import vim-8.2.2637-13.el9

SOURCES/0001-patch-8.2.4120-block-insert-goes-over-the-end-of-the.patch

@@ -0,0 +1,94 @@
+diff --git a/src/ops.c b/src/ops.c
+index d8e96ff..88992b6 100644
+--- a/src/ops.c
++++ b/src/ops.c
+@@ -534,22 +534,27 @@ block_insert(
+ 	    if (b_insert)
+ 	    {
+ 		off = (*mb_head_off)(oldp, oldp + offset + spaces);
++		spaces -= off;
++		count -= off;
+ 	    }
+ 	    else
+ 	    {
+-		off = (*mb_off_next)(oldp, oldp + offset);
+-		offset += off;
++		// spaces fill the gap, the character that's at the edge moves
++		// right
++		off = (*mb_head_off)(oldp, oldp + offset);
++		offset -= off;
+ 	    }
+-	    spaces -= off;
+-	    count -= off;
+ 	}
+ 
+-	newp = alloc(STRLEN(oldp) + s_len + count + 1);
++	// Make sure the allocated size matches what is actually copied below.
++	newp = alloc(STRLEN(oldp) + spaces + s_len
++		    + (spaces > 0 && !bdp->is_short ? ts_val - spaces : 0)
++								  + count + 1);
+ 	if (newp == NULL)
+ 	    continue;
+ 
+ 	// copy up to shifted part
+-	mch_memmove(newp, oldp, (size_t)(offset));
++	mch_memmove(newp, oldp, (size_t)offset);
+ 	oldp += offset;
+ 
+ 	// insert pre-padding
+@@ -560,14 +565,21 @@ block_insert(
+ 	mch_memmove(newp + startcol, s, (size_t)s_len);
+ 	offset += s_len;
+ 
+-	if (spaces && !bdp->is_short)
++	if (spaces > 0 && !bdp->is_short)
+ 	{
+-	    // insert post-padding
+-	    vim_memset(newp + offset + spaces, ' ', (size_t)(ts_val - spaces));
+-	    // We're splitting a TAB, don't copy it.
+-	    oldp++;
+-	    // We allowed for that TAB, remember this now
+-	    count++;
++	    if (*oldp == TAB)
++	    {
++		// insert post-padding
++		vim_memset(newp + offset + spaces, ' ',
++						    (size_t)(ts_val - spaces));
++		// we're splitting a TAB, don't copy it
++		oldp++;
++		// We allowed for that TAB, remember this now
++		count++;
++	    }
++	    else
++		// Not a TAB, no extra spaces
++		count = spaces;
+ 	}
+ 
+ 	if (spaces > 0)
+@@ -1574,7 +1586,7 @@ op_insert(oparg_T *oap, long count1)
+ 		oap->start_vcol = t;
+ 	    }
+ 	    else if (oap->op_type == OP_APPEND
+-		      && oap->end.col + oap->end.coladd
++		      && oap->start.col + oap->start.coladd
+ 			>= curbuf->b_op_start_orig.col
+ 					      + curbuf->b_op_start_orig.coladd)
+ 	    {
+diff --git a/src/testdir/test_visual.vim b/src/testdir/test_visual.vim
+index 7c5f973..dc8e376 100644
+--- a/src/testdir/test_visual.vim
++++ b/src/testdir/test_visual.vim
+@@ -967,4 +967,13 @@ func Test_visual_put_in_block()
+   bwipe!
+ endfunc
+ 
++func Test_visual_block_append_invalid_char()
++  " this was going over the end of the line
++  new
++  call setline(1, ['	   let xxx', 'xxxxxˆ', 'xxxxxxxxxxx'])
++  exe "normal 0\<C-V>jjA-\<Esc>"
++  call assert_equal(['	-   let xxx', 'xxxxx   -ˆ', 'xxxxxxxx-xxx'], getline(1, 3))
++  bwipe!
++endfunc
++
+ " vim: shiftwidth=2 sts=2 expandtab

SOURCES/0001-patch-8.2.4151-reading-beyond-the-end-of-a-line.patch

@@ -0,0 +1,62 @@
+diff --git a/src/ops.c b/src/ops.c
+index 88992b6..80e0ea1 100644
+--- a/src/ops.c
++++ b/src/ops.c
+@@ -527,24 +527,8 @@ block_insert(
+ 	}
+ 
+ 	if (has_mbyte && spaces > 0)
+-	{
+-	    int off;
+-
+-	    // Avoid starting halfway a multi-byte character.
+-	    if (b_insert)
+-	    {
+-		off = (*mb_head_off)(oldp, oldp + offset + spaces);
+-		spaces -= off;
+-		count -= off;
+-	    }
+-	    else
+-	    {
+-		// spaces fill the gap, the character that's at the edge moves
+-		// right
+-		off = (*mb_head_off)(oldp, oldp + offset);
+-		offset -= off;
+-	    }
+-	}
++	    // avoid copying part of a multi-byte character
++	    offset -= (*mb_head_off)(oldp, oldp + offset);
+ 
+ 	// Make sure the allocated size matches what is actually copied below.
+ 	newp = alloc(STRLEN(oldp) + spaces + s_len
+diff --git a/src/testdir/test_utf8.vim b/src/testdir/test_utf8.vim
+index 5454e43..bedec20 100644
+--- a/src/testdir/test_utf8.vim
++++ b/src/testdir/test_utf8.vim
+@@ -7,7 +7,7 @@ func Test_visual_block_insert()
+   new
+   call setline(1, ["aaa", "あああ", "bbb"])
+   exe ":norm! gg0l\<C-V>jjIx\<Esc>"
+-  call assert_equal(['axaa', 'xあああ', 'bxbb'], getline(1, '$'))
++  call assert_equal(['axaa', ' xあああ', 'bxbb'], getline(1, '$'))
+   bwipeout!
+ endfunc
+ 
+diff --git a/src/testdir/test_visual.vim b/src/testdir/test_visual.vim
+index dc8e376..8de9e3d 100644
+--- a/src/testdir/test_visual.vim
++++ b/src/testdir/test_visual.vim
+@@ -976,4 +976,13 @@ func Test_visual_block_append_invalid_char()
+   bwipe!
+ endfunc
+ 
++func Test_visual_block_insert_round_off()
++  new
++  " The number of characters are tuned to fill a 4096 byte allocated block,
++  " so that valgrind reports going over the end.
++  call setline(1, ['xxxxx', repeat('0', 1350), "\t", repeat('x', 60)])
++  exe "normal gg0\<C-V>GI" .. repeat('0', 1320) .. "\<Esc>"
++  bwipe!
++endfunc
++
+ " vim: shiftwidth=2 sts=2 expandtab

SOURCES/0001-patch-8.2.4154-ml_get-error-when-exchanging-windows-.patch

@@ -0,0 +1,43 @@
+diff -up vim82/src/testdir/test_visual.vim.cve0319 vim82/src/testdir/test_visual.vim
+--- vim82/src/testdir/test_visual.vim.cve0319	2022-02-08 13:24:54.170813231 +0100
++++ vim82/src/testdir/test_visual.vim	2022-02-08 13:26:21.313747976 +0100
+@@ -985,4 +985,15 @@ func Test_visual_block_insert_round_off(
+   bwipe!
+ endfunc
+ 
++" this was causing an ml_get error
++func Test_visual_exchange_windows()
++  enew!
++  new
++  call setline(1, ['foo', 'bar'])
++  exe "normal G\<C-V>gg\<C-W>\<C-X>OO\<Esc>"
++  bwipe!
++  bwipe!
++endfunc
++
++
+ " vim: shiftwidth=2 sts=2 expandtab
+diff -up vim82/src/window.c.cve0319 vim82/src/window.c
+--- vim82/src/window.c.cve0319	2022-02-08 13:24:54.137813879 +0100
++++ vim82/src/window.c	2022-02-08 13:24:54.171813211 +0100
+@@ -1697,6 +1697,11 @@ win_exchange(long Prenum)
+ 
+     (void)win_comp_pos();		// recompute window positions
+ 
++    if (wp->w_buffer != curbuf)
++	reset_VIsual_and_resel();
++    else if (VIsual_active)
++	wp->w_cursor = curwin->w_cursor;
++
+     win_enter(wp, TRUE);
+     redraw_all_later(NOT_VALID);
+ }
+@@ -5261,7 +5266,7 @@ frame_remove(frame_T *frp)
+ win_alloc_lines(win_T *wp)
+ {
+     wp->w_lines_valid = 0;
+-    wp->w_lines = ALLOC_CLEAR_MULT(wline_T, Rows );
++    wp->w_lines = ALLOC_CLEAR_MULT(wline_T, Rows);
+     if (wp->w_lines == NULL)
+ 	return FAIL;
+     return OK;

SOURCES/0001-patch-8.2.4214-illegal-memory-access-with-large-tabs.patch

@@ -0,0 +1,49 @@
+From 85b6747abc15a7a81086db31289cf1b8b17e6cb1 Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Tue, 25 Jan 2022 11:55:02 +0000
+Subject: [PATCH] patch 8.2.4214: illegal memory access with large 'tabstop' in
+ Ex mode
+
+Problem:    Illegal memory access with large 'tabstop' in Ex mode.
+Solution:   Allocate enough memory.
+---
+ src/ex_getln.c               |  2 +-
+ src/testdir/test_ex_mode.vim | 10 ++++++++++
+ src/version.c                |  2 ++
+ 3 files changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/src/ex_getln.c b/src/ex_getln.c
+index 5dc43d845..097b97eeb 100644
+--- a/src/ex_getln.c
++++ b/src/ex_getln.c
+@@ -1513,7 +1513,7 @@ init_ccline(int firstc, int indent)
+     ccline.cmdindent = (firstc > 0 ? indent : 0);
+ 
+     // alloc initial ccline.cmdbuff
+-    alloc_cmdbuff(exmode_active ? 250 : indent + 1);
++    alloc_cmdbuff(indent + 50);
+     if (ccline.cmdbuff == NULL)
+ 	return FAIL;
+     ccline.cmdlen = ccline.cmdpos = 0;
+diff --git a/src/testdir/test_ex_mode.vim b/src/testdir/test_ex_mode.vim
+index 7031115fc..2642a16d2 100644
+--- a/src/testdir/test_ex_mode.vim
++++ b/src/testdir/test_ex_mode.vim
+@@ -241,4 +241,14 @@ func Test_ex_mode_count_overflow()
+   call delete('Xexmodescript')
+ endfunc
+ 
++func Test_ex_mode_large_indent()
++  new
++  set ts=500 ai
++  call setline(1, "\t")
++  exe "normal gQi\<CR>."
++  set ts=8 noai
++  bwipe!
++endfunc
++
++
+ " vim: shiftwidth=2 sts=2 expandtab
+-- 
+2.34.1
+

SOURCES/0001-patch-8.2.4215-illegal-memory-access-when-copying-li.patch

@@ -0,0 +1,51 @@
+From dc5490e2cbc8c16022a23b449b48c1bd0083f366 Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Tue, 25 Jan 2022 13:52:53 +0000
+Subject: [PATCH] patch 8.2.4215: illegal memory access when copying lines in
+ Visual mode
+
+Problem:    Illegal memory access when copying lines in Visual mode.
+Solution:   Adjust the Visual position after copying lines.
+---
+ src/ex_cmds.c               |  2 ++
+ src/testdir/test_visual.vim | 11 +++++++++++
+ src/version.c               |  2 ++
+ 3 files changed, 15 insertions(+)
+
+diff --git a/src/ex_cmds.c b/src/ex_cmds.c
+index 95209985e..f5d93e664 100644
+--- a/src/ex_cmds.c
++++ b/src/ex_cmds.c
+@@ -866,6 +866,8 @@ ex_copy(linenr_T line1, linenr_T line2, linenr_T n)
+     }
+ 
+     appended_lines_mark(n, count);
++    if (VIsual_active)
++	check_pos(curbuf, &VIsual);
+ 
+     msgmore((long)count);
+ }
+diff --git a/src/testdir/test_visual.vim b/src/testdir/test_visual.vim
+index 72f5388b9..9b322fd21 100644
+--- a/src/testdir/test_visual.vim
++++ b/src/testdir/test_visual.vim
+@@ -1328,5 +1328,16 @@ func Test_visual_exchange_windows()
+   bwipe!
+ endfunc
+ 
++" this was leaving the end of the Visual area beyond the end of a line
++func Test_visual_ex_copy_line()
++  new
++  call setline(1, ["aaa", "bbbbbbbbbxbb"])
++  /x
++  exe "normal ggvjfxO"
++  t0
++  normal gNU
++  bwipe!
++endfunc
++
+ 
+ " vim: shiftwidth=2 sts=2 expandtab
+-- 
+2.34.1
+

SOURCES/0001-patch-8.2.4217-illegal-memory-access-when-undo-makes.patch

@@ -0,0 +1,55 @@
+From 8d02ce1ed75d008c34a5c9aaa51b67cbb9d33baa Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Tue, 25 Jan 2022 18:24:00 +0000
+Subject: [PATCH] patch 8.2.4217: illegal memory access when undo makes Visual
+ area invalid
+
+Problem:    Illegal memory access when undo makes Visual area invalid.
+Solution:   Correct the Visual area after undo.
+---
+ src/testdir/test_visual.vim | 15 +++++++++++++++
+ src/undo.c                  |  2 ++
+ src/version.c               |  2 ++
+ 3 files changed, 19 insertions(+)
+
+diff --git a/src/testdir/test_visual.vim b/src/testdir/test_visual.vim
+index 9b322fd21..b2beda08d 100644
+--- a/src/testdir/test_visual.vim
++++ b/src/testdir/test_visual.vim
+@@ -1339,5 +1339,20 @@ func Test_visual_ex_copy_line()
+   bwipe!
+ endfunc
+ 
++" This was leaving the end of the Visual area beyond the end of a line.
++" Set 'undolevels' to start a new undo block.
++func Test_visual_undo_deletes_last_line()
++  new
++  call setline(1, ["aaa", "ccc", "dyd"])
++  set undolevels=100
++  exe "normal obbbbbbbbbxbb\<Esc>"
++  set undolevels=100
++  /y
++  exe "normal ggvjfxO"
++  undo
++  normal gNU
++  bwipe!
++endfunc
++
+ 
+ " vim: shiftwidth=2 sts=2 expandtab
+diff --git a/src/undo.c b/src/undo.c
+index 4d186d453..636144aef 100644
+--- a/src/undo.c
++++ b/src/undo.c
+@@ -3029,6 +3029,8 @@ u_undo_end(
+ 	}
+     }
+ #endif
++    if (VIsual_active)
++	check_pos(curbuf, &VIsual);
+ 
+     smsg_attr_keep(0, _("%ld %s; %s #%ld  %s"),
+ 	    u_oldcount < 0 ? -u_oldcount : u_oldcount,
+-- 
+2.34.1
+

SOURCES/0001-patch-8.2.4218-illegal-memory-access-with-bracketed-.patch

@@ -0,0 +1,45 @@
+From 806d037671e133bd28a7864248763f643967973a Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Tue, 25 Jan 2022 20:45:16 +0000
+Subject: [PATCH] patch 8.2.4218: illegal memory access with bracketed paste in
+ Ex mode
+
+Problem:    Illegal memory access with bracketed paste in Ex mode.
+Solution:   Reserve space for the trailing NUL.
+---
+ src/edit.c                 | 3 ++-
+ src/testdir/test_paste.vim | 3 +++
+ src/version.c              | 2 ++
+ 3 files changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/src/edit.c b/src/edit.c
+index ee3caf0da..2b5301100 100644
+--- a/src/edit.c
++++ b/src/edit.c
+@@ -4452,7 +4452,8 @@ bracketed_paste(paste_mode_T mode, int drop, garray_T *gap)
+ 		    break;
+ 
+ 		case PASTE_EX:
+-		    if (gap != NULL && ga_grow(gap, idx) == OK)
++		    // add one for the NUL that is going to be appended
++		    if (gap != NULL && ga_grow(gap, idx + 1) == OK)
+ 		    {
+ 			mch_memmove((char *)gap->ga_data + gap->ga_len,
+ 							     buf, (size_t)idx);
+diff --git a/src/testdir/test_paste.vim b/src/testdir/test_paste.vim
+index c94fe7c35..5b8d8a0e3 100644
+--- a/src/testdir/test_paste.vim
++++ b/src/testdir/test_paste.vim
+@@ -90,6 +90,9 @@ func Test_paste_ex_mode()
+   unlet! foo
+   call feedkeys("Qlet foo=\"\<Esc>[200~foo\<CR>bar\<Esc>[201~\"\<CR>vi\<CR>", 'xt')
+   call assert_equal("foo\rbar", foo)
++
++  " pasting more than 40 bytes
++  exe "norm Q\<PasteStart>0000000000000000000000000000000000000000000000000000000000000000000000\<C-C>"
+ endfunc
+ 
+ func Test_paste_onechar()
+-- 
+2.34.1
+

SOURCES/0001-patch-8.2.4245-retab-0-may-cause-illegal-memory-acce.patch

@@ -0,0 +1,95 @@
+diff -up vim82/src/indent.c.cve0417 vim82/src/indent.c
+--- vim82/src/indent.c.cve0417	2022-02-09 10:01:34.250009316 +0100
++++ vim82/src/indent.c	2022-02-09 10:02:54.802588536 +0100
+@@ -71,7 +71,7 @@ tabstop_set(char_u *var, int **array)
+ 	int n = atoi((char *)cp);
+ 
+ 	// Catch negative values, overflow and ridiculous big values.
+-	if (n < 0 || n > 9999)
++	if (n < 0 || n > TABSTOP_MAX)
+ 	{
+ 	    semsg(_(e_invarg2), cp);
+ 	    vim_free(*array);
+@@ -1595,7 +1595,7 @@ ex_retab(exarg_T *eap)
+ 	emsg(_(e_positive));
+ 	return;
+     }
+-    if (new_ts < 0 || new_ts > 9999)
++    if (new_ts < 0 || new_ts > TABSTOP_MAX)
+     {
+ 	semsg(_(e_invarg2), eap->arg);
+ 	return;
+diff -up vim82/src/option.c.cve0417 vim82/src/option.c
+--- vim82/src/option.c.cve0417	2022-02-09 10:01:34.196009598 +0100
++++ vim82/src/option.c	2022-02-09 10:28:10.398548161 +0100
+@@ -3640,6 +3640,11 @@ set_num_option(
+ 	errmsg = e_positive;
+ 	curbuf->b_p_ts = 8;
+     }
++    else if (curbuf->b_p_ts > TABSTOP_MAX)
++    {
++	errmsg = e_invarg;
++	curbuf->b_p_ts = 8;
++    }
+     if (p_tm < 0)
+     {
+ 	errmsg = e_positive;
+@@ -5830,7 +5835,7 @@ buf_copy_options(buf_T *buf, int flags)
+ 	    if (p_vsts && p_vsts != empty_option)
+ 		(void)tabstop_set(p_vsts, &buf->b_p_vsts_array);
+ 	    else
+-		buf->b_p_vsts_array = 0;
++		buf->b_p_vsts_array = NULL;
+ 	    buf->b_p_vsts_nopaste = p_vsts_nopaste
+ 				 ? vim_strsave(p_vsts_nopaste) : NULL;
+ #endif
+@@ -6649,9 +6654,7 @@ paste_option_changed(void)
+ 	    if (buf->b_p_vsts)
+ 		free_string_option(buf->b_p_vsts);
+ 	    buf->b_p_vsts = empty_option;
+-	    if (buf->b_p_vsts_array)
+-		vim_free(buf->b_p_vsts_array);
+-	    buf->b_p_vsts_array = 0;
++	    VIM_CLEAR(buf->b_p_vsts_array);
+ #endif
+ 	}
+ 
+@@ -6697,12 +6700,11 @@ paste_option_changed(void)
+ 		free_string_option(buf->b_p_vsts);
+ 	    buf->b_p_vsts = buf->b_p_vsts_nopaste
+ 			 ? vim_strsave(buf->b_p_vsts_nopaste) : empty_option;
+-	    if (buf->b_p_vsts_array)
+-		vim_free(buf->b_p_vsts_array);
++	    vim_free(buf->b_p_vsts_array);
+ 	    if (buf->b_p_vsts && buf->b_p_vsts != empty_option)
+ 		(void)tabstop_set(buf->b_p_vsts, &buf->b_p_vsts_array);
+ 	    else
+-		buf->b_p_vsts_array = 0;
++		buf->b_p_vsts_array = NULL;
+ #endif
+ 	}
+ 
+diff -up vim82/src/testdir/test_options.vim.cve0417 vim82/src/testdir/test_options.vim
+--- vim82/src/testdir/test_options.vim.cve0417	2021-03-22 10:02:42.000000000 +0100
++++ vim82/src/testdir/test_options.vim	2022-02-09 10:01:34.251009311 +0100
+@@ -362,6 +362,8 @@ func Test_set_errors()
+   call assert_fails('set shiftwidth=-1', 'E487:')
+   call assert_fails('set sidescroll=-1', 'E487:')
+   call assert_fails('set tabstop=-1', 'E487:')
++  call assert_fails('set tabstop=10000', 'E474:')
++  call assert_fails('set tabstop=5500000000', 'E474:')
+   call assert_fails('set textwidth=-1', 'E487:')
+   call assert_fails('set timeoutlen=-1', 'E487:')
+   call assert_fails('set updatecount=-1', 'E487:')
+diff -up vim82/src/vim.h.cve0417 vim82/src/vim.h
+--- vim82/src/vim.h.cve0417	2021-03-22 10:02:42.000000000 +0100
++++ vim82/src/vim.h	2022-02-09 10:01:34.252009306 +0100
+@@ -2032,6 +2032,8 @@ typedef int sock_T;
+ 
+ #define DICT_MAXNEST 100	// maximum nesting of lists and dicts
+ 
++#define TABSTOP_MAX 9999
++
+ #ifdef FEAT_CLIPBOARD
+ 
+ // VIM_ATOM_NAME is the older Vim-specific selection type for X11.  Still

SOURCES/0001-patch-8.2.4247-stack-corruption-when-looking-for-spe.patch

@@ -0,0 +1,75 @@
+diff --git a/src/spellsuggest.c b/src/spellsuggest.c
+index 3de9ff2..5462583 100644
+--- a/src/spellsuggest.c
++++ b/src/spellsuggest.c
+@@ -1200,7 +1200,7 @@ suggest_try_change(suginfo_T *su)
+ 
+ // Check the maximum score, if we go over it we won't try this change.
+ #define TRY_DEEPER(su, stack, depth, add) \
+-		(stack[depth].ts_score + (add) < su->su_maxscore)
++       (depth < MAXWLEN - 1 && stack[depth].ts_score + (add) < su->su_maxscore)
+ 
+ /*
+  * Try finding suggestions by adding/removing/swapping letters.
+@@ -1272,6 +1272,9 @@ suggest_trie_walk(
+     char_u	changename[MAXWLEN][80];
+ #endif
+     int		breakcheckcount = 1000;
++#ifdef FEAT_RELTIME
++    proftime_T	time_limit;
++#endif
+     int		compound_ok;
+ 
+     // Go through the whole case-fold tree, try changes at each node.
+@@ -1316,6 +1319,11 @@ suggest_trie_walk(
+ 	    sp->ts_state = STATE_START;
+ 	}
+     }
++#ifdef FEAT_RELTIME
++    // The loop may take an indefinite amount of time. Break out after five
++    // sectonds. TODO: add an option for the time limit.
++    profile_setlimit(5000, &time_limit);
++#endif
+ 
+     // Loop to find all suggestions.  At each round we either:
+     // - For the current state try one operation, advance "ts_curi",
+@@ -1350,7 +1358,8 @@ suggest_trie_walk(
+ 
+ 		// At end of a prefix or at start of prefixtree: check for
+ 		// following word.
+-		if (byts[arridx] == 0 || n == (int)STATE_NOPREFIX)
++		if (depth < MAXWLEN - 1
++			    && (byts[arridx] == 0 || n == (int)STATE_NOPREFIX))
+ 		{
+ 		    // Set su->su_badflags to the caps type at this position.
+ 		    // Use the caps type until here for the prefix itself.
+@@ -2644,6 +2653,10 @@ suggest_trie_walk(
+ 	    {
+ 		ui_breakcheck();
+ 		breakcheckcount = 1000;
++#ifdef FEAT_RELTIME
++		if (profile_passed_limit(&time_limit))
++		    got_int = TRUE;
++#endif
+ 	    }
+ 	}
+     }
+diff --git a/src/testdir/test_spell.vim b/src/testdir/test_spell.vim
+index a3a9621..35035a2 100644
+--- a/src/testdir/test_spell.vim
++++ b/src/testdir/test_spell.vim
+@@ -768,6 +768,14 @@ func Test_spell_long_word()
+   set nospell
+ endfunc
+ 
++func Test_spellsuggest_too_deep()
++  " This was incrementing "depth" over MAXWLEN.
++  new
++  norm s000G00ý000000000000
++  sil norm ..vzG................vvzG0     v z=
++  bwipe!
++endfunc
++
+ func LoadAffAndDic(aff_contents, dic_contents)
+   set enc=latin1
+   set spellfile=

SOURCES/0001-patch-8.2.4253-using-freed-memory-when-substitute-wi.patch

@@ -0,0 +1,69 @@
+diff -up vim82/src/ex_cmds.c.cve0413 vim82/src/ex_cmds.c
+--- vim82/src/ex_cmds.c.cve0413	2022-02-10 08:09:27.644493218 +0100
++++ vim82/src/ex_cmds.c	2022-02-10 08:09:27.653493168 +0100
+@@ -3627,6 +3627,7 @@ ex_substitute(exarg_T *eap)
+     int		save_do_all;		// remember user specified 'g' flag
+     int		save_do_ask;		// remember user specified 'c' flag
+     char_u	*pat = NULL, *sub = NULL;	// init for GCC
++    char_u	*sub_copy = NULL;
+     int		delimiter;
+     int		sublen;
+     int		got_quit = FALSE;
+@@ -3928,11 +3929,20 @@ ex_substitute(exarg_T *eap)
+     sub_firstline = NULL;
+ 
+     /*
+-     * ~ in the substitute pattern is replaced with the old pattern.
+-     * We do it here once to avoid it to be replaced over and over again.
+-     * But don't do it when it starts with "\=", then it's an expression.
++     * If the substitute pattern starts with "\=" then it's an expression.
++     * Make a copy, a recursive function may free it.
++     * Otherwise, '~' in the substitute pattern is replaced with the old
++     * pattern.  We do it here once to avoid it to be replaced over and over
++     * again.
+      */
+-    if (!(sub[0] == '\\' && sub[1] == '='))
++    if (sub[0] == '\\' && sub[1] == '=')
++    {
++	sub = vim_strsave(sub);
++	if (sub == NULL)
++	    return;
++	sub_copy = sub;
++    }
++    else
+ 	sub = regtilde(sub, magic_isset());
+ 
+     /*
+@@ -4737,6 +4747,7 @@ outofmem:
+ #endif
+ 
+     vim_regfree(regmatch.regprog);
++    vim_free(sub_copy);
+ 
+     // Restore the flag values, they can be used for ":&&".
+     subflags.do_all = save_do_all;
+diff -up vim82/src/testdir/test_substitute.vim.cve0413 vim82/src/testdir/test_substitute.vim
+--- vim82/src/testdir/test_substitute.vim.cve0413	2022-02-10 08:09:27.654493162 +0100
++++ vim82/src/testdir/test_substitute.vim	2022-02-10 08:10:14.392230843 +0100
+@@ -926,4 +926,21 @@ func Test_substitute_multiline_submatch(
+   close!
+ endfunc
+ 
++" This was using "old_sub" after it was freed.
++func Test_using_old_sub()
++  set compatible maxfuncdepth=10
++  new
++  call setline(1, 'some text.')
++  func Repl()
++    ~
++    s/
++  endfunc
++  silent!  s/\%')/\=Repl()
++
++  delfunc Repl
++  bwipe!
++  set nocompatible
++endfunc
++
++
+ " vim: shiftwidth=2 sts=2 expandtab

SOURCES/0001-patch-8.2.4281-using-freed-memory-with-lopen-and-bwi.patch

@@ -0,0 +1,75 @@
+diff -up vim82/src/buffer.c.cve0443 vim82/src/buffer.c
+--- vim82/src/buffer.c.cve0443	2021-03-22 10:02:42.000000000 +0100
++++ vim82/src/buffer.c	2022-02-10 08:33:19.159488384 +0100
+@@ -1710,6 +1710,7 @@ set_curbuf(buf_T *buf, int action)
+ #endif
+     bufref_T	newbufref;
+     bufref_T	prevbufref;
++    int		valid;
+ 
+     setpcmark();
+     if ((cmdmod.cmod_flags & CMOD_KEEPALT) == 0)
+@@ -1763,13 +1764,19 @@ set_curbuf(buf_T *buf, int action)
+     // An autocommand may have deleted "buf", already entered it (e.g., when
+     // it did ":bunload") or aborted the script processing.
+     // If curwin->w_buffer is null, enter_buffer() will make it valid again
+-    if ((buf_valid(buf) && buf != curbuf
++    valid = buf_valid(buf);
++    if ((valid && buf != curbuf
+ #ifdef FEAT_EVAL
+ 		&& !aborting()
+ #endif
+ 	) || curwin->w_buffer == NULL)
+     {
+-	enter_buffer(buf);
++	// If the buffer is not valid but curwin->w_buffer is NULL we must
++	// enter some buffer.  Using the last one is hopefully OK.
++	if (!valid)
++	    enter_buffer(lastbuf);
++	else
++	    enter_buffer(buf);
+ #ifdef FEAT_SYN_HL
+ 	if (old_tw != curbuf->b_p_tw)
+ 	    check_colorcolumn(curwin);
+@@ -2286,8 +2293,7 @@ free_buf_options(
+     clear_string_option(&buf->b_p_vsts);
+     vim_free(buf->b_p_vsts_nopaste);
+     buf->b_p_vsts_nopaste = NULL;
+-    vim_free(buf->b_p_vsts_array);
+-    buf->b_p_vsts_array = NULL;
++    VIM_CLEAR(buf->b_p_vsts_array);
+     clear_string_option(&buf->b_p_vts);
+     VIM_CLEAR(buf->b_p_vts_array);
+ #endif
+diff -up vim82/src/testdir/test_quickfix.vim.cve0443 vim82/src/testdir/test_quickfix.vim
+--- vim82/src/testdir/test_quickfix.vim.cve0443	2021-03-22 10:02:42.000000000 +0100
++++ vim82/src/testdir/test_quickfix.vim	2022-02-10 08:34:10.288204457 +0100
+@@ -923,6 +923,7 @@ func Test_locationlist_curwin_was_closed
+   call assert_fails('lrewind', 'E924:')
+ 
+   augroup! testgroup
++  delfunc R
+ endfunc
+ 
+ func Test_locationlist_cross_tab_jump()
+@@ -5372,4 +5373,20 @@ func Test_vimgrep_noswapfile()
+   set swapfile
+ endfunc
+ 
++" Weird sequence of commands that caused entering a wiped-out buffer
++func Test_lopen_bwipe()
++  func R()
++    silent! tab lopen
++    e x
++    silent! lfile
++  endfunc
++
++  cal R()
++  cal R()
++  cal R()
++  bw!
++  delfunc R
++endfunc
++
++
+ " vim: shiftwidth=2 sts=2 expandtab

SOURCES/0001-patch-8.2.4359-crash-when-repeatedly-using-retab.patch

@@ -0,0 +1,61 @@
+diff --git a/src/errors.h b/src/errors.h
+index 3008020..3daf1a6 100644
+--- a/src/errors.h
++++ b/src/errors.h
+@@ -381,3 +381,5 @@ EXTERN char e_missing_end_block[]
+ 	INIT(= N_("E1171: Missing } after inline function"));
+ EXTERN char e_cannot_use_default_values_in_lambda[]
+ 	INIT(= N_("E1172: Cannot use default values in a lambda"));
++EXTERN char e_resulting_text_too_long[]
++	INIT(= N_("E1240: Resulting text too long"));
+diff --git a/src/indent.c b/src/indent.c
+index 4f909d0..77d8b0a 100644
+--- a/src/indent.c
++++ b/src/indent.c
+@@ -1696,6 +1696,11 @@ ex_retab(exarg_T *eap)
+ 	    if (ptr[col] == NUL)
+ 		break;
+ 	    vcol += chartabsize(ptr + col, (colnr_T)vcol);
++	    if (vcol >= MAXCOL)
++	    {
++		emsg(_(e_resulting_text_too_long));
++		break;
++	    }
+ 	    if (has_mbyte)
+ 		col += (*mb_ptr2len)(ptr + col);
+ 	    else
+diff --git a/src/testdir/test_retab.vim b/src/testdir/test_retab.vim
+index c7190aa..6133e8f 100644
+--- a/src/testdir/test_retab.vim
++++ b/src/testdir/test_retab.vim
+@@ -70,6 +70,8 @@ func Test_retab()
+   call assert_equal("    a       b        c    ",         Retab('!', 3))
+   call assert_equal("    a       b        c    ",         Retab('',  5))
+   call assert_equal("    a       b        c    ",         Retab('!', 5))
++
++  set tabstop& expandtab&
+ endfunc
+ 
+ func Test_retab_error()
+@@ -80,4 +82,21 @@ func Test_retab_error()
+   call assert_fails('ret 80000000000000000000', 'E475:')
+ endfunc
+ 
++func Test_retab_endless()
++  new
++  call setline(1, "\t0\t")
++  let caught = 'no'
++  try
++    while 1
++      set ts=4000
++      retab 4
++    endwhile
++  catch /E1240/
++    let caught = 'yes'
++  endtry
++  bwipe!
++  set tabstop&
++endfunc
++
++
+ " vim: shiftwidth=2 sts=2 expandtab

SPECS/vim.spec

@@ -27,7 +27,7 @@ Summary: The VIM editor
 URL:     http://www.vim.org/
 Name: vim
 Version: %{baseversion}.%{patchlevel}
-Release: 10%{?dist}
+Release: 13%{?dist}
 License: Vim and MIT
 Source0: ftp://ftp.vim.org/pub/vim/unix/vim-%{baseversion}-%{patchlevel}.tar.bz2
 Source1: virc
@@ -88,6 +88,30 @@ Patch3027: 0001-patch-8.2.3669-buffer-overflow-with-long-help-argume.patch
 Patch3028: 0001-patch-8.2.3950-going-beyond-the-end-of-the-line-with.patch
 # CVE-2021-4192 vim: vulnerable to Use After Free
 Patch3029: 0001-patch-8.2.3949-using-freed-memory-with-V.patch
+# CVE-2022-0261 vim: Heap-based Buffer Overflow in block_insert() in src/ops.c
+Patch3030: 0001-patch-8.2.4120-block-insert-goes-over-the-end-of-the.patch
+# CVE-2022-0318 vim: heap-based buffer overflow in utf_head_off() in mbyte.c
+Patch3031: 0001-patch-8.2.4151-reading-beyond-the-end-of-a-line.patch
+# CVE-2022-0359 vim: heap-based buffer overflow in init_ccline() in ex_getln.c
+Patch3032: 0001-patch-8.2.4214-illegal-memory-access-with-large-tabs.patch
+# CVE-2022-0319 vim: heap-based out-of-bounds read
+Patch3033: 0001-patch-8.2.4154-ml_get-error-when-exchanging-windows-.patch
+# CVE-2022-0361 vim: Heap-based Buffer Overflow in GitHub repository
+Patch3034: 0001-patch-8.2.4215-illegal-memory-access-when-copying-li.patch
+# CVE-2022-0368 vim: Out-of-bounds Read in vim
+Patch3035: 0001-patch-8.2.4217-illegal-memory-access-when-undo-makes.patch
+# CVE-2022-0417 vim: heap-based-buffer-overflow in ex_retab() of src/indent.c
+Patch3036: 0001-patch-8.2.4245-retab-0-may-cause-illegal-memory-acce.patch
+# CVE-2022-0408 vim: Stack-based Buffer Overflow in spellsuggest.c
+Patch3037: 0001-patch-8.2.4247-stack-corruption-when-looking-for-spe.patch
+# CVE-2022-0413 vim: use after free in src/ex_cmds.c
+Patch3038: 0001-patch-8.2.4253-using-freed-memory-when-substitute-wi.patch
+# CVE-2022-0443 vim: heap-use-after-free in enter_buffer() of src/buffer.c
+Patch3039: 0001-patch-8.2.4281-using-freed-memory-with-lopen-and-bwi.patch
+# CVE-2022-0392 vim: heap-based buffer overflow in getexmodeline() in ex_getln.c
+Patch3040: 0001-patch-8.2.4218-illegal-memory-access-with-bracketed-.patch
+# CVE-2022-0572 vim: heap overflow in ex_retab() may lead to crash
+Patch3041: 0001-patch-8.2.4359-crash-when-repeatedly-using-retab.patch
 
 # gcc is no longer in buildroot by default
 BuildRequires: gcc
@@ -304,6 +328,18 @@ perl -pi -e "s,bin/nawk,bin/awk,g" runtime/tools/mve.awk
 %patch3027 -p1 -b .cve4019
 %patch3028 -p1 -b .cve4193
 %patch3029 -p1 -b .cve4192
+%patch3030 -p1 -b .cve0261
+%patch3031 -p1 -b .cve0318
+%patch3032 -p1 -b .cve0359
+%patch3033 -p1 -b .cve0319
+%patch3034 -p1 -b .cve0361
+%patch3035 -p1 -b .cve0368
+%patch3036 -p1 -b .cve0417
+%patch3037 -p1 -b .cve0408
+%patch3038 -p1 -b .cve0413
+%patch3039 -p1 -b .cve0443
+%patch3040 -p1 -b .cve0392
+%patch3041 -p1 -b .cve0572
 
 %build
 cd src
@@ -861,6 +897,28 @@ touch %{buildroot}/%{_datadir}/%{name}/vimfiles/doc/tags
 %endif
 
 %changelog
+* Wed Feb 16 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.2.2637-13
+- CVE-2022-0572 vim: heap overflow in ex_retab() may lead to crash
+
+* Thu Feb 10 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.2.2637-12
+- CVE-2022-0413 vim: use after free in src/ex_cmds.c
+- CVE-2022-0443 vim: heap-use-after-free in enter_buffer() of src/buffer.c
+- CVE-2022-0392 vim: heap-based buffer overflow in getexmodeline() in ex_getln.c
+
+* Wed Feb 09 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.2.2637-12
+- CVE-2022-0368 vim: Out-of-bounds Read in vim
+- CVE-2022-0417 vim: heap-based-buffer-overflow in ex_retab() of src/indent.c
+- CVE-2022-0408 vim: Stack-based Buffer Overflow in spellsuggest.c
+
+* Tue Feb 08 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.2.2637-12
+- CVE-2022-0319 vim: heap-based out-of-bounds read
+- CVE-2022-0361 vim: Heap-based Buffer Overflow in GitHub repository
+
+* Thu Jan 27 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.2.2637-11
+- CVE-2022-0261 vim: Heap-based Buffer Overflow in block_insert() in src/ops.c
+- CVE-2022-0318 vim: heap-based buffer overflow in utf_head_off() in mbyte.c
+- CVE-2022-0359 vim: heap-based buffer overflow in init_ccline() in ex_getln.c
+
 * Thu Jan 13 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.2.2637-10
 - CVE-2021-4193 vim: vulnerable to Out-of-bounds Read
 - CVE-2021-4192 vim: vulnerable to Use After Free