diff --git a/SOURCES/0001-patch-8.2.4327-may-end-up-with-no-current-buffer.patch b/SOURCES/0001-patch-8.2.4327-may-end-up-with-no-current-buffer.patch
new file mode 100644
index 0000000..8c2cf3a
--- /dev/null
+++ b/SOURCES/0001-patch-8.2.4327-may-end-up-with-no-current-buffer.patch
@@ -0,0 +1,110 @@
+From e3537aec2f8d6470010547af28dcbd83d41461b8 Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Tue, 8 Feb 2022 15:05:20 +0000
+Subject: [PATCH] patch 8.2.4327: may end up with no current buffer
+
+Problem: May end up with no current buffer.
+Solution: When deleting the current buffer to not pick a quickfix buffer as
+ the new current buffer.
+---
+ src/buffer.c | 26 ++++++++++++++++++++++----
+ src/testdir/test_quickfix.vim | 25 +++++++++++++++++++++++++
+ src/version.c | 2 ++
+ 3 files changed, 49 insertions(+), 4 deletions(-)
+
+diff --git a/src/buffer.c b/src/buffer.c
+index 81bdb31ca..b3e2bc3f9 100644
+--- a/src/buffer.c
++++ b/src/buffer.c
+@@ -1430,8 +1430,14 @@ do_buffer_ext(
+ buf = buflist_findnr(curwin->w_jumplist[jumpidx].fmark.fnum);
+ if (buf != NULL)
+ {
+- if (buf == curbuf || !buf->b_p_bl)
+- buf = NULL; // skip current and unlisted bufs
++ // Skip current and unlisted bufs. Also skip a quickfix
++ // buffer, it might be deleted soon.
++ if (buf == curbuf || !buf->b_p_bl
++#if defined(FEAT_QUICKFIX)
++ || bt_quickfix(buf)
++#endif
++ )
++ buf = NULL;
+ else if (buf->b_ml.ml_mfp == NULL)
+ {
+ // skip unloaded buf, but may keep it for later
+@@ -1467,7 +1473,11 @@ do_buffer_ext(
+ continue;
+ }
+ // in non-help buffer, try to skip help buffers, and vv
+- if (buf->b_help == curbuf->b_help && buf->b_p_bl)
++ if (buf->b_help == curbuf->b_help && buf->b_p_bl
++#if defined(FEAT_QUICKFIX)
++ && !bt_quickfix(buf)
++#endif
++ )
+ {
+ if (buf->b_ml.ml_mfp != NULL) // found loaded buffer
+ break;
+@@ -1485,7 +1495,11 @@ do_buffer_ext(
+ if (buf == NULL) // No loaded buffer, find listed one
+ {
+ FOR_ALL_BUFFERS(buf)
+- if (buf->b_p_bl && buf != curbuf)
++ if (buf->b_p_bl && buf != curbuf
++#if defined(FEAT_QUICKFIX)
++ && !bt_quickfix(buf)
++#endif
++ )
+ break;
+ }
+ if (buf == NULL) // Still no buffer, just take one
+@@ -1494,6 +1508,10 @@ do_buffer_ext(
+ buf = curbuf->b_next;
+ else
+ buf = curbuf->b_prev;
++#if defined(FEAT_QUICKFIX)
++ if (bt_quickfix(buf))
++ buf = NULL;
++#endif
+ }
+ }
+
+diff --git a/src/testdir/test_quickfix.vim b/src/testdir/test_quickfix.vim
+index 07fdb9644..adb0ea4fd 100644
+--- a/src/testdir/test_quickfix.vim
++++ b/src/testdir/test_quickfix.vim
+@@ -5851,5 +5851,30 @@ func Test_lopen_bwipe()
+ delfunc R
+ endfunc
+
++" Another sequence of commands that caused all buffers to be wiped out
++func Test_lopen_bwipe_all()
++ let lines =<< trim END
++ func R()
++ silent! tab lopen
++ e foo
++ silent! lfile
++ endfunc
++ cal R()
++ exe "norm \<C-W>\<C-V>0"
++ cal R()
++ bwipe
++
++ call writefile(['done'], 'Xresult')
++ qall!
++ END
++ call writefile(lines, 'Xscript')
++ if RunVim([], [], '-u NONE -n -X -Z -e -m -s -S Xscript')
++ call assert_equal(['done'], readfile('Xresult'))
++ endif
++
++ call delete('Xscript')
++ call delete('Xresult')
++endfunc
++
+
+ " vim: shiftwidth=2 sts=2 expandtab
+--
+2.35.1
+
diff --git a/SOURCES/0001-patch-8.2.4563-z-in-Visual-mode-may-go-beyond-the-en.patch b/SOURCES/0001-patch-8.2.4563-z-in-Visual-mode-may-go-beyond-the-en.patch
new file mode 100644
index 0000000..4066b1e
--- /dev/null
+++ b/SOURCES/0001-patch-8.2.4563-z-in-Visual-mode-may-go-beyond-the-en.patch
@@ -0,0 +1,39 @@
+diff -up vim82/src/spellsuggest.c.cve0943 vim82/src/spellsuggest.c
+--- vim82/src/spellsuggest.c.cve0943 2022-03-28 20:48:07.079197805 +0200
++++ vim82/src/spellsuggest.c 2022-03-28 20:48:07.101197522 +0200
+@@ -501,6 +501,10 @@ spell_suggest(int count)
+ curwin->w_cursor.col = VIsual.col;
+ ++badlen;
+ end_visual_mode();
++ // make sure we don't include the NUL at the end of the line
++ line = ml_get_curline();
++ if (badlen > STRLEN(line) - curwin->w_cursor.col)
++ badlen = STRLEN(line) - curwin->w_cursor.col;
+ }
+ // Find the start of the badly spelled word.
+ else if (spell_move_to(curwin, FORWARD, TRUE, TRUE, NULL) == 0
+diff -up vim82/src/testdir/test_spell.vim.cve0943 vim82/src/testdir/test_spell.vim
+--- vim82/src/testdir/test_spell.vim.cve0943 2022-03-28 20:48:07.102197509 +0200
++++ vim82/src/testdir/test_spell.vim 2022-03-28 20:49:05.038452974 +0200
+@@ -441,6 +441,21 @@ func Test_spellsuggest_expr_errors()
+ delfunc MySuggest3
+ endfunc
+
++func Test_spellsuggest_visual_end_of_line()
++ let enc_save = &encoding
++ set encoding=iso8859
++
++ " This was reading beyond the end of the line.
++ norm R00000000000
++ sil norm �0
++ sil! norm �i00000)
++ sil! norm �i00000)
++ call feedkeys("\<CR>")
++ norm z=
++
++ let &encoding = enc_save
++endfunc
++
+ func Test_spellinfo()
+ new
+ let runtime = substitute($VIMRUNTIME, '\\', '/', 'g')
diff --git a/SOURCES/0001-patch-8.2.4646-using-buffer-line-after-it-has-been-f.patch b/SOURCES/0001-patch-8.2.4646-using-buffer-line-after-it-has-been-f.patch
new file mode 100644
index 0000000..3d45b8e
--- /dev/null
+++ b/SOURCES/0001-patch-8.2.4646-using-buffer-line-after-it-has-been-f.patch
@@ -0,0 +1,44 @@
+diff -up vim82/src/regexp_bt.c.cve1154 vim82/src/regexp_bt.c
+--- vim82/src/regexp_bt.c.cve1154 2022-04-25 15:22:28.367621755 +0200
++++ vim82/src/regexp_bt.c 2022-04-25 15:25:13.726340728 +0200
+@@ -3188,8 +3188,17 @@ regmatch(
+ int mark = OPERAND(scan)[0];
+ int cmp = OPERAND(scan)[1];
+ pos_T *pos;
++ size_t col = REG_MULTI ? rex.input - rex.line : 0;
+
+ pos = getmark_buf(rex.reg_buf, mark, FALSE);
++
++ // Line may have been freed, get it again.
++ if (REG_MULTI)
++ {
++ rex.line = reg_getline(rex.lnum);
++ rex.input = rex.line + col;
++ }
++
+ if (pos == NULL // mark doesn't exist
+ || pos->lnum <= 0 // mark isn't set in reg_buf
+ || (pos->lnum == rex.lnum + rex.reg_firstlnum
+diff -up vim82/src/testdir/test_regexp_latin.vim.cve1154 vim82/src/testdir/test_regexp_latin.vim
+--- vim82/src/testdir/test_regexp_latin.vim.cve1154 2022-04-25 15:22:28.368621752 +0200
++++ vim82/src/testdir/test_regexp_latin.vim 2022-04-25 15:26:57.515227712 +0200
+@@ -954,4 +954,19 @@ func Test_using_visual_position()
+ bwipe!
+ endfunc
+
++func Test_using_mark_position()
++ " this was using freed memory
++ " new engine
++ new
++ norm O0
++ call assert_fails("s/\\%')", 'E486:')
++ bwipe!
++
++ " old engine
++ new
++ norm O0
++ call assert_fails("s/\\%#=1\\%')", 'E486:')
++ bwipe!
++endfunc
++
+ " vim: shiftwidth=2 sts=2 expandtab
diff --git a/SOURCES/0001-patch-8.2.4774-crash-when-using-a-number-for-lambda-.patch b/SOURCES/0001-patch-8.2.4774-crash-when-using-a-number-for-lambda-.patch
new file mode 100644
index 0000000..60a6c54
--- /dev/null
+++ b/SOURCES/0001-patch-8.2.4774-crash-when-using-a-number-for-lambda-.patch
@@ -0,0 +1,51 @@
+diff -up vim82/src/errors.h.cve1420 vim82/src/errors.h
+--- vim82/src/errors.h.cve1420 2022-04-25 16:01:03.559985019 +0200
++++ vim82/src/errors.h 2022-04-25 16:01:58.113332024 +0200
+@@ -383,3 +383,7 @@ EXTERN char e_cannot_use_default_values_
+ INIT(= N_("E1172: Cannot use default values in a lambda"));
+ EXTERN char e_resulting_text_too_long[]
+ INIT(= N_("E1240: Resulting text too long"));
++#ifdef FEAT_EVAL
++EXTERN char e_string_or_function_required_for_arrow_parens_expr[]
++ INIT(= N_("E1275: String or function required for ->(expr)"));
++#endif
+diff -up vim82/src/eval.c.cve1420 vim82/src/eval.c
+--- vim82/src/eval.c.cve1420 2022-04-25 16:01:03.560985007 +0200
++++ vim82/src/eval.c 2022-04-25 16:14:11.746600369 +0200
+@@ -3718,13 +3718,20 @@ eval_lambda(
+ if (**arg != ')')
+ {
+ emsg(_(e_missing_close));
+- ret = FAIL;
++ return FAIL;
++ }
++ if (rettv->v_type != VAR_STRING && rettv->v_type != VAR_FUNC
++ && rettv->v_type != VAR_PARTIAL)
++ {
++ emsg(_(e_string_or_function_required_for_arrow_parens_expr));
++ return FAIL;
+ }
+ ++*arg;
+ }
+ if (ret != OK)
+ return FAIL;
+- else if (**arg != '(')
++
++ if (**arg != '(')
+ {
+ if (verbose)
+ {
+diff -up vim82/src/testdir/test_lambda.vim.cve1420 vim82/src/testdir/test_lambda.vim
+--- vim82/src/testdir/test_lambda.vim.cve1420 2022-04-25 16:01:03.560985007 +0200
++++ vim82/src/testdir/test_lambda.vim 2022-04-25 16:17:01.694886566 +0200
+@@ -64,6 +64,10 @@ function Test_lambda_fails()
+ call assert_fails('echo {a, a -> a + a}(1, 2)', 'E853:')
+ call assert_fails('echo {a, b -> a + b)}(1, 2)', 'E451:')
+ echo assert_fails('echo 10->{a -> a + 2}', 'E107:')
++ call assert_fails('eval 0->(3)()', "E1275:")
++ call assert_fails('eval 0->([3])()', "E1275:")
++ call assert_fails('eval 0->({"a": 3})()', "E1275:")
++ call assert_fails('eval 0->(xxx)()', "E121:")
+ endfunc
+
+ func Test_not_lamda()
diff --git a/SOURCES/0001-patch-8.2.4919-can-add-invalid-bytes-with-spellgood.patch b/SOURCES/0001-patch-8.2.4919-can-add-invalid-bytes-with-spellgood.patch
new file mode 100644
index 0000000..321bf48
--- /dev/null
+++ b/SOURCES/0001-patch-8.2.4919-can-add-invalid-bytes-with-spellgood.patch
@@ -0,0 +1,50 @@
+diff -up vim82/src/errors.h.cve1621 vim82/src/errors.h
+--- vim82/src/errors.h.cve1621 2022-05-24 13:36:23.883370040 +0200
++++ vim82/src/errors.h 2022-05-24 13:36:47.665487703 +0200
+@@ -387,3 +387,7 @@ EXTERN char e_resulting_text_too_long[]
+ EXTERN char e_string_or_function_required_for_arrow_parens_expr[]
+ INIT(= N_("E1275: String or function required for ->(expr)"));
+ #endif
++#ifdef FEAT_SPELL
++EXTERN char e_illegal_character_in_word[]
++ INIT(= N_("E1280: Illegal character in word"));
++#endif
+diff -up vim82/src/mbyte.c.cve1621 vim82/src/mbyte.c
+--- vim82/src/mbyte.c.cve1621 2021-03-22 10:02:42.000000000 +0100
++++ vim82/src/mbyte.c 2022-05-24 13:36:23.884370045 +0200
+@@ -4181,7 +4181,7 @@ theend:
+ convert_setup(&vimconv, NULL, NULL);
+ }
+
+-#if defined(FEAT_GUI_GTK) || defined(PROTO)
++#if defined(FEAT_GUI_GTK) || defined(FEAT_SPELL) || defined(PROTO)
+ /*
+ * Return TRUE if string "s" is a valid utf-8 string.
+ * When "end" is NULL stop at the first NUL.
+diff -up vim82/src/spellfile.c.cve1621 vim82/src/spellfile.c
+--- vim82/src/spellfile.c.cve1621 2021-03-22 10:02:42.000000000 +0100
++++ vim82/src/spellfile.c 2022-05-24 13:36:23.885370049 +0200
+@@ -4391,6 +4391,10 @@ store_word(
+ int res = OK;
+ char_u *p;
+
++ // Avoid adding illegal bytes to the word tree.
++ if (enc_utf8 && !utf_valid_string(word, NULL))
++ return FAIL;
++
+ (void)spell_casefold(word, len, foldword, MAXWLEN);
+ for (p = pfxlist; res == OK; ++p)
+ {
+@@ -6191,6 +6195,12 @@ spell_add_word(
+ int i;
+ char_u *spf;
+
++ if (enc_utf8 && !utf_valid_string(word, NULL))
++ {
++ emsg(_(e_illegal_character_in_word));
++ return;
++ }
++
+ if (idx == 0) // use internal wordlist
+ {
+ if (int_wordlist == NULL)
diff --git a/SOURCES/0001-patch-8.2.4925-trailing-backslash-may-cause-reading-.patch b/SOURCES/0001-patch-8.2.4925-trailing-backslash-may-cause-reading-.patch
new file mode 100644
index 0000000..55dade6
--- /dev/null
+++ b/SOURCES/0001-patch-8.2.4925-trailing-backslash-may-cause-reading-.patch
@@ -0,0 +1,33 @@
+From 53a70289c2712808e6d4e88927e03cac01b470dd Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Mon, 9 May 2022 13:15:07 +0100
+Subject: [PATCH] patch 8.2.4925: trailing backslash may cause reading past end
+ of line
+
+Problem: Trailing backslash may cause reading past end of line.
+Solution: Check for NUL after backslash.
+---
+ src/testdir/test_textobjects.vim | 10 +++++++++-
+ src/textobject.c | 4 ++++
+ src/version.c | 2 ++
+ 3 files changed, 15 insertions(+), 1 deletion(-)
+
+diff --git a/src/textobject.c b/src/textobject.c
+index e4a7db38e..edaa64c51 100644
+--- a/src/textobject.c
++++ b/src/textobject.c
+@@ -1664,7 +1664,11 @@ find_next_quote(
+ if (c == NUL)
+ return -1;
+ else if (escape != NULL && vim_strchr(escape, c))
++ {
+ ++col;
++ if (line[col] == NUL)
++ return -1;
++ }
+ else if (c == quotechar)
+ break;
+ if (has_mbyte)
+--
+2.36.1
+
diff --git a/SOURCES/0001-patch-8.2.4977-memory-access-error-when-substitute-e.patch b/SOURCES/0001-patch-8.2.4977-memory-access-error-when-substitute-e.patch
new file mode 100644
index 0000000..b5a9272
--- /dev/null
+++ b/SOURCES/0001-patch-8.2.4977-memory-access-error-when-substitute-e.patch
@@ -0,0 +1,59 @@
+diff -up vim82/src/ex_cmds.c.cve1785 vim82/src/ex_cmds.c
+--- vim82/src/ex_cmds.c.cve1785 2022-06-10 10:26:16.883312704 +0200
++++ vim82/src/ex_cmds.c 2022-06-10 10:26:16.910312568 +0200
+@@ -4356,12 +4356,17 @@ ex_substitute(exarg_T *eap)
+ // Save flags for recursion. They can change for e.g.
+ // :s/^/\=execute("s#^##gn")
+ subflags_save = subflags;
++
++ // Disallow changing text or switching window in an expression.
++ ++textwinlock;
+ #endif
+ // get length of substitution part
+ sublen = vim_regsub_multi(®match,
+ sub_firstlnum - regmatch.startpos[0].lnum,
+ sub, sub_firstline, FALSE, magic_isset(), TRUE);
+ #ifdef FEAT_EVAL
++ --textwinlock;
++
+ // If getting the substitute string caused an error, don't do
+ // the replacement.
+ // Don't keep flags set by a recursive call.
+@@ -4462,9 +4467,15 @@ ex_substitute(exarg_T *eap)
+ mch_memmove(new_end, sub_firstline + copycol, (size_t)copy_len);
+ new_end += copy_len;
+
++#ifdef FEAT_EVAL
++ ++textwinlock;
++#endif
+ (void)vim_regsub_multi(®match,
+ sub_firstlnum - regmatch.startpos[0].lnum,
+ sub, new_end, TRUE, magic_isset(), TRUE);
++#ifdef FEAT_EVAL
++ --textwinlock;
++#endif
+ sub_nsubs++;
+ did_sub = TRUE;
+
+diff -up vim82/src/testdir/test_substitute.vim.cve1785 vim82/src/testdir/test_substitute.vim
+--- vim82/src/testdir/test_substitute.vim.cve1785 2022-06-10 10:26:16.910312568 +0200
++++ vim82/src/testdir/test_substitute.vim 2022-06-10 10:27:02.166084629 +0200
+@@ -942,5 +942,18 @@ func Test_using_old_sub()
+ set nocompatible
+ endfunc
+
++" This was switching windows in between computing the length and using it.
++func Test_sub_change_window()
++ silent! lfile
++ sil! norm o0000000000000000000000000000000000000000000000000000
++ func Repl()
++ lopen
++ endfunc
++ silent! s/\%')/\=Repl()
++ bwipe!
++ bwipe!
++ delfunc Repl
++endfunc
++
+
+ " vim: shiftwidth=2 sts=2 expandtab
diff --git a/SOURCES/0001-patch-8.2.5023-substitute-overwrites-allocated-buffe.patch b/SOURCES/0001-patch-8.2.5023-substitute-overwrites-allocated-buffe.patch
new file mode 100644
index 0000000..71ce847
--- /dev/null
+++ b/SOURCES/0001-patch-8.2.5023-substitute-overwrites-allocated-buffe.patch
@@ -0,0 +1,121 @@
+diff -up vim82/src/normal.c.cve1897 vim82/src/normal.c
+--- vim82/src/normal.c.cve1897 2022-06-13 09:31:42.880768567 +0200
++++ vim82/src/normal.c 2022-06-13 09:35:38.560084927 +0200
+@@ -479,6 +479,22 @@ find_command(int cmdchar)
+ }
+
+ /*
++ * If currently editing a cmdline or text is locked: beep and give an error
++ * message, return TRUE.
++ */
++ static int
++check_text_locked(oparg_T *oap)
++{
++ if (text_locked())
++ {
++ clearopbeep(oap);
++ text_locked_msg();
++ return TRUE;
++ }
++ return FALSE;
++}
++
++/*
+ * Execute a command in Normal mode.
+ */
+ void
+@@ -742,14 +758,9 @@ getcount:
+ goto normal_end;
+ }
+
+- if (text_locked() && (nv_cmds[idx].cmd_flags & NV_NCW))
+- {
+- // This command is not allowed while editing a cmdline: beep.
+- clearopbeep(oap);
+- text_locked_msg();
+- goto normal_end;
+- }
+- if ((nv_cmds[idx].cmd_flags & NV_NCW) && curbuf_locked())
++ if ((nv_cmds[idx].cmd_flags & NV_NCW)
++ && (check_text_locked(oap) || curbuf_locked()))
++ // this command is not allowed now
+ goto normal_end;
+
+ /*
+@@ -4212,12 +4223,8 @@ nv_gotofile(cmdarg_T *cap)
+ char_u *ptr;
+ linenr_T lnum = -1;
+
+- if (text_locked())
+- {
+- clearopbeep(cap->oap);
+- text_locked_msg();
++ if (check_text_locked(cap->oap))
+ return;
+- }
+ if (curbuf_locked())
+ {
+ clearop(cap->oap);
+@@ -6343,14 +6350,7 @@ nv_g_cmd(cmdarg_T *cap)
+
+ // "gQ": improved Ex mode
+ case 'Q':
+- if (text_locked())
+- {
+- clearopbeep(cap->oap);
+- text_locked_msg();
+- break;
+- }
+-
+- if (!checkclearopq(oap))
++ if (!check_text_locked(cap->oap) && !checkclearopq(oap))
+ do_exmode(TRUE);
+ break;
+
+diff -up vim82/src/testdir/test_substitute.vim.cve1897 vim82/src/testdir/test_substitute.vim
+--- vim82/src/testdir/test_substitute.vim.cve1897 2022-06-13 09:31:42.938768884 +0200
++++ vim82/src/testdir/test_substitute.vim 2022-06-13 09:36:39.013406036 +0200
+@@ -955,5 +955,27 @@ func Test_sub_change_window()
+ delfunc Repl
+ endfunc
+
++" This was undoign a change in between computing the length and using it.
++func Do_Test_sub_undo_change()
++ new
++ norm o0000000000000000000000000000000000000000000000000000
++ silent! s/\%')/\=Repl()
++ bwipe!
++endfunc
++
++func Test_sub_undo_change()
++ func Repl()
++ silent! norm g-
++ endfunc
++ call Do_Test_sub_undo_change()
++
++ func! Repl()
++ silent earlier
++ endfunc
++ call Do_Test_sub_undo_change()
++
++ delfunc Repl
++endfunc
++
+
+ " vim: shiftwidth=2 sts=2 expandtab
+diff -up vim82/src/undo.c.cve1897 vim82/src/undo.c
+--- vim82/src/undo.c.cve1897 2022-06-13 09:31:42.904768698 +0200
++++ vim82/src/undo.c 2022-06-13 09:31:42.938768884 +0200
+@@ -2323,6 +2323,12 @@ undo_time(
+ int above = FALSE;
+ int did_undo = TRUE;
+
++ if (text_locked())
++ {
++ text_locked_msg();
++ return;
++ }
++
+ // First make sure the current undoable change is synced.
+ if (curbuf->b_u_synced == FALSE)
+ u_sync(TRUE);
diff --git a/SOURCES/0001-patch-8.2.5037-cursor-position-may-be-invalid-after-.patch b/SOURCES/0001-patch-8.2.5037-cursor-position-may-be-invalid-after-.patch
new file mode 100644
index 0000000..a8eeda7
--- /dev/null
+++ b/SOURCES/0001-patch-8.2.5037-cursor-position-may-be-invalid-after-.patch
@@ -0,0 +1,106 @@
+diff -up vim82/src/ex_docmd.c.cve1927 vim82/src/ex_docmd.c
+--- vim82/src/ex_docmd.c.cve1927 2021-03-22 10:02:42.000000000 +0100
++++ vim82/src/ex_docmd.c 2022-06-13 15:29:45.099472751 +0200
+@@ -3081,6 +3081,8 @@ parse_cmd_address(exarg_T *eap, char **e
+ {
+ int address_count = 1;
+ linenr_T lnum;
++ int need_check_cursor = FALSE;
++ int ret = FAIL;
+
+ // Repeat for all ',' or ';' separated addresses.
+ for (;;)
+@@ -3091,7 +3093,7 @@ parse_cmd_address(exarg_T *eap, char **e
+ lnum = get_address(eap, &eap->cmd, eap->addr_type, eap->skip, silent,
+ eap->addr_count == 0, address_count++);
+ if (eap->cmd == NULL) // error detected
+- return FAIL;
++ goto theend;
+ if (lnum == MAXLNUM)
+ {
+ if (*eap->cmd == '%') // '%' - all lines
+@@ -3136,14 +3138,14 @@ parse_cmd_address(exarg_T *eap, char **e
+ // there is no Vim command which uses '%' and
+ // ADDR_WINDOWS or ADDR_TABS
+ *errormsg = _(e_invrange);
+- return FAIL;
++ goto theend;
+ }
+ break;
+ case ADDR_TABS_RELATIVE:
+ case ADDR_UNSIGNED:
+ case ADDR_QUICKFIX:
+ *errormsg = _(e_invrange);
+- return FAIL;
++ goto theend;
+ case ADDR_ARGUMENTS:
+ if (ARGCOUNT == 0)
+ eap->line1 = eap->line2 = 0;
+@@ -3175,7 +3177,7 @@ parse_cmd_address(exarg_T *eap, char **e
+ if (eap->addr_type != ADDR_LINES)
+ {
+ *errormsg = _(e_invrange);
+- return FAIL;
++ goto theend;
+ }
+
+ ++eap->cmd;
+@@ -3183,11 +3185,11 @@ parse_cmd_address(exarg_T *eap, char **e
+ {
+ fp = getmark('<', FALSE);
+ if (check_mark(fp) == FAIL)
+- return FAIL;
++ goto theend;
+ eap->line1 = fp->lnum;
+ fp = getmark('>', FALSE);
+ if (check_mark(fp) == FAIL)
+- return FAIL;
++ goto theend;
+ eap->line2 = fp->lnum;
+ ++eap->addr_count;
+ }
+@@ -3202,10 +3204,13 @@ parse_cmd_address(exarg_T *eap, char **e
+ if (!eap->skip)
+ {
+ curwin->w_cursor.lnum = eap->line2;
++
+ // Don't leave the cursor on an illegal line or column, but do
+ // accept zero as address, so 0;/PATTERN/ works correctly.
++ // Check the cursor position before returning.
+ if (eap->line2 > 0)
+ check_cursor();
++ need_check_cursor = TRUE;
+ }
+ }
+ else if (*eap->cmd != ',')
+@@ -3221,7 +3226,12 @@ parse_cmd_address(exarg_T *eap, char **e
+ if (lnum == MAXLNUM)
+ eap->addr_count = 0;
+ }
+- return OK;
++ ret = OK;
++
++theend:
++ if (need_check_cursor)
++ check_cursor();
++ return ret;
+ }
+
+ /*
+diff -up vim82/src/testdir/test_excmd.vim.cve1927 vim82/src/testdir/test_excmd.vim
+--- vim82/src/testdir/test_excmd.vim.cve1927 2022-06-13 15:26:53.941517542 +0200
++++ vim82/src/testdir/test_excmd.vim 2022-06-13 15:30:53.972860361 +0200
+@@ -536,4 +536,13 @@ func Test_sandbox()
+ sandbox call Sandbox_tests()
+ endfunc
+
++" This was leaving the cursor in line zero
++func Test_using_zero_in_range()
++ new
++ norm o00
++ silent! 0;s/\%')
++ bwipe!
++endfunc
++
++
+ " vim: shiftwidth=2 sts=2 expandtab
diff --git a/SPECS/vim.spec b/SPECS/vim.spec
index aab134b..2cc9194 100644
--- a/SPECS/vim.spec
+++ b/SPECS/vim.spec
@@ -27,7 +27,7 @@ Summary: The VIM editor
URL: http://www.vim.org/
Name: vim
Version: %{baseversion}.%{patchlevel}
-Release: 15%{?dist}
+Release: 16%{?dist}.3
License: Vim and MIT
Source0: ftp://ftp.vim.org/pub/vim/unix/vim-%{baseversion}-%{patchlevel}.tar.bz2
Source1: virc
@@ -116,6 +116,24 @@ Patch3041: 0001-patch-8.2.4359-crash-when-repeatedly-using-retab.patch
Patch3042: 0001-patch-8.2.4397-crash-when-using-many-composing-chara.patch
# CVE-2022-0714 vim: buffer overflow [rhel-9]
Patch3043: 0001-patch-8.2.4436-crash-with-weird-vartabstop-value.patch
+# CVE-2022-0554 vim: Use of Out-of-range Pointer Offset in vim prior
+Patch3044: 0001-patch-8.2.4327-may-end-up-with-no-current-buffer.patch
+# CVE-2022-0943 vim: Heap-based Buffer Overflow occurs in vim
+Patch3045: 0001-patch-8.2.4563-z-in-Visual-mode-may-go-beyond-the-en.patch
+# CVE-2022-1154 vim: use after free in utf_ptr2char
+Patch3046: 0001-patch-8.2.4646-using-buffer-line-after-it-has-been-f.patch
+# CVE-2022-1420 vim: Out-of-range Pointer Offset
+Patch3047: 0001-patch-8.2.4774-crash-when-using-a-number-for-lambda-.patch
+# CVE-2022-1621 vim: heap buffer overflow
+Patch3048: 0001-patch-8.2.4919-can-add-invalid-bytes-with-spellgood.patch
+# CVE-2022-1629 vim: buffer over-read
+Patch3049: 0001-patch-8.2.4925-trailing-backslash-may-cause-reading-.patch
+# CVE-2022-1785 vim: Out-of-bounds Write
+Patch3050: 0001-patch-8.2.4977-memory-access-error-when-substitute-e.patch
+# CVE-2022-1897 vim: out-of-bounds write in vim_regsub_both() in regexp.c
+Patch3051: 0001-patch-8.2.5023-substitute-overwrites-allocated-buffe.patch
+# CVE-2022-1927 vim: buffer over-read in utf_ptr2char() in mbyte.c
+Patch3052: 0001-patch-8.2.5037-cursor-position-may-be-invalid-after-.patch
# gcc is no longer in buildroot by default
BuildRequires: gcc
@@ -346,6 +364,15 @@ perl -pi -e "s,bin/nawk,bin/awk,g" runtime/tools/mve.awk
%patch3041 -p1 -b .cve0572
%patch3042 -p1 -b .cve0629
%patch3043 -p1 -b .cve0714
+%patch3044 -p1 -b .cve0554
+%patch3045 -p1 -b .cve0943
+%patch3046 -p1 -b .cve1154
+%patch3047 -p1 -b .cve1420
+%patch3048 -p1 -b .cve1621
+%patch3049 -p1 -b .cve1629
+%patch3050 -p1 -b .cve1785
+%patch3051 -p1 -b .cve1897
+%patch3052 -p1 -b .cve1927
%build
cd src
@@ -903,6 +930,21 @@ touch %{buildroot}/%{_datadir}/%{name}/vimfiles/doc/tags
%endif
%changelog
+* Mon Jun 13 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.2.2637-16.3
+- CVE-2022-1785 vim: Out-of-bounds Write
+- CVE-2022-1897 vim: out-of-bounds write in vim_regsub_both() in regexp.c
+- CVE-2022-1927 vim: buffer over-read in utf_ptr2char() in mbyte.c
+
+* Wed May 25 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.2.2637-16.2
+- CVE-2022-1621 vim: heap buffer overflow
+- CVE-2022-1629 vim: buffer over-read
+
+* Mon Apr 25 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.2.2637-16.1
+- CVE-2022-0554 vim: Use of Out-of-range Pointer Offset in vim prior
+- CVE-2022-0943 vim: Heap-based Buffer Overflow occurs in vim
+- CVE-2022-1154 vim: use after free in utf_ptr2char
+- CVE-2022-1420 vim: Out-of-range Pointer Offset
+
* Thu Feb 24 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.2.2637-15
- CVE-2022-0714 vim: buffer overflow [rhel-9]