From a72edbb5b382f85a2ac51c6eb0ea0336d1281755 Mon Sep 17 00:00:00 2001
From: CentOS Sources <bugs@centos.org>
Date: Apr 05 2022 11:15:17 +0000
Subject: import vim-8.2.2637-15.el9


---

diff --git a/SOURCES/0001-patch-8.2.4397-crash-when-using-many-composing-chara.patch b/SOURCES/0001-patch-8.2.4397-crash-when-using-many-composing-chara.patch
new file mode 100644
index 0000000..e190f2c
--- /dev/null
+++ b/SOURCES/0001-patch-8.2.4397-crash-when-using-many-composing-chara.patch
@@ -0,0 +1,49 @@
+From 34f8117dec685ace52cd9e578e2729db278163fc Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Wed, 16 Feb 2022 12:16:19 +0000
+Subject: [PATCH] patch 8.2.4397: crash when using many composing characters in
+ error message
+
+Problem:    Crash when using many composing characters in error message.
+Solution:   Use mb_cptr2char_adv() instead of mb_ptr2char_adv().
+---
+ src/testdir/test_assert.vim | 8 ++++++++
+ src/testing.c               | 2 +-
+ src/version.c               | 2 ++
+ 3 files changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/src/testdir/test_assert.vim b/src/testdir/test_assert.vim
+index 8987f3f8d..27b2d73fb 100644
+--- a/src/testdir/test_assert.vim
++++ b/src/testdir/test_assert.vim
+@@ -53,6 +53,14 @@ func Test_assert_equal()
+   call assert_equal("\b\e\f\n\t\r\\\x01\x7f", 'x')
+   call assert_match('Expected ''\\b\\e\\f\\n\\t\\r\\\\\\x01\\x7f'' but got ''x''', v:errors[0])
+   call remove(v:errors, 0)
++
++  " many composing characters are handled properly
++  call setline(1, ' ')
++  norm 100gr݀
++  call assert_equal(1, getline(1))
++  call assert_match("Expected 1 but got '.* occurs 100 times]'", v:errors[0])
++  call remove(v:errors, 0)
++  bwipe!
+ endfunc
+ 
+ func Test_assert_equal_dict()
+diff --git a/src/testing.c b/src/testing.c
+index 448c01c1e..48ba14d2c 100644
+--- a/src/testing.c
++++ b/src/testing.c
+@@ -101,7 +101,7 @@ ga_concat_shorten_esc(garray_T *gap, char_u *str)
+     {
+ 	same_len = 1;
+ 	s = p;
+-	c = mb_ptr2char_adv(&s);
++	c = mb_cptr2char_adv(&s);
+ 	clen = s - p;
+ 	while (*s != NUL && c == mb_ptr2char(s))
+ 	{
+-- 
+2.35.1
+
diff --git a/SOURCES/0001-patch-8.2.4436-crash-with-weird-vartabstop-value.patch b/SOURCES/0001-patch-8.2.4436-crash-with-weird-vartabstop-value.patch
new file mode 100644
index 0000000..123e7d6
--- /dev/null
+++ b/SOURCES/0001-patch-8.2.4436-crash-with-weird-vartabstop-value.patch
@@ -0,0 +1,35 @@
+diff --git a/src/indent.c b/src/indent.c
+index 77d8b0a..9830685 100644
+--- a/src/indent.c
++++ b/src/indent.c
+@@ -1284,6 +1284,8 @@ change_indent(
+ 		new_cursor_col += (*mb_ptr2len)(ptr + new_cursor_col);
+ 	    else
+ 		++new_cursor_col;
++	    if (ptr[new_cursor_col] == NUL)
++		break;
+ 	    vcol += lbr_chartabsize(ptr, ptr + new_cursor_col, (colnr_T)vcol);
+ 	}
+ 	vcol = last_vcol;
+diff --git a/src/testdir/test_vartabs.vim b/src/testdir/test_vartabs.vim
+index 0ff1ea8..a613510 100644
+--- a/src/testdir/test_vartabs.vim
++++ b/src/testdir/test_vartabs.vim
+@@ -419,4 +419,17 @@ func Test_varsofttabstop()
+   close!
+ endfunc
+ 
++func Test_vartabstop_latin1()
++  let save_encoding = &encoding
++  new
++  set encoding=iso8859-1
++  set compatible linebreak list revins smarttab
++  set vartabstop=400
++  exe "norm i00\t\<C-D>"
++  bwipe!
++  let &encoding = save_encoding
++  set nocompatible linebreak& list& revins& smarttab& vartabstop&
++endfunc
++
++
+ " vim: shiftwidth=2 sts=2 expandtab
diff --git a/SPECS/vim.spec b/SPECS/vim.spec
index aa49305..aab134b 100644
--- a/SPECS/vim.spec
+++ b/SPECS/vim.spec
@@ -27,7 +27,7 @@ Summary: The VIM editor
 URL:     http://www.vim.org/
 Name: vim
 Version: %{baseversion}.%{patchlevel}
-Release: 13%{?dist}
+Release: 15%{?dist}
 License: Vim and MIT
 Source0: ftp://ftp.vim.org/pub/vim/unix/vim-%{baseversion}-%{patchlevel}.tar.bz2
 Source1: virc
@@ -112,6 +112,10 @@ Patch3039: 0001-patch-8.2.4281-using-freed-memory-with-lopen-and-bwi.patch
 Patch3040: 0001-patch-8.2.4218-illegal-memory-access-with-bracketed-.patch
 # CVE-2022-0572 vim: heap overflow in ex_retab() may lead to crash
 Patch3041: 0001-patch-8.2.4359-crash-when-repeatedly-using-retab.patch
+# CVE-2022-0629 vim: Stack-based Buffer Overflow in vim prior to 8.2
+Patch3042: 0001-patch-8.2.4397-crash-when-using-many-composing-chara.patch
+# CVE-2022-0714 vim: buffer overflow [rhel-9]
+Patch3043: 0001-patch-8.2.4436-crash-with-weird-vartabstop-value.patch
 
 # gcc is no longer in buildroot by default
 BuildRequires: gcc
@@ -340,6 +344,8 @@ perl -pi -e "s,bin/nawk,bin/awk,g" runtime/tools/mve.awk
 %patch3039 -p1 -b .cve0443
 %patch3040 -p1 -b .cve0392
 %patch3041 -p1 -b .cve0572
+%patch3042 -p1 -b .cve0629
+%patch3043 -p1 -b .cve0714
 
 %build
 cd src
@@ -897,6 +903,12 @@ touch %{buildroot}/%{_datadir}/%{name}/vimfiles/doc/tags
 %endif
 
 %changelog
+* Thu Feb 24 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.2.2637-15
+- CVE-2022-0714 vim: buffer overflow [rhel-9]
+
+* Wed Feb 23 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.2.2637-14
+- CVE-2022-0629 vim: Stack-based Buffer Overflow in vim prior to 8.2
+
 * Wed Feb 16 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.2.2637-13
 - CVE-2022-0572 vim: heap overflow in ex_retab() may lead to crash