From 39f0b7844691cbf9c93427a507129955b3178e7c Mon Sep 17 00:00:00 2001
From: CentOS Sources <bugs@centos.org>
Date: Jan 11 2022 18:44:50 +0000
Subject: import vim-8.2.2637-9.el9


---

diff --git a/SOURCES/0001-patch-8.2.3625-illegal-memory-access-when-C-indentin.patch b/SOURCES/0001-patch-8.2.3625-illegal-memory-access-when-C-indentin.patch
new file mode 100644
index 0000000..b308783
--- /dev/null
+++ b/SOURCES/0001-patch-8.2.3625-illegal-memory-access-when-C-indentin.patch
@@ -0,0 +1,34 @@
+diff --git a/src/cindent.c b/src/cindent.c
+index b2fac1a..ce513e3 100644
+--- a/src/cindent.c
++++ b/src/cindent.c
+@@ -1654,7 +1654,7 @@ find_start_brace(void)	    // XXX
+ 		       && (pos = ind_find_start_CORS(NULL)) == NULL) // XXX
+ 	    break;
+ 	if (pos != NULL)
+-	    curwin->w_cursor.lnum = pos->lnum;
++	    curwin->w_cursor = *pos;
+     }
+     curwin->w_cursor = cursor_save;
+     return trypos;
+diff --git a/src/testdir/test_cindent.vim b/src/testdir/test_cindent.vim
+index 5926408..f668faa 100644
+--- a/src/testdir/test_cindent.vim
++++ b/src/testdir/test_cindent.vim
+@@ -5307,4 +5307,16 @@ func Test_cindent_pragma()
+   enew! | close
+ endfunc
+ 
++func Test_find_brace_backwards()
++  " this was looking beyond the end of the line
++  new
++  norm R/*
++  norm o0{
++  norm o//
++  norm V{=
++  call assert_equal(['/*', '   0{', '//'], getline(1, 3))
++  bwipe!
++endfunc
++
++
+ " vim: shiftwidth=2 sts=2 expandtab
diff --git a/SOURCES/0001-patch-8.2.3669-buffer-overflow-with-long-help-argume.patch b/SOURCES/0001-patch-8.2.3669-buffer-overflow-with-long-help-argume.patch
new file mode 100644
index 0000000..8f8c075
--- /dev/null
+++ b/SOURCES/0001-patch-8.2.3669-buffer-overflow-with-long-help-argume.patch
@@ -0,0 +1,32 @@
+diff --git a/src/help.c b/src/help.c
+index ee6ff18..67e4fb2 100644
+--- a/src/help.c
++++ b/src/help.c
+@@ -422,8 +422,7 @@ find_help_tags(
+ 		    || (vim_strchr((char_u *)"%_z@", arg[1]) != NULL
+ 							   && arg[2] != NUL)))
+ 	{
+-	    STRCPY(d, "/\\\\");
+-	    STRCPY(d + 3, arg + 1);
++	    vim_snprintf((char *)d, IOSIZE, "/\\\\%s", arg + 1);
+ 	    // Check for "/\\_$", should be "/\\_\$"
+ 	    if (d[3] == '_' && d[4] == '$')
+ 		STRCPY(d + 4, "\\$");
+diff --git a/src/testdir/test_help.vim b/src/testdir/test_help.vim
+index ff2bc41..c8ff5b8 100644
+--- a/src/testdir/test_help.vim
++++ b/src/testdir/test_help.vim
+@@ -123,5 +123,13 @@ func Test_helptag_cmd_readonly()
+   call delete('Xdir', 'rf')
+ endfunc
+ 
++func Test_help_long_argument()
++  try
++    exe 'help \%' .. repeat('0', 1021)
++  catch
++    call assert_match("E149:", v:exception)
++  endtry
++endfunc
++
+ 
+ " vim: shiftwidth=2 sts=2 expandtab
diff --git a/SPECS/vim.spec b/SPECS/vim.spec
index 522a865..bcbf058 100644
--- a/SPECS/vim.spec
+++ b/SPECS/vim.spec
@@ -27,7 +27,7 @@ Summary: The VIM editor
 URL:     http://www.vim.org/
 Name: vim
 Version: %{baseversion}.%{patchlevel}
-Release: 8%{?dist}
+Release: 9%{?dist}
 License: Vim and MIT
 Source0: ftp://ftp.vim.org/pub/vim/unix/vim-%{baseversion}-%{patchlevel}.tar.bz2
 Source1: virc
@@ -80,6 +80,10 @@ Patch3023: 0001-patch-8.2.3428-using-freed-memory-when-replacing.patch
 Patch3024: 0001-patch-8.2.3406-on-some-systems-tests-fail-without-_R.patch
 # 2016202 - CVE-2021-3872 vim: heap-based buffer overflow in win_redr_status() drawscreen.c [rhel-9.0]
 Patch3025: 0001-patch-8.2.3487-illegal-memory-access-if-buffer-name-.patch
+# 2028342 - CVE-2021-3984 vim: illegal memory access when C-indenting could lead to Heap Buffer Overflow [rhel-9.0]
+Patch3026: 0001-patch-8.2.3625-illegal-memory-access-when-C-indentin.patch
+# 2028431 - CVE-2021-4019 vim: heap-based buffer overflow in find_help_tags() in src/help.c [rhel-9.0]
+Patch3027: 0001-patch-8.2.3669-buffer-overflow-with-long-help-argume.patch
 
 # gcc is no longer in buildroot by default
 BuildRequires: gcc
@@ -292,6 +296,8 @@ perl -pi -e "s,bin/nawk,bin/awk,g" runtime/tools/mve.awk
 %patch3023 -p1 -b .cve-nv-replace
 %patch3024 -p1 -b .reentrant
 %patch3025 -p1 -b .cve-win-redr
+%patch3026 -p1 -b .cve3984
+%patch3027 -p1 -b .cve4019
 
 %build
 cd src
@@ -849,6 +855,12 @@ touch %{buildroot}/%{_datadir}/%{name}/vimfiles/doc/tags
 %endif
 
 %changelog
+* Mon Dec 02 2021 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.2.2637-9
+- 2028431 - CVE-2021-4019 vim: heap-based buffer overflow in find_help_tags() in src/help.c [rhel-9.0]
+
+* Thu Dec 02 2021 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.2.2637-9
+- 2028342 - CVE-2021-3984 vim: illegal memory access when C-indenting could lead to Heap Buffer Overflow [rhel-9.0]
+
 * Tue Oct 26 2021 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.2.2637-8
 - 2016202 - CVE-2021-3872 vim: heap-based buffer overflow in win_redr_status() drawscreen.c [rhel-9.0]