer.c
+index 81bdb31ca..b3e2bc3f9 100644
+--- a/src/buffer.c
++++ b/src/buffer.c
+@@ -1430,8 +1430,14 @@ do_buffer_ext(
+ 		buf = buflist_findnr(curwin->w_jumplist[jumpidx].fmark.fnum);
+ 		if (buf != NULL)
+ 		{
+-		    if (buf == curbuf || !buf->b_p_bl)
+-			buf = NULL;	// skip current and unlisted bufs
++		    // Skip current and unlisted bufs.  Also skip a quickfix
++		    // buffer, it might be deleted soon.
++		    if (buf == curbuf || !buf->b_p_bl
++#if defined(FEAT_QUICKFIX)
++			    || bt_quickfix(buf)
++#endif
++			    )
++			buf = NULL;
+ 		    else if (buf->b_ml.ml_mfp == NULL)
+ 		    {
+ 			// skip unloaded buf, but may keep it for later
+@@ -1467,7 +1473,11 @@ do_buffer_ext(
+ 		    continue;
+ 		}
+ 		// in non-help buffer, try to skip help buffers, and vv
+-		if (buf->b_help == curbuf->b_help && buf->b_p_bl)
++		if (buf->b_help == curbuf->b_help && buf->b_p_bl
++#if defined(FEAT_QUICKFIX)
++			    && !bt_quickfix(buf)
++#endif
++			   )
+ 		{
+ 		    if (buf->b_ml.ml_mfp != NULL)   // found loaded buffer
+ 			break;
+@@ -1485,7 +1495,11 @@ do_buffer_ext(
+ 	if (buf == NULL)	// No loaded buffer, find listed one
+ 	{
+ 	    FOR_ALL_BUFFERS(buf)
+-		if (buf->b_p_bl && buf != curbuf)
++		if (buf->b_p_bl && buf != curbuf
++#if defined(FEAT_QUICKFIX)
++			    && !bt_quickfix(buf)
++#endif
++		       )
+ 		    break;
+ 	}
+ 	if (buf == NULL)	// Still no buffer, just take one
+@@ -1494,6 +1508,10 @@ do_buffer_ext(
+ 		buf = curbuf->b_next;
+ 	    else
+ 		buf = curbuf->b_prev;
++#if defined(FEAT_QUICKFIX)
++	    if (bt_quickfix(buf))
++		buf = NULL;
++#endif
+ 	}
+     }
+ 
+diff --git a/src/testdir/test_quickfix.vim b/src/testdir/test_quickfix.vim
+index 07fdb9644..adb0ea4fd 100644
+--- a/src/testdir/test_quickfix.vim
++++ b/src/testdir/test_quickfix.vim
+@@ -5851,5 +5851,30 @@ func Test_lopen_bwipe()
+   delfunc R
+ endfunc
+ 
++" Another sequence of commands that caused all buffers to be wiped out
++func Test_lopen_bwipe_all()
++  let lines =<< trim END
++    func R()
++      silent! tab lopen
++      e foo
++      silent! lfile
++    endfunc
++    cal R()
++    exe "norm \<C-W>\<C-V>0"
++    cal R()
++    bwipe
++
++    call writefile(['done'], 'Xresult')
++    qall!
++  END
++  call writefile(lines, 'Xscript')
++  if RunVim([], [], '-u NONE -n -X -Z -e -m -s -S Xscript')
++    call assert_equal(['done'], readfile('Xresult'))
++  endif
++
++  call delete('Xscript')
++  call delete('Xresult')
++endfunc
++
+ 
+ " vim: shiftwidth=2 sts=2 expandtab
+-- 
+2.35.1
+

SOURCES/0001-patch-8.2.4563-z-in-Visual-mode-may-go-beyond-the-en.patch

@@ -0,0 +1,39 @@
+diff -up vim82/src/spellsuggest.c.cve0943 vim82/src/spellsuggest.c
+--- vim82/src/spellsuggest.c.cve0943	2022-03-28 20:48:07.079197805 +0200
++++ vim82/src/spellsuggest.c	2022-03-28 20:48:07.101197522 +0200
+@@ -501,6 +501,10 @@ spell_suggest(int count)
+ 	    curwin->w_cursor.col = VIsual.col;
+ 	++badlen;
+ 	end_visual_mode();
++	// make sure we don't include the NUL at the end of the line
++	line = ml_get_curline();
++	if (badlen > STRLEN(line) - curwin->w_cursor.col)
++	    badlen = STRLEN(line) - curwin->w_cursor.col;
+     }
+     // Find the start of the badly spelled word.
+     else if (spell_move_to(curwin, FORWARD, TRUE, TRUE, NULL) == 0
+diff -up vim82/src/testdir/test_spell.vim.cve0943 vim82/src/testdir/test_spell.vim
+--- vim82/src/testdir/test_spell.vim.cve0943	2022-03-28 20:48:07.102197509 +0200
++++ vim82/src/testdir/test_spell.vim	2022-03-28 20:49:05.038452974 +0200
+@@ -441,6 +441,21 @@ func Test_spellsuggest_expr_errors()
+   delfunc MySuggest3
+ endfunc
+ 
++func Test_spellsuggest_visual_end_of_line()
++  let enc_save = &encoding
++  set encoding=iso8859
++
++  " This was reading beyond the end of the line.
++  norm R00000000000
++  sil norm 0
++  sil! norm i00000)
++  sil! norm i00000)
++  call feedkeys("\<CR>")
++  norm z=
++
++  let &encoding = enc_save
++endfunc
++
+ func Test_spellinfo()
+   new
+   let runtime = substitute($VIMRUNTIME, '\\', '/', 'g')

SOURCES/0001-patch-8.2.4646-using-buffer-line-after-it-has-been-f.patch

@@ -0,0 +1,44 @@
+diff -up vim82/src/regexp_bt.c.cve1154 vim82/src/regexp_bt.c
+--- vim82/src/regexp_bt.c.cve1154	2022-04-25 15:22:28.367621755 +0200
++++ vim82/src/regexp_bt.c	2022-04-25 15:25:13.726340728 +0200
+@@ -3188,8 +3188,17 @@ regmatch(
+ 		int	mark = OPERAND(scan)[0];
+ 		int	cmp = OPERAND(scan)[1];
+ 		pos_T	*pos;
++		size_t	col = REG_MULTI ? rex.input - rex.line : 0;
+ 
+ 		pos = getmark_buf(rex.reg_buf, mark, FALSE);
++
++		// Line may have been freed, get it again.
++		if (REG_MULTI)
++		{
++		    rex.line = reg_getline(rex.lnum);
++		    rex.input = rex.line + col;
++		}
++
+ 		if (pos == NULL		     // mark doesn't exist
+ 			|| pos->lnum <= 0    // mark isn't set in reg_buf
+ 			|| (pos->lnum == rex.lnum + rex.reg_firstlnum
+diff -up vim82/src/testdir/test_regexp_latin.vim.cve1154 vim82/src/testdir/test_regexp_latin.vim
+--- vim82/src/testdir/test_regexp_latin.vim.cve1154	2022-04-25 15:22:28.368621752 +0200
++++ vim82/src/testdir/test_regexp_latin.vim	2022-04-25 15:26:57.515227712 +0200
+@@ -954,4 +954,19 @@ func Test_using_visual_position()
+   bwipe!
+ endfunc
+ 
++func Test_using_mark_position()
++  " this was using freed memory
++  " new engine
++  new
++  norm O0
++  call assert_fails("s/\\%')", 'E486:')
++  bwipe!
++
++  " old engine
++  new
++  norm O0
++  call assert_fails("s/\\%#=1\\%')", 'E486:')
++  bwipe!
++endfunc
++
+ " vim: shiftwidth=2 sts=2 expandtab

SOURCES/0001-patch-8.2.4774-crash-when-using-a-number-for-lambda-.patch

@@ -0,0 +1,51 @@
+diff -up vim82/src/errors.h.cve1420 vim82/src/errors.h
+--- vim82/src/errors.h.cve1420	2022-04-25 16:01:03.559985019 +0200
++++ vim82/src/errors.h	2022-04-25 16:01:58.113332024 +0200
+@@ -383,3 +383,7 @@ EXTERN char e_cannot_use_default_values_
+ 	INIT(= N_("E1172: Cannot use default values in a lambda"));
+ EXTERN char e_resulting_text_too_long[]
+ 	INIT(= N_("E1240: Resulting text too long"));
++#ifdef FEAT_EVAL
++EXTERN char e_string_or_function_required_for_arrow_parens_expr[]
++	INIT(= N_("E1275: String or function required for ->(expr)"));
++#endif
+diff -up vim82/src/eval.c.cve1420 vim82/src/eval.c
+--- vim82/src/eval.c.cve1420	2022-04-25 16:01:03.560985007 +0200
++++ vim82/src/eval.c	2022-04-25 16:14:11.746600369 +0200
+@@ -3718,13 +3718,20 @@ eval_lambda(
+ 	if (**arg != ')')
+ 	{
+ 	    emsg(_(e_missing_close));
+-	    ret = FAIL;
++	    return FAIL;
++	}
++	if (rettv->v_type != VAR_STRING && rettv->v_type != VAR_FUNC
++					       && rettv->v_type != VAR_PARTIAL)
++	{
++	    emsg(_(e_string_or_function_required_for_arrow_parens_expr));
++	    return FAIL;
+ 	}
+ 	++*arg;
+     }
+     if (ret != OK)
+ 	return FAIL;
+-    else if (**arg != '(')
++
++    if (**arg != '(')
+     {
+ 	if (verbose)
+ 	{
+diff -up vim82/src/testdir/test_lambda.vim.cve1420 vim82/src/testdir/test_lambda.vim
+--- vim82/src/testdir/test_lambda.vim.cve1420	2022-04-25 16:01:03.560985007 +0200
++++ vim82/src/testdir/test_lambda.vim	2022-04-25 16:17:01.694886566 +0200
+@@ -64,6 +64,10 @@ function Test_lambda_fails()
+   call assert_fails('echo {a, a -> a + a}(1, 2)', 'E853:')
+   call assert_fails('echo {a, b -> a + b)}(1, 2)', 'E451:')
+   echo assert_fails('echo 10->{a -> a + 2}', 'E107:')
++  call assert_fails('eval 0->(3)()', "E1275:")
++  call assert_fails('eval 0->([3])()', "E1275:")
++  call assert_fails('eval 0->({"a": 3})()', "E1275:")
++  call assert_fails('eval 0->(xxx)()', "E121:")
+ endfunc
+ 
+ func Test_not_lamda()

SOURCES/0001-patch-8.2.4919-can-add-invalid-bytes-with-spellgood.patch

@@ -0,0 +1,50 @@
+diff -up vim82/src/errors.h.cve1621 vim82/src/errors.h
+--- vim82/src/errors.h.cve1621	2022-05-24 13:36:23.883370040 +0200
++++ vim82/src/errors.h	2022-05-24 13:36:47.665487703 +0200
+@@ -387,3 +387,7 @@ EXTERN char e_resulting_text_too_long[]
+ EXTERN char e_string_or_function_required_for_arrow_parens_expr[]
+ 	INIT(= N_("E1275: String or function required for ->(expr)"));
+ #endif
++#ifdef FEAT_SPELL
++EXTERN char e_illegal_character_in_word[]
++	INIT(= N_("E1280: Illegal character in word"));
++#endif
+diff -up vim82/src/mbyte.c.cve1621 vim82/src/mbyte.c
+--- vim82/src/mbyte.c.cve1621	2021-03-22 10:02:42.000000000 +0100
++++ vim82/src/mbyte.c	2022-05-24 13:36:23.884370045 +0200
+@@ -4181,7 +4181,7 @@ theend:
+     convert_setup(&vimconv, NULL, NULL);
+ }
+ 
+-#if defined(FEAT_GUI_GTK) || defined(PROTO)
++#if defined(FEAT_GUI_GTK) || defined(FEAT_SPELL) || defined(PROTO)
+ /*
+  * Return TRUE if string "s" is a valid utf-8 string.
+  * When "end" is NULL stop at the first NUL.
+diff -up vim82/src/spellfile.c.cve1621 vim82/src/spellfile.c
+--- vim82/src/spellfile.c.cve1621	2021-03-22 10:02:42.000000000 +0100
++++ vim82/src/spellfile.c	2022-05-24 13:36:23.885370049 +0200
+@@ -4391,6 +4391,10 @@ store_word(
+     int		res = OK;
+     char_u	*p;
+ 
++    // Avoid adding illegal bytes to the word tree.
++    if (enc_utf8 && !utf_valid_string(word, NULL))
++	return FAIL;
++
+     (void)spell_casefold(word, len, foldword, MAXWLEN);
+     for (p = pfxlist; res == OK; ++p)
+     {
+@@ -6191,6 +6195,12 @@ spell_add_word(
+     int		i;
+     char_u	*spf;
+ 
++    if (enc_utf8 && !utf_valid_string(word, NULL))
++    {
++	emsg(_(e_illegal_character_in_word));
++	return;
++    }
++
+     if (idx == 0)	    // use internal wordlist
+     {
+ 	if (int_wordlist == NULL)

SOURCES/0001-patch-8.2.4925-trailing-backslash-may-cause-reading-.patch

@@ -0,0 +1,33 @@
+From 53a70289c2712808e6d4e88927e03cac01b470dd Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Mon, 9 May 2022 13:15:07 +0100
+Subject: [PATCH] patch 8.2.4925: trailing backslash may cause reading past end
+ of line
+
+Problem:    Trailing backslash may cause reading past end of line.
+Solution:   Check for NUL after backslash.
+---
+ src/testdir/test_textobjects.vim | 10 +++++++++-
+ src/textobject.c                 |  4 ++++
+ src/version.c                    |  2 ++
+ 3 files changed, 15 insertions(+), 1 deletion(-)
+
+diff --git a/src/textobject.c b/src/textobject.c
+index e4a7db38e..edaa64c51 100644
+--- a/src/textobject.c
++++ b/src/textobject.c
+@@ -1664,7 +1664,11 @@ find_next_quote(
+ 	if (c == NUL)
+ 	    return -1;
+ 	else if (escape != NULL && vim_strchr(escape, c))
++	{
+ 	    ++col;
++	    if (line[col] == NUL)
++		return -1;
++	}
+ 	else if (c == quotechar)
+ 	    break;
+ 	if (has_mbyte)
+-- 
+2.36.1
+

SPECS/vim.spec

@@ -27,7 +27,7 @@ Summary: The VIM editor
 URL:     http://www.vim.org/
 Name: vim
 Version: %{baseversion}.%{patchlevel}
-Release: 15%{?dist}
+Release: 16%{?dist}.2
 License: Vim and MIT
 Source0: ftp://ftp.vim.org/pub/vim/unix/vim-%{baseversion}-%{patchlevel}.tar.bz2
 Source1: virc
@@ -116,6 +116,18 @@ Patch3041: 0001-patch-8.2.4359-crash-when-repeatedly-using-retab.patch
 Patch3042: 0001-patch-8.2.4397-crash-when-using-many-composing-chara.patch
 # CVE-2022-0714 vim: buffer overflow [rhel-9]
 Patch3043: 0001-patch-8.2.4436-crash-with-weird-vartabstop-value.patch
+# CVE-2022-0554 vim: Use of Out-of-range Pointer Offset in vim prior
+Patch3044: 0001-patch-8.2.4327-may-end-up-with-no-current-buffer.patch
+# CVE-2022-0943 vim: Heap-based Buffer Overflow occurs in vim
+Patch3045: 0001-patch-8.2.4563-z-in-Visual-mode-may-go-beyond-the-en.patch
+# CVE-2022-1154 vim: use after free in utf_ptr2char
+Patch3046: 0001-patch-8.2.4646-using-buffer-line-after-it-has-been-f.patch
+# CVE-2022-1420 vim: Out-of-range Pointer Offset
+Patch3047: 0001-patch-8.2.4774-crash-when-using-a-number-for-lambda-.patch
+# CVE-2022-1621 vim: heap buffer overflow
+Patch3048: 0001-patch-8.2.4919-can-add-invalid-bytes-with-spellgood.patch
+# CVE-2022-1629 vim: buffer over-read
+Patch3049: 0001-patch-8.2.4925-trailing-backslash-may-cause-reading-.patch
 
 # gcc is no longer in buildroot by default
 BuildRequires: gcc
@@ -346,6 +358,12 @@ perl -pi -e "s,bin/nawk,bin/awk,g" runtime/tools/mve.awk
 %patch3041 -p1 -b .cve0572
 %patch3042 -p1 -b .cve0629
 %patch3043 -p1 -b .cve0714
+%patch3044 -p1 -b .cve0554
+%patch3045 -p1 -b .cve0943
+%patch3046 -p1 -b .cve1154
+%patch3047 -p1 -b .cve1420
+%patch3048 -p1 -b .cve1621
+%patch3049 -p1 -b .cve1629
 
 %build
 cd src
@@ -903,6 +921,16 @@ touch %{buildroot}/%{_datadir}/%{name}/vimfiles/doc/tags
 %endif
 
 %changelog
+* Wed May 25 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.2.2637-16.2
+- CVE-2022-1621 vim: heap buffer overflow
+- CVE-2022-1629 vim: buffer over-read
+
+* Mon Apr 25 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.2.2637-16.1
+- CVE-2022-0554 vim: Use of Out-of-range Pointer Offset in vim prior
+- CVE-2022-0943 vim: Heap-based Buffer Overflow occurs in vim
+- CVE-2022-1154 vim: use after free in utf_ptr2char
+- CVE-2022-1420 vim: Out-of-range Pointer Offset
+
 * Thu Feb 24 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.2.2637-15
 - CVE-2022-0714 vim: buffer overflow [rhel-9]