From a5fef02e17601009cc2c8b9fc7a13d8ae61ebfe2 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Tue, 9 Aug 2022 05:34:24 -0400 Subject: [PATCH] import vim-8.2.2637-16.el9_0.3 --- ...emory-access-error-when-substitute-e.patch | 59 +++++++++ ...ubstitute-overwrites-allocated-buffe.patch | 121 ++++++++++++++++++ ...ursor-position-may-be-invalid-after-.patch | 106 +++++++++++++++ SPECS/vim.spec | 16 ++- 4 files changed, 301 insertions(+), 1 deletion(-) create mode 100644 SOURCES/0001-patch-8.2.4977-memory-access-error-when-substitute-e.patch create mode 100644 SOURCES/0001-patch-8.2.5023-substitute-overwrites-allocated-buffe.patch create mode 100644 SOURCES/0001-patch-8.2.5037-cursor-position-may-be-invalid-after-.patch diff --git a/SOURCES/0001-patch-8.2.4977-memory-access-error-when-substitute-e.patch b/SOURCES/0001-patch-8.2.4977-memory-access-error-when-substitute-e.patch new file mode 100644 index 0000000..b5a9272 --- /dev/null +++ b/SOURCES/0001-patch-8.2.4977-memory-access-error-when-substitute-e.patch 
@@ -0,0 +1,59 @@ +diff -up vim82/src/ex_cmds.c.cve1785 vim82/src/ex_cmds.c +--- vim82/src/ex_cmds.c.cve1785 2022-06-10 10:26:16.883312704 +0200 ++++ vim82/src/ex_cmds.c 2022-06-10 10:26:16.910312568 +0200 +@@ -4356,12 +4356,17 @@ ex_substitute(exarg_T *eap) + // Save flags for recursion. They can change for e.g. + // :s/^/\=execute("s#^##gn") + subflags_save = subflags; ++ ++ // Disallow changing text or switching window in an expression. ++ ++textwinlock; + #endif + // get length of substitution part + sublen = vim_regsub_multi(®match, + sub_firstlnum - regmatch.startpos[0].lnum, + sub, sub_firstline, FALSE, magic_isset(), TRUE); + #ifdef FEAT_EVAL ++ --textwinlock; ++ + // If getting the substitute string caused an error, don't do + // the replacement. + // Don't keep flags set by a recursive call. +@@ -4462,9 +4467,15 @@ ex_substitute(exarg_T *eap) + mch_memmove(new_end, sub_firstline + copycol, (size_t)copy_len); + new_end += copy_len; + ++#ifdef FEAT_EVAL ++ ++textwinlock; ++#endif + (void)vim_regsub_multi(®match, + sub_firstlnum - regmatch.startpos[0].lnum, + sub, new_end, TRUE, magic_isset(), TRUE); ++#ifdef FEAT_EVAL ++ --textwinlock; ++#endif + sub_nsubs++; + did_sub = TRUE; + +diff -up vim82/src/testdir/test_substitute.vim.cve1785 vim82/src/testdir/test_substitute.vim +--- vim82/src/testdir/test_substitute.vim.cve1785 2022-06-10 10:26:16.910312568 +0200 ++++ vim82/src/testdir/test_substitute.vim 2022-06-10 10:27:02.166084629 +0200 +@@ -942,5 +942,18 @@ func Test_using_old_sub() + set nocompatible + endfunc + ++" This was switching windows in between computing the length and using it. ++func Test_sub_change_window() ++ silent! lfile ++ sil! norm o0000000000000000000000000000000000000000000000000000 ++ func Repl() ++ lopen ++ endfunc ++ silent! s/\%')/\=Repl() ++ bwipe! ++ bwipe! ++ delfunc Repl ++endfunc ++ + + " vim: shiftwidth=2 sts=2 expandtab 
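Review bot: The second textwinlock pair, around the vim_regsub_multi() call that writes into new_end, carries no comment, while the first pair explains why the lock is taken; a reader cannot tell from the hunk alone that both calls must run under the same restriction. Suggest mirroring the first comment there: `// Again disallow changing text or switching window in the expression: the buffer at new_end was sized from the sublen computed above.` Both increments are balanced by a decrement on the lines that follow each call, so nothing visible here leaks the lock; what happens inside vim_regsub_multi() is outside the hunk. ex_substitute() itself starts and ends outside the hunk.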
diff --git a/SOURCES/0001-patch-8.2.5023-substitute-overwrites-allocated-buffe.patch b/SOURCES/0001-patch-8.2.5023-substitute-overwrites-allocated-buffe.patch new file mode 100644 index 0000000..71ce847 --- /dev/null +++ b/SOURCES/0001-patch-8.2.5023-substitute-overwrites-allocated-buffe.patch 
@@ -0,0 +1,121 @@ +diff -up vim82/src/normal.c.cve1897 vim82/src/normal.c +--- vim82/src/normal.c.cve1897 2022-06-13 09:31:42.880768567 +0200 ++++ vim82/src/normal.c 2022-06-13 09:35:38.560084927 +0200 +@@ -479,6 +479,22 @@ find_command(int cmdchar) + } + + /* ++ * If currently editing a cmdline or text is locked: beep and give an error ++ * message, return TRUE. ++ */ ++ static int ++check_text_locked(oparg_T *oap) ++{ ++ if (text_locked()) ++ { ++ clearopbeep(oap); ++ text_locked_msg(); ++ return TRUE; ++ } ++ return FALSE; ++} ++ ++/* + * Execute a command in Normal mode. + */ + void +@@ -742,14 +758,9 @@ getcount: + goto normal_end; + } + +- if (text_locked() && (nv_cmds[idx].cmd_flags & NV_NCW)) +- { +- // This command is not allowed while editing a cmdline: beep. +- clearopbeep(oap); +- text_locked_msg(); +- goto normal_end; +- } +- if ((nv_cmds[idx].cmd_flags & NV_NCW) && curbuf_locked()) ++ if ((nv_cmds[idx].cmd_flags & NV_NCW) ++ && (check_text_locked(oap) || curbuf_locked())) ++ // this command is not allowed now + goto normal_end; + + /* +@@ -4212,12 +4223,8 @@ nv_gotofile(cmdarg_T *cap) + char_u *ptr; + linenr_T lnum = -1; + +- if (text_locked()) +- { +- clearopbeep(cap->oap); +- text_locked_msg(); ++ if (check_text_locked(cap->oap)) + return; +- } + if (curbuf_locked()) + { + clearop(cap->oap); +@@ -6343,14 +6350,7 @@ nv_g_cmd(cmdarg_T *cap) + + // "gQ": improved Ex mode + case 'Q': +- if (text_locked()) +- { +- clearopbeep(cap->oap); +- text_locked_msg(); +- break; +- } +- +- if (!checkclearopq(oap)) ++ if (!check_text_locked(cap->oap) && !checkclearopq(oap)) + do_exmode(TRUE); + break; + +diff -up vim82/src/testdir/test_substitute.vim.cve1897 vim82/src/testdir/test_substitute.vim +--- vim82/src/testdir/test_substitute.vim.cve1897 2022-06-13 09:31:42.938768884 +0200 ++++ vim82/src/testdir/test_substitute.vim 2022-06-13 09:36:39.013406036 +0200 +@@ -955,5 +955,27 @@ func Test_sub_change_window() + delfunc Repl + endfunc + ++" This was undoign a change 
in between computing the length and using it. ++func Do_Test_sub_undo_change() ++ new ++ norm o0000000000000000000000000000000000000000000000000000 ++ silent! s/\%')/\=Repl() ++ bwipe! ++endfunc ++ ++func Test_sub_undo_change() ++ func Repl() ++ silent! norm g- ++ endfunc ++ call Do_Test_sub_undo_change() ++ ++ func! Repl() ++ silent earlier ++ endfunc ++ call Do_Test_sub_undo_change() ++ ++ delfunc Repl ++endfunc ++ + + " vim: shiftwidth=2 sts=2 expandtab +diff -up vim82/src/undo.c.cve1897 vim82/src/undo.c +--- vim82/src/undo.c.cve1897 2022-06-13 09:31:42.904768698 +0200 ++++ vim82/src/undo.c 2022-06-13 09:31:42.938768884 +0200 +@@ -2323,6 +2323,12 @@ undo_time( + int above = FALSE; + int did_undo = TRUE; + ++ if (text_locked()) ++ { ++ text_locked_msg(); ++ return; ++ } ++ + // First make sure the current undoable change is synced. + if (curbuf->b_u_synced == FALSE) + u_sync(TRUE); diff --git a/SOURCES/0001-patch-8.2.5037-cursor-position-may-be-invalid-after-.patch b/SOURCES/0001-patch-8.2.5037-cursor-position-may-be-invalid-after-.patch new file mode 100644 index 0000000..a8eeda7 --- /dev/null +++ b/SOURCES/0001-patch-8.2.5037-cursor-position-may-be-invalid-after-.patch 
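Review bot: The new guard in undo_time() returns with only text_locked_msg() and no comment, so the test comment `" This was undoign a change in between computing the length and using it.` is the only place that says why undo is refused there; that comment also has a typo (`undoign` should be `undoing`). A one-line comment on the guard would help, e.g. `// Undo/redo while text is locked would change the buffer a caller is still using.` — that the caller in question is :s with a \= expression is inferred from the test, not visible in undo.c itself. check_text_locked() in normal.c also calls clearopbeep(), whereas the undo_time() guard does not beep; that looks intentional since there is no oparg_T there, but it is worth stating in the comment. undo_time() starts and ends outside the hunk.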
@@ -0,0 +1,106 @@ +diff -up vim82/src/ex_docmd.c.cve1927 vim82/src/ex_docmd.c +--- vim82/src/ex_docmd.c.cve1927 2021-03-22 10:02:42.000000000 +0100 ++++ vim82/src/ex_docmd.c 2022-06-13 15:29:45.099472751 +0200 +@@ -3081,6 +3081,8 @@ parse_cmd_address(exarg_T *eap, char **e + { + int address_count = 1; + linenr_T lnum; ++ int need_check_cursor = FALSE; ++ int ret = FAIL; + + // Repeat for all ',' or ';' separated addresses. + for (;;) +@@ -3091,7 +3093,7 @@ parse_cmd_address(exarg_T *eap, char **e + lnum = get_address(eap, &eap->cmd, eap->addr_type, eap->skip, silent, + eap->addr_count == 0, address_count++); + if (eap->cmd == NULL) // error detected +- return FAIL; ++ goto theend; + if (lnum == MAXLNUM) + { + if (*eap->cmd == '%') // '%' - all lines +@@ -3136,14 +3138,14 @@ parse_cmd_address(exarg_T *eap, char **e + // there is no Vim command which uses '%' and + // ADDR_WINDOWS or ADDR_TABS + *errormsg = _(e_invrange); +- return FAIL; ++ goto theend; + } + break; + case ADDR_TABS_RELATIVE: + case ADDR_UNSIGNED: + case ADDR_QUICKFIX: + *errormsg = _(e_invrange); +- return FAIL; ++ goto theend; + case ADDR_ARGUMENTS: + if (ARGCOUNT == 0) + eap->line1 = eap->line2 = 0; +@@ -3175,7 +3177,7 @@ parse_cmd_address(exarg_T *eap, char **e + if (eap->addr_type != ADDR_LINES) + { + *errormsg = _(e_invrange); +- return FAIL; ++ goto theend; + } + + ++eap->cmd; +@@ -3183,11 +3185,11 @@ parse_cmd_address(exarg_T *eap, char **e + { + fp = getmark('<', FALSE); + if (check_mark(fp) == FAIL) +- return FAIL; ++ goto theend; + eap->line1 = fp->lnum; + fp = getmark('>', FALSE); + if (check_mark(fp) == FAIL) +- return FAIL; ++ goto theend; + eap->line2 = fp->lnum; + ++eap->addr_count; + } +@@ -3202,10 +3204,13 @@ parse_cmd_address(exarg_T *eap, char **e + if (!eap->skip) + { + curwin->w_cursor.lnum = eap->line2; ++ + // Don't leave the cursor on an illegal line or column, but do + // accept zero as address, so 0;/PATTERN/ works correctly. 
++ // Check the cursor position before returning. + if (eap->line2 > 0) + check_cursor(); ++ need_check_cursor = TRUE; + } + } + else if (*eap->cmd != ',') +@@ -3221,7 +3226,12 @@ parse_cmd_address(exarg_T *eap, char **e + if (lnum == MAXLNUM) + eap->addr_count = 0; + } +- return OK; ++ ret = OK; ++ ++theend: ++ if (need_check_cursor) ++ check_cursor(); ++ return ret; + } + + /* +diff -up vim82/src/testdir/test_excmd.vim.cve1927 vim82/src/testdir/test_excmd.vim +--- vim82/src/testdir/test_excmd.vim.cve1927 2022-06-13 15:26:53.941517542 +0200 ++++ vim82/src/testdir/test_excmd.vim 2022-06-13 15:30:53.972860361 +0200 +@@ -536,4 +536,13 @@ func Test_sandbox() + sandbox call Sandbox_tests() + endfunc + ++" This was leaving the cursor in line zero ++func Test_using_zero_in_range() ++ new ++ norm o00 ++ silent! 0;s/\%') ++ bwipe! ++endfunc ++ ++ + " vim: shiftwidth=2 sts=2 expandtab diff --git a/SPECS/vim.spec b/SPECS/vim.spec index 8fe2b5d..2cc9194 100644 --- a/SPECS/vim.spec +++ b/SPECS/vim.spec @@ -27,7 +27,7 @@ Summary: The VIM editor URL: http://www.vim.org/ Name: vim Version: %{baseversion}.%{patchlevel} -Release: 16%{?dist}.2 +Release: 16%{?dist}.3 License: Vim and MIT Source0: ftp://ftp.vim.org/pub/vim/unix/vim-%{baseversion}-%{patchlevel}.tar.bz2 Source1: virc 
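Review bot: The new `theend:` path calls check_cursor() once need_check_cursor is set, on the FAIL paths as well as on success, and it also clamps the zero line that the in-loop `if (eap->line2 > 0) check_cursor();` deliberately leaves alone; nothing in the hunk says why both checks are kept, so the earlier one now reads as redundant. Suggest a comment at the label: `// A zero cursor line was accepted above so that 0;/PATTERN/ resolves correctly; now that all addresses are parsed, leave the cursor on a valid line even on error.` The in-loop check presumably cannot be dropped because the next ';'-separated address is evaluated relative to the cursor set there — inferred, since get_address() is outside the hunk. parse_cmd_address() itself starts and ends outside the hunk.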
@@ -128,6 +128,12 @@ Patch3047: 0001-patch-8.2.4774-crash-when-using-a-number-for-lambda-.patch
 Patch3048: 0001-patch-8.2.4919-can-add-invalid-bytes-with-spellgood.patch
 # CVE-2022-1629 vim: buffer over-read
 Patch3049: 0001-patch-8.2.4925-trailing-backslash-may-cause-reading-.patch
+# CVE-2022-1785 vim: Out-of-bounds Write
+Patch3050: 0001-patch-8.2.4977-memory-access-error-when-substitute-e.patch
+# CVE-2022-1897 vim: out-of-bounds write in vim_regsub_both() in regexp.c
+Patch3051: 0001-patch-8.2.5023-substitute-overwrites-allocated-buffe.patch
+# CVE-2022-1927 vim: buffer over-read in utf_ptr2char() in mbyte.c
+Patch3052: 0001-patch-8.2.5037-cursor-position-may-be-invalid-after-.patch
 
 # gcc is no longer in buildroot by default
 BuildRequires: gcc
@@ -364,6 +370,9 @@ perl -pi -e "s,bin/nawk,bin/awk,g" runtime/tools/mve.awk
 %patch3047 -p1 -b .cve1420
 %patch3048 -p1 -b .cve1621
 %patch3049 -p1 -b .cve1629
+%patch3050 -p1 -b .cve1785
+%patch3051 -p1 -b .cve1897
+%patch3052 -p1 -b .cve1927
 
 %build
 cd src
@@ -921,6 +930,11 @@ touch %{buildroot}/%{_datadir}/%{name}/vimfiles/doc/tags
 %endif
 
 %changelog
+* Mon Jun 13 2022 Zdenek Dohnal - 2:8.2.2637-16.3
+- CVE-2022-1785 vim: Out-of-bounds Write
+- CVE-2022-1897 vim: out-of-bounds write in vim_regsub_both() in regexp.c
+- CVE-2022-1927 vim: buffer over-read in utf_ptr2char() in mbyte.c
+
 * Wed May 25 2022 Zdenek Dohnal - 2:8.2.2637-16.2
 - CVE-2022-1621 vim: heap buffer overflow
 - CVE-2022-1629 vim: buffer over-read