From eedc06f3b50762d13e96440719531ca3932df26d Mon Sep 17 00:00:00 2001
From: CentOS Sources <bugs@centos.org>
Date: Tue, 26 Apr 2022 09:50:50 -0400
Subject: [PATCH] import vim-8.0.1763-16.el8_5.13

---
 ...sing-buffer-line-after-it-has-been-f.patch | 22 +++++++++++++++++++
 SPECS/vim.spec                                |  8 ++++++-
 2 files changed, 29 insertions(+), 1 deletion(-)
 create mode 100644 SOURCES/0001-patch-8.2.4646-using-buffer-line-after-it-has-been-f.patch

diff --git a/SOURCES/0001-patch-8.2.4646-using-buffer-line-after-it-has-been-f.patch b/SOURCES/0001-patch-8.2.4646-using-buffer-line-after-it-has-been-f.patch
new file mode 100644
index 0000000..a2eb48b
--- /dev/null
+++ b/SOURCES/0001-patch-8.2.4646-using-buffer-line-after-it-has-been-f.patch
@@ -0,0 +1,22 @@
+diff -up vim80/src/regexp.c.cve1154 vim80/src/regexp.c
+--- vim80/src/regexp.c.cve1154	2022-04-09 12:01:30.054452927 +0200
++++ vim80/src/regexp.c	2022-04-09 12:02:48.987999877 +0200
+@@ -4415,8 +4415,17 @@ regmatch(
+ 		int	mark = OPERAND(scan)[0];
+ 		int	cmp = OPERAND(scan)[1];
+ 		pos_T	*pos;
++		size_t	col = REG_MULTI ? reginput - regline : 0;
+ 
+ 		pos = getmark_buf(rex.reg_buf, mark, FALSE);
++
++		// Line may have been freed, get it again.
++		if (REG_MULTI)
++		{
++		    regline = reg_getline(reglnum);
++		    reginput = regline + col;
++		}
++
+ 		if (pos == NULL		     /* mark doesn't exist */
+ 			|| pos->lnum <= 0    /* mark isn't set in reg_buf */
+ 			|| (pos->lnum == reglnum + rex.reg_firstlnum
+diff -up vim80/src/testdir/test_regexp_latin.vim.cve1154 vim80/src/testdir/test_regexp_latin.vim
diff --git a/SPECS/vim.spec b/SPECS/vim.spec
index 8bd7a1d..46788e0 100644
--- a/SPECS/vim.spec
+++ b/SPECS/vim.spec
@@ -24,7 +24,7 @@ Summary: The VIM editor
 URL:     http://www.vim.org/
 Name: vim
 Version: %{baseversion}.%{patchlevel}
-Release: 16%{?dist}.12
+Release: 16%{?dist}.13
 License: Vim and MIT
 Source0: ftp://ftp.vim.org/pub/vim/unix/vim-%{baseversion}-%{patchlevel}.tar.bz2
 Source1: vim.sh
@@ -100,6 +100,8 @@ Patch3032: 0001-patch-8.2.4218-illegal-memory-access-with-bracketed-.patch
 Patch3033: 0001-patch-8.2.4253-using-freed-memory-when-substitute-wi.patch
 # CVE-2022-0361 vim: Heap-based Buffer Overflow in GitHub repository
 Patch3034: 0001-patch-8.2.4215-illegal-memory-access-when-copying-li.patch
+# CVE-2022-1154 vim: use after free in utf_ptr2char
+Patch3035: 0001-patch-8.2.4646-using-buffer-line-after-it-has-been-f.patch
 
 # gcc is no longer in buildroot by default
 BuildRequires: gcc
@@ -311,6 +313,7 @@ perl -pi -e "s,bin/nawk,bin/awk,g" runtime/tools/mve.awk
 %patch3032 -p1 -b .cve0392
 %patch3033 -p1 -b .cve0413
 %patch3034 -p1 -b .cve0361
+%patch3035 -p1 -b .cve1154
 
 %build
 %if 0%{?rhel} > 7
@@ -829,6 +832,9 @@ touch %{buildroot}/%{_datadir}/%{name}/vimfiles/doc/tags
 %{_datadir}/icons/locolor/*/apps/*
 
 %changelog
+* Sat Apr 09 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.0.1763-16.13
+- CVE-2022-1154 vim: use after free in utf_ptr2char
+
 * Tue Feb 08 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.0.1763-16.12
 - CVE-2022-0361 vim: Heap-based Buffer Overflow in GitHub repository