diff --git a/SOURCES/0001-patch-8.2.4327-may-end-up-with-no-current-buffer.patch b/SOURCES/0001-patch-8.2.4327-may-end-up-with-no-current-buffer.patch new file mode 100644 index 0000000..8c2cf3a --- /dev/null +++ b/SOURCES/0001-patch-8.2.4327-may-end-up-with-no-current-buffer.patch @@ -0,0 +1,110 @@ +From e3537aec2f8d6470010547af28dcbd83d41461b8 Mon Sep 17 00:00:00 2001 +From: Bram Moolenaar +Date: Tue, 8 Feb 2022 15:05:20 +0000 +Subject: [PATCH] patch 8.2.4327: may end up with no current buffer + +Problem: May end up with no current buffer. +Solution: When deleting the current buffer to not pick a quickfix buffer as + the new current buffer. +--- + src/buffer.c | 26 ++++++++++++++++++++++---- + src/testdir/test_quickfix.vim | 25 +++++++++++++++++++++++++ + src/version.c | 2 ++ + 3 files changed, 49 insertions(+), 4 deletions(-) + +diff --git a/src/buffer.c b/src/buffer.c +index 81bdb31ca..b3e2bc3f9 100644 +--- a/src/buffer.c ++++ b/src/buffer.c +@@ -1430,8 +1430,14 @@ do_buffer_ext( + buf = buflist_findnr(curwin->w_jumplist[jumpidx].fmark.fnum); + if (buf != NULL) + { +- if (buf == curbuf || !buf->b_p_bl) +- buf = NULL; // skip current and unlisted bufs ++ // Skip current and unlisted bufs. Also skip a quickfix ++ // buffer, it might be deleted soon. ++ if (buf == curbuf || !buf->b_p_bl ++#if defined(FEAT_QUICKFIX) ++ || bt_quickfix(buf) ++#endif ++ ) ++ buf = NULL; + else if (buf->b_ml.ml_mfp == NULL) + { + // skip unloaded buf, but may keep it for later +@@ -1467,7 +1473,11 @@ do_buffer_ext( + continue; + } + // in non-help buffer, try to skip help buffers, and vv +- if (buf->b_help == curbuf->b_help && buf->b_p_bl) ++ if (buf->b_help == curbuf->b_help && buf->b_p_bl ++#if defined(FEAT_QUICKFIX) ++ && !bt_quickfix(buf) ++#endif ++ ) + { + if (buf->b_ml.ml_mfp != NULL) // found loaded buffer + break; +@@ -1485,7 +1495,11 @@ do_buffer_ext( + if (buf == NULL) // No loaded buffer, find listed one + { + FOR_ALL_BUFFERS(buf) +- if (buf->b_p_bl && buf != curbuf) ++ if (buf->b_p_bl && buf != curbuf ++#if defined(FEAT_QUICKFIX) ++ && !bt_quickfix(buf) ++#endif ++ ) + break; + } + if (buf == NULL) // Still no buffer, just take one +@@ -1494,6 +1508,10 @@ do_buffer_ext( + buf = curbuf->b_next; + else + buf = curbuf->b_prev; ++#if defined(FEAT_QUICKFIX) ++ if (bt_quickfix(buf)) ++ buf = NULL; ++#endif + } + } + +diff --git a/src/testdir/test_quickfix.vim b/src/testdir/test_quickfix.vim +index 07fdb9644..adb0ea4fd 100644 +--- a/src/testdir/test_quickfix.vim ++++ b/src/testdir/test_quickfix.vim +@@ -5851,5 +5851,30 @@ func Test_lopen_bwipe() + delfunc R + endfunc + ++" Another sequence of commands that caused all buffers to be wiped out ++func Test_lopen_bwipe_all() ++ let lines =<< trim END ++ func R() ++ silent! tab lopen ++ e foo ++ silent! lfile ++ endfunc ++ cal R() ++ exe "norm \\0" ++ cal R() ++ bwipe ++ ++ call writefile(['done'], 'Xresult') ++ qall! ++ END ++ call writefile(lines, 'Xscript') ++ if RunVim([], [], '-u NONE -n -X -Z -e -m -s -S Xscript') ++ call assert_equal(['done'], readfile('Xresult')) ++ endif ++ ++ call delete('Xscript') ++ call delete('Xresult') ++endfunc ++ + + " vim: shiftwidth=2 sts=2 expandtab +-- +2.35.1 + diff --git a/SOURCES/0001-patch-8.2.4563-z-in-Visual-mode-may-go-beyond-the-en.patch b/SOURCES/0001-patch-8.2.4563-z-in-Visual-mode-may-go-beyond-the-en.patch new file mode 100644 index 0000000..4066b1e --- /dev/null +++ b/SOURCES/0001-patch-8.2.4563-z-in-Visual-mode-may-go-beyond-the-en.patch @@ -0,0 +1,39 @@ +diff -up vim82/src/spellsuggest.c.cve0943 vim82/src/spellsuggest.c +--- vim82/src/spellsuggest.c.cve0943 2022-03-28 20:48:07.079197805 +0200 ++++ vim82/src/spellsuggest.c 2022-03-28 20:48:07.101197522 +0200 +@@ -501,6 +501,10 @@ spell_suggest(int count) + curwin->w_cursor.col = VIsual.col; + ++badlen; + end_visual_mode(); ++ // make sure we don't include the NUL at the end of the line ++ line = ml_get_curline(); ++ if (badlen > STRLEN(line) - curwin->w_cursor.col) ++ badlen = STRLEN(line) - curwin->w_cursor.col; + } + // Find the start of the badly spelled word. + else if (spell_move_to(curwin, FORWARD, TRUE, TRUE, NULL) == 0 +diff -up vim82/src/testdir/test_spell.vim.cve0943 vim82/src/testdir/test_spell.vim +--- vim82/src/testdir/test_spell.vim.cve0943 2022-03-28 20:48:07.102197509 +0200 ++++ vim82/src/testdir/test_spell.vim 2022-03-28 20:49:05.038452974 +0200 +@@ -441,6 +441,21 @@ func Test_spellsuggest_expr_errors() + delfunc MySuggest3 + endfunc + ++func Test_spellsuggest_visual_end_of_line() ++ let enc_save = &encoding ++ set encoding=iso8859 ++ ++ " This was reading beyond the end of the line. ++ norm R00000000000 ++ sil norm 0 ++ sil! norm i00000) ++ sil! norm i00000) ++ call feedkeys("\") ++ norm z= ++ ++ let &encoding = enc_save ++endfunc ++ + func Test_spellinfo() + new + let runtime = substitute($VIMRUNTIME, '\\', '/', 'g') diff --git a/SOURCES/0001-patch-8.2.4646-using-buffer-line-after-it-has-been-f.patch b/SOURCES/0001-patch-8.2.4646-using-buffer-line-after-it-has-been-f.patch new file mode 100644 index 0000000..3d45b8e --- /dev/null +++ b/SOURCES/0001-patch-8.2.4646-using-buffer-line-after-it-has-been-f.patch @@ -0,0 +1,44 @@ +diff -up vim82/src/regexp_bt.c.cve1154 vim82/src/regexp_bt.c +--- vim82/src/regexp_bt.c.cve1154 2022-04-25 15:22:28.367621755 +0200 ++++ vim82/src/regexp_bt.c 2022-04-25 15:25:13.726340728 +0200 +@@ -3188,8 +3188,17 @@ regmatch( + int mark = OPERAND(scan)[0]; + int cmp = OPERAND(scan)[1]; + pos_T *pos; ++ size_t col = REG_MULTI ? rex.input - rex.line : 0; + + pos = getmark_buf(rex.reg_buf, mark, FALSE); ++ ++ // Line may have been freed, get it again. ++ if (REG_MULTI) ++ { ++ rex.line = reg_getline(rex.lnum); ++ rex.input = rex.line + col; ++ } ++ + if (pos == NULL // mark doesn't exist + || pos->lnum <= 0 // mark isn't set in reg_buf + || (pos->lnum == rex.lnum + rex.reg_firstlnum +diff -up vim82/src/testdir/test_regexp_latin.vim.cve1154 vim82/src/testdir/test_regexp_latin.vim +--- vim82/src/testdir/test_regexp_latin.vim.cve1154 2022-04-25 15:22:28.368621752 +0200 ++++ vim82/src/testdir/test_regexp_latin.vim 2022-04-25 15:26:57.515227712 +0200 +@@ -954,4 +954,19 @@ func Test_using_visual_position() + bwipe! + endfunc + ++func Test_using_mark_position() ++ " this was using freed memory ++ " new engine ++ new ++ norm O0 ++ call assert_fails("s/\\%')", 'E486:') ++ bwipe! ++ ++ " old engine ++ new ++ norm O0 ++ call assert_fails("s/\\%#=1\\%')", 'E486:') ++ bwipe! ++endfunc ++ + " vim: shiftwidth=2 sts=2 expandtab diff --git a/SOURCES/0001-patch-8.2.4774-crash-when-using-a-number-for-lambda-.patch b/SOURCES/0001-patch-8.2.4774-crash-when-using-a-number-for-lambda-.patch new file mode 100644 index 0000000..60a6c54 --- /dev/null +++ b/SOURCES/0001-patch-8.2.4774-crash-when-using-a-number-for-lambda-.patch @@ -0,0 +1,51 @@ +diff -up vim82/src/errors.h.cve1420 vim82/src/errors.h +--- vim82/src/errors.h.cve1420 2022-04-25 16:01:03.559985019 +0200 ++++ vim82/src/errors.h 2022-04-25 16:01:58.113332024 +0200 +@@ -383,3 +383,7 @@ EXTERN char e_cannot_use_default_values_ + INIT(= N_("E1172: Cannot use default values in a lambda")); + EXTERN char e_resulting_text_too_long[] + INIT(= N_("E1240: Resulting text too long")); ++#ifdef FEAT_EVAL ++EXTERN char e_string_or_function_required_for_arrow_parens_expr[] ++ INIT(= N_("E1275: String or function required for ->(expr)")); ++#endif +diff -up vim82/src/eval.c.cve1420 vim82/src/eval.c +--- vim82/src/eval.c.cve1420 2022-04-25 16:01:03.560985007 +0200 ++++ vim82/src/eval.c 2022-04-25 16:14:11.746600369 +0200 +@@ -3718,13 +3718,20 @@ eval_lambda( + if (**arg != ')') + { + emsg(_(e_missing_close)); +- ret = FAIL; ++ return FAIL; ++ } ++ if (rettv->v_type != VAR_STRING && rettv->v_type != VAR_FUNC ++ && rettv->v_type != VAR_PARTIAL) ++ { ++ emsg(_(e_string_or_function_required_for_arrow_parens_expr)); ++ return FAIL; + } + ++*arg; + } + if (ret != OK) + return FAIL; +- else if (**arg != '(') ++ ++ if (**arg != '(') + { + if (verbose) + { +diff -up vim82/src/testdir/test_lambda.vim.cve1420 vim82/src/testdir/test_lambda.vim +--- vim82/src/testdir/test_lambda.vim.cve1420 2022-04-25 16:01:03.560985007 +0200 ++++ vim82/src/testdir/test_lambda.vim 2022-04-25 16:17:01.694886566 +0200 +@@ -64,6 +64,10 @@ function Test_lambda_fails() + call assert_fails('echo {a, a -> a + a}(1, 2)', 'E853:') + call assert_fails('echo {a, b -> a + b)}(1, 2)', 'E451:') + echo assert_fails('echo 10->{a -> a + 2}', 'E107:') ++ call assert_fails('eval 0->(3)()', "E1275:") ++ call assert_fails('eval 0->([3])()', "E1275:") ++ call assert_fails('eval 0->({"a": 3})()', "E1275:") ++ call assert_fails('eval 0->(xxx)()', "E121:") + endfunc + + func Test_not_lamda() diff --git a/SOURCES/0001-patch-8.2.4919-can-add-invalid-bytes-with-spellgood.patch b/SOURCES/0001-patch-8.2.4919-can-add-invalid-bytes-with-spellgood.patch new file mode 100644 index 0000000..321bf48 --- /dev/null +++ b/SOURCES/0001-patch-8.2.4919-can-add-invalid-bytes-with-spellgood.patch @@ -0,0 +1,50 @@ +diff -up vim82/src/errors.h.cve1621 vim82/src/errors.h +--- vim82/src/errors.h.cve1621 2022-05-24 13:36:23.883370040 +0200 ++++ vim82/src/errors.h 2022-05-24 13:36:47.665487703 +0200 +@@ -387,3 +387,7 @@ EXTERN char e_resulting_text_too_long[] + EXTERN char e_string_or_function_required_for_arrow_parens_expr[] + INIT(= N_("E1275: String or function required for ->(expr)")); + #endif ++#ifdef FEAT_SPELL ++EXTERN char e_illegal_character_in_word[] ++ INIT(= N_("E1280: Illegal character in word")); ++#endif +diff -up vim82/src/mbyte.c.cve1621 vim82/src/mbyte.c +--- vim82/src/mbyte.c.cve1621 2021-03-22 10:02:42.000000000 +0100 ++++ vim82/src/mbyte.c 2022-05-24 13:36:23.884370045 +0200 +@@ -4181,7 +4181,7 @@ theend: + convert_setup(&vimconv, NULL, NULL); + } + +-#if defined(FEAT_GUI_GTK) || defined(PROTO) ++#if defined(FEAT_GUI_GTK) || defined(FEAT_SPELL) || defined(PROTO) + /* + * Return TRUE if string "s" is a valid utf-8 string. + * When "end" is NULL stop at the first NUL. +diff -up vim82/src/spellfile.c.cve1621 vim82/src/spellfile.c +--- vim82/src/spellfile.c.cve1621 2021-03-22 10:02:42.000000000 +0100 ++++ vim82/src/spellfile.c 2022-05-24 13:36:23.885370049 +0200 +@@ -4391,6 +4391,10 @@ store_word( + int res = OK; + char_u *p; + ++ // Avoid adding illegal bytes to the word tree. ++ if (enc_utf8 && !utf_valid_string(word, NULL)) ++ return FAIL; ++ + (void)spell_casefold(word, len, foldword, MAXWLEN); + for (p = pfxlist; res == OK; ++p) + { +@@ -6191,6 +6195,12 @@ spell_add_word( + int i; + char_u *spf; + ++ if (enc_utf8 && !utf_valid_string(word, NULL)) ++ { ++ emsg(_(e_illegal_character_in_word)); ++ return; ++ } ++ + if (idx == 0) // use internal wordlist + { + if (int_wordlist == NULL) diff --git a/SOURCES/0001-patch-8.2.4925-trailing-backslash-may-cause-reading-.patch b/SOURCES/0001-patch-8.2.4925-trailing-backslash-may-cause-reading-.patch new file mode 100644 index 0000000..55dade6 --- /dev/null +++ b/SOURCES/0001-patch-8.2.4925-trailing-backslash-may-cause-reading-.patch @@ -0,0 +1,33 @@ +From 53a70289c2712808e6d4e88927e03cac01b470dd Mon Sep 17 00:00:00 2001 +From: Bram Moolenaar +Date: Mon, 9 May 2022 13:15:07 +0100 +Subject: [PATCH] patch 8.2.4925: trailing backslash may cause reading past end + of line + +Problem: Trailing backslash may cause reading past end of line. +Solution: Check for NUL after backslash. +--- + src/testdir/test_textobjects.vim | 10 +++++++++- + src/textobject.c | 4 ++++ + src/version.c | 2 ++ + 3 files changed, 15 insertions(+), 1 deletion(-) + +diff --git a/src/textobject.c b/src/textobject.c +index e4a7db38e..edaa64c51 100644 +--- a/src/textobject.c ++++ b/src/textobject.c +@@ -1664,7 +1664,11 @@ find_next_quote( + if (c == NUL) + return -1; + else if (escape != NULL && vim_strchr(escape, c)) ++ { + ++col; ++ if (line[col] == NUL) ++ return -1; ++ } + else if (c == quotechar) + break; + if (has_mbyte) +-- +2.36.1 + diff --git a/SOURCES/0001-patch-8.2.4977-memory-access-error-when-substitute-e.patch b/SOURCES/0001-patch-8.2.4977-memory-access-error-when-substitute-e.patch new file mode 100644 index 0000000..b5a9272 --- /dev/null +++ b/SOURCES/0001-patch-8.2.4977-memory-access-error-when-substitute-e.patch @@ -0,0 +1,59 @@ +diff -up vim82/src/ex_cmds.c.cve1785 vim82/src/ex_cmds.c +--- vim82/src/ex_cmds.c.cve1785 2022-06-10 10:26:16.883312704 +0200 ++++ vim82/src/ex_cmds.c 2022-06-10 10:26:16.910312568 +0200 +@@ -4356,12 +4356,17 @@ ex_substitute(exarg_T *eap) + // Save flags for recursion. They can change for e.g. + // :s/^/\=execute("s#^##gn") + subflags_save = subflags; ++ ++ // Disallow changing text or switching window in an expression. ++ ++textwinlock; + #endif + // get length of substitution part + sublen = vim_regsub_multi(®match, + sub_firstlnum - regmatch.startpos[0].lnum, + sub, sub_firstline, FALSE, magic_isset(), TRUE); + #ifdef FEAT_EVAL ++ --textwinlock; ++ + // If getting the substitute string caused an error, don't do + // the replacement. + // Don't keep flags set by a recursive call. +@@ -4462,9 +4467,15 @@ ex_substitute(exarg_T *eap) + mch_memmove(new_end, sub_firstline + copycol, (size_t)copy_len); + new_end += copy_len; + ++#ifdef FEAT_EVAL ++ ++textwinlock; ++#endif + (void)vim_regsub_multi(®match, + sub_firstlnum - regmatch.startpos[0].lnum, + sub, new_end, TRUE, magic_isset(), TRUE); ++#ifdef FEAT_EVAL ++ --textwinlock; ++#endif + sub_nsubs++; + did_sub = TRUE; + +diff -up vim82/src/testdir/test_substitute.vim.cve1785 vim82/src/testdir/test_substitute.vim +--- vim82/src/testdir/test_substitute.vim.cve1785 2022-06-10 10:26:16.910312568 +0200 ++++ vim82/src/testdir/test_substitute.vim 2022-06-10 10:27:02.166084629 +0200 +@@ -942,5 +942,18 @@ func Test_using_old_sub() + set nocompatible + endfunc + ++" This was switching windows in between computing the length and using it. ++func Test_sub_change_window() ++ silent! lfile ++ sil! norm o0000000000000000000000000000000000000000000000000000 ++ func Repl() ++ lopen ++ endfunc ++ silent! s/\%')/\=Repl() ++ bwipe! ++ bwipe! ++ delfunc Repl ++endfunc ++ + + " vim: shiftwidth=2 sts=2 expandtab diff --git a/SOURCES/0001-patch-8.2.5023-substitute-overwrites-allocated-buffe.patch b/SOURCES/0001-patch-8.2.5023-substitute-overwrites-allocated-buffe.patch new file mode 100644 index 0000000..71ce847 --- /dev/null +++ b/SOURCES/0001-patch-8.2.5023-substitute-overwrites-allocated-buffe.patch @@ -0,0 +1,121 @@ +diff -up vim82/src/normal.c.cve1897 vim82/src/normal.c +--- vim82/src/normal.c.cve1897 2022-06-13 09:31:42.880768567 +0200 ++++ vim82/src/normal.c 2022-06-13 09:35:38.560084927 +0200 +@@ -479,6 +479,22 @@ find_command(int cmdchar) + } + + /* ++ * If currently editing a cmdline or text is locked: beep and give an error ++ * message, return TRUE. ++ */ ++ static int ++check_text_locked(oparg_T *oap) ++{ ++ if (text_locked()) ++ { ++ clearopbeep(oap); ++ text_locked_msg(); ++ return TRUE; ++ } ++ return FALSE; ++} ++ ++/* + * Execute a command in Normal mode. + */ + void +@@ -742,14 +758,9 @@ getcount: + goto normal_end; + } + +- if (text_locked() && (nv_cmds[idx].cmd_flags & NV_NCW)) +- { +- // This command is not allowed while editing a cmdline: beep. +- clearopbeep(oap); +- text_locked_msg(); +- goto normal_end; +- } +- if ((nv_cmds[idx].cmd_flags & NV_NCW) && curbuf_locked()) ++ if ((nv_cmds[idx].cmd_flags & NV_NCW) ++ && (check_text_locked(oap) || curbuf_locked())) ++ // this command is not allowed now + goto normal_end; + + /* +@@ -4212,12 +4223,8 @@ nv_gotofile(cmdarg_T *cap) + char_u *ptr; + linenr_T lnum = -1; + +- if (text_locked()) +- { +- clearopbeep(cap->oap); +- text_locked_msg(); ++ if (check_text_locked(cap->oap)) + return; +- } + if (curbuf_locked()) + { + clearop(cap->oap); +@@ -6343,14 +6350,7 @@ nv_g_cmd(cmdarg_T *cap) + + // "gQ": improved Ex mode + case 'Q': +- if (text_locked()) +- { +- clearopbeep(cap->oap); +- text_locked_msg(); +- break; +- } +- +- if (!checkclearopq(oap)) ++ if (!check_text_locked(cap->oap) && !checkclearopq(oap)) + do_exmode(TRUE); + break; + +diff -up vim82/src/testdir/test_substitute.vim.cve1897 vim82/src/testdir/test_substitute.vim +--- vim82/src/testdir/test_substitute.vim.cve1897 2022-06-13 09:31:42.938768884 +0200 ++++ vim82/src/testdir/test_substitute.vim 2022-06-13 09:36:39.013406036 +0200 +@@ -955,5 +955,27 @@ func Test_sub_change_window() + delfunc Repl + endfunc + ++" This was undoign a change in between computing the length and using it. ++func Do_Test_sub_undo_change() ++ new ++ norm o0000000000000000000000000000000000000000000000000000 ++ silent! s/\%')/\=Repl() ++ bwipe! ++endfunc ++ ++func Test_sub_undo_change() ++ func Repl() ++ silent! norm g- ++ endfunc ++ call Do_Test_sub_undo_change() ++ ++ func! Repl() ++ silent earlier ++ endfunc ++ call Do_Test_sub_undo_change() ++ ++ delfunc Repl ++endfunc ++ + + " vim: shiftwidth=2 sts=2 expandtab +diff -up vim82/src/undo.c.cve1897 vim82/src/undo.c +--- vim82/src/undo.c.cve1897 2022-06-13 09:31:42.904768698 +0200 ++++ vim82/src/undo.c 2022-06-13 09:31:42.938768884 +0200 +@@ -2323,6 +2323,12 @@ undo_time( + int above = FALSE; + int did_undo = TRUE; + ++ if (text_locked()) ++ { ++ text_locked_msg(); ++ return; ++ } ++ + // First make sure the current undoable change is synced. + if (curbuf->b_u_synced == FALSE) + u_sync(TRUE); diff --git a/SOURCES/0001-patch-8.2.5037-cursor-position-may-be-invalid-after-.patch b/SOURCES/0001-patch-8.2.5037-cursor-position-may-be-invalid-after-.patch new file mode 100644 index 0000000..a8eeda7 --- /dev/null +++ b/SOURCES/0001-patch-8.2.5037-cursor-position-may-be-invalid-after-.patch @@ -0,0 +1,106 @@ +diff -up vim82/src/ex_docmd.c.cve1927 vim82/src/ex_docmd.c +--- vim82/src/ex_docmd.c.cve1927 2021-03-22 10:02:42.000000000 +0100 ++++ vim82/src/ex_docmd.c 2022-06-13 15:29:45.099472751 +0200 +@@ -3081,6 +3081,8 @@ parse_cmd_address(exarg_T *eap, char **e + { + int address_count = 1; + linenr_T lnum; ++ int need_check_cursor = FALSE; ++ int ret = FAIL; + + // Repeat for all ',' or ';' separated addresses. + for (;;) +@@ -3091,7 +3093,7 @@ parse_cmd_address(exarg_T *eap, char **e + lnum = get_address(eap, &eap->cmd, eap->addr_type, eap->skip, silent, + eap->addr_count == 0, address_count++); + if (eap->cmd == NULL) // error detected +- return FAIL; ++ goto theend; + if (lnum == MAXLNUM) + { + if (*eap->cmd == '%') // '%' - all lines +@@ -3136,14 +3138,14 @@ parse_cmd_address(exarg_T *eap, char **e + // there is no Vim command which uses '%' and + // ADDR_WINDOWS or ADDR_TABS + *errormsg = _(e_invrange); +- return FAIL; ++ goto theend; + } + break; + case ADDR_TABS_RELATIVE: + case ADDR_UNSIGNED: + case ADDR_QUICKFIX: + *errormsg = _(e_invrange); +- return FAIL; ++ goto theend; + case ADDR_ARGUMENTS: + if (ARGCOUNT == 0) + eap->line1 = eap->line2 = 0; +@@ -3175,7 +3177,7 @@ parse_cmd_address(exarg_T *eap, char **e + if (eap->addr_type != ADDR_LINES) + { + *errormsg = _(e_invrange); +- return FAIL; ++ goto theend; + } + + ++eap->cmd; +@@ -3183,11 +3185,11 @@ parse_cmd_address(exarg_T *eap, char **e + { + fp = getmark('<', FALSE); + if (check_mark(fp) == FAIL) +- return FAIL; ++ goto theend; + eap->line1 = fp->lnum; + fp = getmark('>', FALSE); + if (check_mark(fp) == FAIL) +- return FAIL; ++ goto theend; + eap->line2 = fp->lnum; + ++eap->addr_count; + } +@@ -3202,10 +3204,13 @@ parse_cmd_address(exarg_T *eap, char **e + if (!eap->skip) + { + curwin->w_cursor.lnum = eap->line2; ++ + // Don't leave the cursor on an illegal line or column, but do + // accept zero as address, so 0;/PATTERN/ works correctly. ++ // Check the cursor position before returning. + if (eap->line2 > 0) + check_cursor(); ++ need_check_cursor = TRUE; + } + } + else if (*eap->cmd != ',') +@@ -3221,7 +3226,12 @@ parse_cmd_address(exarg_T *eap, char **e + if (lnum == MAXLNUM) + eap->addr_count = 0; + } +- return OK; ++ ret = OK; ++ ++theend: ++ if (need_check_cursor) ++ check_cursor(); ++ return ret; + } + + /* +diff -up vim82/src/testdir/test_excmd.vim.cve1927 vim82/src/testdir/test_excmd.vim +--- vim82/src/testdir/test_excmd.vim.cve1927 2022-06-13 15:26:53.941517542 +0200 ++++ vim82/src/testdir/test_excmd.vim 2022-06-13 15:30:53.972860361 +0200 +@@ -536,4 +536,13 @@ func Test_sandbox() + sandbox call Sandbox_tests() + endfunc + ++" This was leaving the cursor in line zero ++func Test_using_zero_in_range() ++ new ++ norm o00 ++ silent! 0;s/\%') ++ bwipe! ++endfunc ++ ++ + " vim: shiftwidth=2 sts=2 expandtab diff --git a/SPECS/vim.spec b/SPECS/vim.spec index aab134b..2cc9194 100644 --- a/SPECS/vim.spec +++ b/SPECS/vim.spec @@ -27,7 +27,7 @@ Summary: The VIM editor URL: http://www.vim.org/ Name: vim Version: %{baseversion}.%{patchlevel} -Release: 15%{?dist} +Release: 16%{?dist}.3 License: Vim and MIT Source0: ftp://ftp.vim.org/pub/vim/unix/vim-%{baseversion}-%{patchlevel}.tar.bz2 Source1: virc @@ -116,6 +116,24 @@ Patch3041: 0001-patch-8.2.4359-crash-when-repeatedly-using-retab.patch Patch3042: 0001-patch-8.2.4397-crash-when-using-many-composing-chara.patch # CVE-2022-0714 vim: buffer overflow [rhel-9] Patch3043: 0001-patch-8.2.4436-crash-with-weird-vartabstop-value.patch +# CVE-2022-0554 vim: Use of Out-of-range Pointer Offset in vim prior +Patch3044: 0001-patch-8.2.4327-may-end-up-with-no-current-buffer.patch +# CVE-2022-0943 vim: Heap-based Buffer Overflow occurs in vim +Patch3045: 0001-patch-8.2.4563-z-in-Visual-mode-may-go-beyond-the-en.patch +# CVE-2022-1154 vim: use after free in utf_ptr2char +Patch3046: 0001-patch-8.2.4646-using-buffer-line-after-it-has-been-f.patch +# CVE-2022-1420 vim: Out-of-range Pointer Offset +Patch3047: 0001-patch-8.2.4774-crash-when-using-a-number-for-lambda-.patch +# CVE-2022-1621 vim: heap buffer overflow +Patch3048: 0001-patch-8.2.4919-can-add-invalid-bytes-with-spellgood.patch +# CVE-2022-1629 vim: buffer over-read +Patch3049: 0001-patch-8.2.4925-trailing-backslash-may-cause-reading-.patch +# CVE-2022-1785 vim: Out-of-bounds Write +Patch3050: 0001-patch-8.2.4977-memory-access-error-when-substitute-e.patch +# CVE-2022-1897 vim: out-of-bounds write in vim_regsub_both() in regexp.c +Patch3051: 0001-patch-8.2.5023-substitute-overwrites-allocated-buffe.patch +# CVE-2022-1927 vim: buffer over-read in utf_ptr2char() in mbyte.c +Patch3052: 0001-patch-8.2.5037-cursor-position-may-be-invalid-after-.patch # gcc is no longer in buildroot by default BuildRequires: gcc @@ -346,6 +364,15 @@ perl -pi -e "s,bin/nawk,bin/awk,g" runtime/tools/mve.awk %patch3041 -p1 -b .cve0572 %patch3042 -p1 -b .cve0629 %patch3043 -p1 -b .cve0714 +%patch3044 -p1 -b .cve0554 +%patch3045 -p1 -b .cve0943 +%patch3046 -p1 -b .cve1154 +%patch3047 -p1 -b .cve1420 +%patch3048 -p1 -b .cve1621 +%patch3049 -p1 -b .cve1629 +%patch3050 -p1 -b .cve1785 +%patch3051 -p1 -b .cve1897 +%patch3052 -p1 -b .cve1927 %build cd src @@ -903,6 +930,21 @@ touch %{buildroot}/%{_datadir}/%{name}/vimfiles/doc/tags %endif %changelog +* Mon Jun 13 2022 Zdenek Dohnal - 2:8.2.2637-16.3 +- CVE-2022-1785 vim: Out-of-bounds Write +- CVE-2022-1897 vim: out-of-bounds write in vim_regsub_both() in regexp.c +- CVE-2022-1927 vim: buffer over-read in utf_ptr2char() in mbyte.c + +* Wed May 25 2022 Zdenek Dohnal - 2:8.2.2637-16.2 +- CVE-2022-1621 vim: heap buffer overflow +- CVE-2022-1629 vim: buffer over-read + +* Mon Apr 25 2022 Zdenek Dohnal - 2:8.2.2637-16.1 +- CVE-2022-0554 vim: Use of Out-of-range Pointer Offset in vim prior +- CVE-2022-0943 vim: Heap-based Buffer Overflow occurs in vim +- CVE-2022-1154 vim: use after free in utf_ptr2char +- CVE-2022-1420 vim: Out-of-range Pointer Offset + * Thu Feb 24 2022 Zdenek Dohnal - 2:8.2.2637-15 - CVE-2022-0714 vim: buffer overflow [rhel-9]