From f77538d02cbbb7959326d886a221108c33c8f4aa Mon Sep 17 00:00:00 2001
From: Zdenek Dohnal <zdohnal@redhat.com>
Date: Mon, 13 Jun 2022 16:32:30 +0200
Subject: [PATCH] CVE-2022-1927 vim: buffer over-read in utf_ptr2char() in
 mbyte.c

Resolves: CVE-2022-1927
---
 ...ursor-position-may-be-invalid-after-.patch | 106 ++++++++++++++++++
 vim.spec                                      |   4 +
 2 files changed, 110 insertions(+)
 create mode 100644 0001-patch-8.2.5037-cursor-position-may-be-invalid-after-.patch

diff --git a/0001-patch-8.2.5037-cursor-position-may-be-invalid-after-.patch b/0001-patch-8.2.5037-cursor-position-may-be-invalid-after-.patch
new file mode 100644
index 0000000..a8eeda7
--- /dev/null
+++ b/0001-patch-8.2.5037-cursor-position-may-be-invalid-after-.patch
@@ -0,0 +1,106 @@
+diff -up vim82/src/ex_docmd.c.cve1927 vim82/src/ex_docmd.c
+--- vim82/src/ex_docmd.c.cve1927	2021-03-22 10:02:42.000000000 +0100
++++ vim82/src/ex_docmd.c	2022-06-13 15:29:45.099472751 +0200
+@@ -3081,6 +3081,8 @@ parse_cmd_address(exarg_T *eap, char **e
+ {
+     int		address_count = 1;
+     linenr_T	lnum;
++    int		need_check_cursor = FALSE;
++    int		ret = FAIL;
+ 
+     // Repeat for all ',' or ';' separated addresses.
+     for (;;)
+@@ -3091,7 +3093,7 @@ parse_cmd_address(exarg_T *eap, char **e
+ 	lnum = get_address(eap, &eap->cmd, eap->addr_type, eap->skip, silent,
+ 					eap->addr_count == 0, address_count++);
+ 	if (eap->cmd == NULL)	// error detected
+-	    return FAIL;
++	    goto theend;
+ 	if (lnum == MAXLNUM)
+ 	{
+ 	    if (*eap->cmd == '%')   // '%' - all lines
+@@ -3136,14 +3138,14 @@ parse_cmd_address(exarg_T *eap, char **e
+ 			    // there is no Vim command which uses '%' and
+ 			    // ADDR_WINDOWS or ADDR_TABS
+ 			    *errormsg = _(e_invrange);
+-			    return FAIL;
++			    goto theend;
+ 			}
+ 			break;
+ 		    case ADDR_TABS_RELATIVE:
+ 		    case ADDR_UNSIGNED:
+ 		    case ADDR_QUICKFIX:
+ 			*errormsg = _(e_invrange);
+-			return FAIL;
++			goto theend;
+ 		    case ADDR_ARGUMENTS:
+ 			if (ARGCOUNT == 0)
+ 			    eap->line1 = eap->line2 = 0;
+@@ -3175,7 +3177,7 @@ parse_cmd_address(exarg_T *eap, char **e
+ 		if (eap->addr_type != ADDR_LINES)
+ 		{
+ 		    *errormsg = _(e_invrange);
+-		    return FAIL;
++		    goto theend;
+ 		}
+ 
+ 		++eap->cmd;
+@@ -3183,11 +3185,11 @@ parse_cmd_address(exarg_T *eap, char **e
+ 		{
+ 		    fp = getmark('<', FALSE);
+ 		    if (check_mark(fp) == FAIL)
+-			return FAIL;
++			goto theend;
+ 		    eap->line1 = fp->lnum;
+ 		    fp = getmark('>', FALSE);
+ 		    if (check_mark(fp) == FAIL)
+-			return FAIL;
++			goto theend;
+ 		    eap->line2 = fp->lnum;
+ 		    ++eap->addr_count;
+ 		}
+@@ -3202,10 +3204,13 @@ parse_cmd_address(exarg_T *eap, char **e
+ 	    if (!eap->skip)
+ 	    {
+ 		curwin->w_cursor.lnum = eap->line2;
++
+ 		// Don't leave the cursor on an illegal line or column, but do
+ 		// accept zero as address, so 0;/PATTERN/ works correctly.
++		// Check the cursor position before returning.
+ 		if (eap->line2 > 0)
+ 		    check_cursor();
++		need_check_cursor = TRUE;
+ 	    }
+ 	}
+ 	else if (*eap->cmd != ',')
+@@ -3221,7 +3226,12 @@ parse_cmd_address(exarg_T *eap, char **e
+ 	if (lnum == MAXLNUM)
+ 	    eap->addr_count = 0;
+     }
+-    return OK;
++    ret = OK;
++
++theend:
++    if (need_check_cursor)
++	check_cursor();
++    return ret;
+ }
+ 
+ /*
+diff -up vim82/src/testdir/test_excmd.vim.cve1927 vim82/src/testdir/test_excmd.vim
+--- vim82/src/testdir/test_excmd.vim.cve1927	2022-06-13 15:26:53.941517542 +0200
++++ vim82/src/testdir/test_excmd.vim	2022-06-13 15:30:53.972860361 +0200
+@@ -536,4 +536,13 @@ func Test_sandbox()
+   sandbox call Sandbox_tests()
+ endfunc
+ 
++" This was leaving the cursor in line zero
++func Test_using_zero_in_range()
++  new
++  norm o00
++  silent!  0;s/\%')
++  bwipe!
++endfunc
++
++
+ " vim: shiftwidth=2 sts=2 expandtab
diff --git a/vim.spec b/vim.spec
index 8b47419..39c40f5 100644
--- a/vim.spec
+++ b/vim.spec
@@ -132,6 +132,8 @@ Patch3049: 0001-patch-8.2.4925-trailing-backslash-may-cause-reading-.patch
 Patch3050: 0001-patch-8.2.4977-memory-access-error-when-substitute-e.patch
 # CVE-2022-1897 vim: out-of-bounds write in vim_regsub_both() in regexp.c
 Patch3051: 0001-patch-8.2.5023-substitute-overwrites-allocated-buffe.patch
+# CVE-2022-1927 vim: buffer over-read in utf_ptr2char() in mbyte.c
+Patch3052: 0001-patch-8.2.5037-cursor-position-may-be-invalid-after-.patch
 
 # gcc is no longer in buildroot by default
 BuildRequires: gcc
@@ -370,6 +372,7 @@ perl -pi -e "s,bin/nawk,bin/awk,g" runtime/tools/mve.awk
 %patch3049 -p1 -b .cve1629
 %patch3050 -p1 -b .cve1785
 %patch3051 -p1 -b .cve1897
+%patch3052 -p1 -b .cve1927
 
 %build
 cd src
@@ -930,6 +933,7 @@ touch %{buildroot}/%{_datadir}/%{name}/vimfiles/doc/tags
 * Mon Jun 13 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.2.2637-19
 - CVE-2022-1785 vim: Out-of-bounds Write
 - CVE-2022-1897 vim: out-of-bounds write in vim_regsub_both() in regexp.c
+- CVE-2022-1927 vim: buffer over-read in utf_ptr2char() in mbyte.c
 
 * Tue May 24 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.2.2637-18
 - CVE-2022-1621 vim: heap buffer overflow