diff --git a/SOURCES/0001-patch-8.2.4327-may-end-up-with-no-current-buffer.patch b/SOURCES/0001-patch-8.2.4327-may-end-up-with-no-current-buffer.patch
new file mode 100644
index 0000000..8c2cf3a
--- /dev/null
+++ b/SOURCES/0001-patch-8.2.4327-may-end-up-with-no-current-buffer.patch
@@ -0,0 +1,110 @@
+From e3537aec2f8d6470010547af28dcbd83d41461b8 Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Tue, 8 Feb 2022 15:05:20 +0000
+Subject: [PATCH] patch 8.2.4327: may end up with no current buffer
+
+Problem: May end up with no current buffer.
+Solution: When deleting the current buffer to not pick a quickfix buffer as
+ the new current buffer.
+---
+ src/buffer.c | 26 ++++++++++++++++++++++----
+ src/testdir/test_quickfix.vim | 25 +++++++++++++++++++++++++
+ src/version.c | 2 ++
+ 3 files changed, 49 insertions(+), 4 deletions(-)
+
+diff --git a/src/buffer.c b/src/buffer.c
+index 81bdb31ca..b3e2bc3f9 100644
+--- a/src/buffer.c
++++ b/src/buffer.c
+@@ -1430,8 +1430,14 @@ do_buffer_ext(
+ buf = buflist_findnr(curwin->w_jumplist[jumpidx].fmark.fnum);
+ if (buf != NULL)
+ {
+- if (buf == curbuf || !buf->b_p_bl)
+- buf = NULL; // skip current and unlisted bufs
++ // Skip current and unlisted bufs. Also skip a quickfix
++ // buffer, it might be deleted soon.
++ if (buf == curbuf || !buf->b_p_bl
++#if defined(FEAT_QUICKFIX)
++ || bt_quickfix(buf)
++#endif
++ )
++ buf = NULL;
+ else if (buf->b_ml.ml_mfp == NULL)
+ {
+ // skip unloaded buf, but may keep it for later
+@@ -1467,7 +1473,11 @@ do_buffer_ext(
+ continue;
+ }
+ // in non-help buffer, try to skip help buffers, and vv
+- if (buf->b_help == curbuf->b_help && buf->b_p_bl)
++ if (buf->b_help == curbuf->b_help && buf->b_p_bl
++#if defined(FEAT_QUICKFIX)
++ && !bt_quickfix(buf)
++#endif
++ )
+ {
+ if (buf->b_ml.ml_mfp != NULL) // found loaded buffer
+ break;
+@@ -1485,7 +1495,11 @@ do_buffer_ext(
+ if (buf == NULL) // No loaded buffer, find listed one
+ {
+ FOR_ALL_BUFFERS(buf)
+- if (buf->b_p_bl && buf != curbuf)
++ if (buf->b_p_bl && buf != curbuf
++#if defined(FEAT_QUICKFIX)
++ && !bt_quickfix(buf)
++#endif
++ )
+ break;
+ }
+ if (buf == NULL) // Still no buffer, just take one
+@@ -1494,6 +1508,10 @@ do_buffer_ext(
+ buf = curbuf->b_next;
+ else
+ buf = curbuf->b_prev;
++#if defined(FEAT_QUICKFIX)
++ if (bt_quickfix(buf))
++ buf = NULL;
++#endif
+ }
+ }
+
+diff --git a/src/testdir/test_quickfix.vim b/src/testdir/test_quickfix.vim
+index 07fdb9644..adb0ea4fd 100644
+--- a/src/testdir/test_quickfix.vim
++++ b/src/testdir/test_quickfix.vim
+@@ -5851,5 +5851,30 @@ func Test_lopen_bwipe()
+ delfunc R
+ endfunc
+
++" Another sequence of commands that caused all buffers to be wiped out
++func Test_lopen_bwipe_all()
++ let lines =<< trim END
++ func R()
++ silent! tab lopen
++ e foo
++ silent! lfile
++ endfunc
++ cal R()
++ exe "norm \<C-W>\<C-V>0"
++ cal R()
++ bwipe
++
++ call writefile(['done'], 'Xresult')
++ qall!
++ END
++ call writefile(lines, 'Xscript')
++ if RunVim([], [], '-u NONE -n -X -Z -e -m -s -S Xscript')
++ call assert_equal(['done'], readfile('Xresult'))
++ endif
++
++ call delete('Xscript')
++ call delete('Xresult')
++endfunc
++
+
+ " vim: shiftwidth=2 sts=2 expandtab
+--
+2.35.1
+
diff --git a/SOURCES/0001-patch-8.2.4563-z-in-Visual-mode-may-go-beyond-the-en.patch b/SOURCES/0001-patch-8.2.4563-z-in-Visual-mode-may-go-beyond-the-en.patch
new file mode 100644
index 0000000..4066b1e
--- /dev/null
+++ b/SOURCES/0001-patch-8.2.4563-z-in-Visual-mode-may-go-beyond-the-en.patch
@@ -0,0 +1,39 @@
+diff -up vim82/src/spellsuggest.c.cve0943 vim82/src/spellsuggest.c
+--- vim82/src/spellsuggest.c.cve0943 2022-03-28 20:48:07.079197805 +0200
++++ vim82/src/spellsuggest.c 2022-03-28 20:48:07.101197522 +0200
+@@ -501,6 +501,10 @@ spell_suggest(int count)
+ curwin->w_cursor.col = VIsual.col;
+ ++badlen;
+ end_visual_mode();
++ // make sure we don't include the NUL at the end of the line
++ line = ml_get_curline();
++ if (badlen > STRLEN(line) - curwin->w_cursor.col)
++ badlen = STRLEN(line) - curwin->w_cursor.col;
+ }
+ // Find the start of the badly spelled word.
+ else if (spell_move_to(curwin, FORWARD, TRUE, TRUE, NULL) == 0
+diff -up vim82/src/testdir/test_spell.vim.cve0943 vim82/src/testdir/test_spell.vim
+--- vim82/src/testdir/test_spell.vim.cve0943 2022-03-28 20:48:07.102197509 +0200
++++ vim82/src/testdir/test_spell.vim 2022-03-28 20:49:05.038452974 +0200
+@@ -441,6 +441,21 @@ func Test_spellsuggest_expr_errors()
+ delfunc MySuggest3
+ endfunc
+
++func Test_spellsuggest_visual_end_of_line()
++ let enc_save = &encoding
++ set encoding=iso8859
++
++ " This was reading beyond the end of the line.
++ norm R00000000000
++ sil norm �0
++ sil! norm �i00000)
++ sil! norm �i00000)
++ call feedkeys("\<CR>")
++ norm z=
++
++ let &encoding = enc_save
++endfunc
++
+ func Test_spellinfo()
+ new
+ let runtime = substitute($VIMRUNTIME, '\\', '/', 'g')
diff --git a/SOURCES/0001-patch-8.2.4646-using-buffer-line-after-it-has-been-f.patch b/SOURCES/0001-patch-8.2.4646-using-buffer-line-after-it-has-been-f.patch
new file mode 100644
index 0000000..3d45b8e
--- /dev/null
+++ b/SOURCES/0001-patch-8.2.4646-using-buffer-line-after-it-has-been-f.patch
@@ -0,0 +1,44 @@
+diff -up vim82/src/regexp_bt.c.cve1154 vim82/src/regexp_bt.c
+--- vim82/src/regexp_bt.c.cve1154 2022-04-25 15:22:28.367621755 +0200
++++ vim82/src/regexp_bt.c 2022-04-25 15:25:13.726340728 +0200
+@@ -3188,8 +3188,17 @@ regmatch(
+ int mark = OPERAND(scan)[0];
+ int cmp = OPERAND(scan)[1];
+ pos_T *pos;
++ size_t col = REG_MULTI ? rex.input - rex.line : 0;
+
+ pos = getmark_buf(rex.reg_buf, mark, FALSE);
++
++ // Line may have been freed, get it again.
++ if (REG_MULTI)
++ {
++ rex.line = reg_getline(rex.lnum);
++ rex.input = rex.line + col;
++ }
++
+ if (pos == NULL // mark doesn't exist
+ || pos->lnum <= 0 // mark isn't set in reg_buf
+ || (pos->lnum == rex.lnum + rex.reg_firstlnum
+diff -up vim82/src/testdir/test_regexp_latin.vim.cve1154 vim82/src/testdir/test_regexp_latin.vim
+--- vim82/src/testdir/test_regexp_latin.vim.cve1154 2022-04-25 15:22:28.368621752 +0200
++++ vim82/src/testdir/test_regexp_latin.vim 2022-04-25 15:26:57.515227712 +0200
+@@ -954,4 +954,19 @@ func Test_using_visual_position()
+ bwipe!
+ endfunc
+
++func Test_using_mark_position()
++ " this was using freed memory
++ " new engine
++ new
++ norm O0
++ call assert_fails("s/\\%')", 'E486:')
++ bwipe!
++
++ " old engine
++ new
++ norm O0
++ call assert_fails("s/\\%#=1\\%')", 'E486:')
++ bwipe!
++endfunc
++
+ " vim: shiftwidth=2 sts=2 expandtab
diff --git a/SOURCES/0001-patch-8.2.4774-crash-when-using-a-number-for-lambda-.patch b/SOURCES/0001-patch-8.2.4774-crash-when-using-a-number-for-lambda-.patch
new file mode 100644
index 0000000..60a6c54
--- /dev/null
+++ b/SOURCES/0001-patch-8.2.4774-crash-when-using-a-number-for-lambda-.patch
@@ -0,0 +1,51 @@
+diff -up vim82/src/errors.h.cve1420 vim82/src/errors.h
+--- vim82/src/errors.h.cve1420 2022-04-25 16:01:03.559985019 +0200
++++ vim82/src/errors.h 2022-04-25 16:01:58.113332024 +0200
+@@ -383,3 +383,7 @@ EXTERN char e_cannot_use_default_values_
+ INIT(= N_("E1172: Cannot use default values in a lambda"));
+ EXTERN char e_resulting_text_too_long[]
+ INIT(= N_("E1240: Resulting text too long"));
++#ifdef FEAT_EVAL
++EXTERN char e_string_or_function_required_for_arrow_parens_expr[]
++ INIT(= N_("E1275: String or function required for ->(expr)"));
++#endif
+diff -up vim82/src/eval.c.cve1420 vim82/src/eval.c
+--- vim82/src/eval.c.cve1420 2022-04-25 16:01:03.560985007 +0200
++++ vim82/src/eval.c 2022-04-25 16:14:11.746600369 +0200
+@@ -3718,13 +3718,20 @@ eval_lambda(
+ if (**arg != ')')
+ {
+ emsg(_(e_missing_close));
+- ret = FAIL;
++ return FAIL;
++ }
++ if (rettv->v_type != VAR_STRING && rettv->v_type != VAR_FUNC
++ && rettv->v_type != VAR_PARTIAL)
++ {
++ emsg(_(e_string_or_function_required_for_arrow_parens_expr));
++ return FAIL;
+ }
+ ++*arg;
+ }
+ if (ret != OK)
+ return FAIL;
+- else if (**arg != '(')
++
++ if (**arg != '(')
+ {
+ if (verbose)
+ {
+diff -up vim82/src/testdir/test_lambda.vim.cve1420 vim82/src/testdir/test_lambda.vim
+--- vim82/src/testdir/test_lambda.vim.cve1420 2022-04-25 16:01:03.560985007 +0200
++++ vim82/src/testdir/test_lambda.vim 2022-04-25 16:17:01.694886566 +0200
+@@ -64,6 +64,10 @@ function Test_lambda_fails()
+ call assert_fails('echo {a, a -> a + a}(1, 2)', 'E853:')
+ call assert_fails('echo {a, b -> a + b)}(1, 2)', 'E451:')
+ echo assert_fails('echo 10->{a -> a + 2}', 'E107:')
++ call assert_fails('eval 0->(3)()', "E1275:")
++ call assert_fails('eval 0->([3])()', "E1275:")
++ call assert_fails('eval 0->({"a": 3})()', "E1275:")
++ call assert_fails('eval 0->(xxx)()', "E121:")
+ endfunc
+
+ func Test_not_lamda()
diff --git a/SOURCES/0001-patch-8.2.4919-can-add-invalid-bytes-with-spellgood.patch b/SOURCES/0001-patch-8.2.4919-can-add-invalid-bytes-with-spellgood.patch
new file mode 100644
index 0000000..321bf48
--- /dev/null
+++ b/SOURCES/0001-patch-8.2.4919-can-add-invalid-bytes-with-spellgood.patch
@@ -0,0 +1,50 @@
+diff -up vim82/src/errors.h.cve1621 vim82/src/errors.h
+--- vim82/src/errors.h.cve1621 2022-05-24 13:36:23.883370040 +0200
++++ vim82/src/errors.h 2022-05-24 13:36:47.665487703 +0200
+@@ -387,3 +387,7 @@ EXTERN char e_resulting_text_too_long[]
+ EXTERN char e_string_or_function_required_for_arrow_parens_expr[]
+ INIT(= N_("E1275: String or function required for ->(expr)"));
+ #endif
++#ifdef FEAT_SPELL
++EXTERN char e_illegal_character_in_word[]
++ INIT(= N_("E1280: Illegal character in word"));
++#endif
+diff -up vim82/src/mbyte.c.cve1621 vim82/src/mbyte.c
+--- vim82/src/mbyte.c.cve1621 2021-03-22 10:02:42.000000000 +0100
++++ vim82/src/mbyte.c 2022-05-24 13:36:23.884370045 +0200
+@@ -4181,7 +4181,7 @@ theend:
+ convert_setup(&vimconv, NULL, NULL);
+ }
+
+-#if defined(FEAT_GUI_GTK) || defined(PROTO)
++#if defined(FEAT_GUI_GTK) || defined(FEAT_SPELL) || defined(PROTO)
+ /*
+ * Return TRUE if string "s" is a valid utf-8 string.
+ * When "end" is NULL stop at the first NUL.
+diff -up vim82/src/spellfile.c.cve1621 vim82/src/spellfile.c
+--- vim82/src/spellfile.c.cve1621 2021-03-22 10:02:42.000000000 +0100
++++ vim82/src/spellfile.c 2022-05-24 13:36:23.885370049 +0200
+@@ -4391,6 +4391,10 @@ store_word(
+ int res = OK;
+ char_u *p;
+
++ // Avoid adding illegal bytes to the word tree.
++ if (enc_utf8 && !utf_valid_string(word, NULL))
++ return FAIL;
++
+ (void)spell_casefold(word, len, foldword, MAXWLEN);
+ for (p = pfxlist; res == OK; ++p)
+ {
+@@ -6191,6 +6195,12 @@ spell_add_word(
+ int i;
+ char_u *spf;
+
++ if (enc_utf8 && !utf_valid_string(word, NULL))
++ {
++ emsg(_(e_illegal_character_in_word));
++ return;
++ }
++
+ if (idx == 0) // use internal wordlist
+ {
+ if (int_wordlist == NULL)
diff --git a/SOURCES/0001-patch-8.2.4925-trailing-backslash-may-cause-reading-.patch b/SOURCES/0001-patch-8.2.4925-trailing-backslash-may-cause-reading-.patch
new file mode 100644
index 0000000..55dade6
--- /dev/null
+++ b/SOURCES/0001-patch-8.2.4925-trailing-backslash-may-cause-reading-.patch
@@ -0,0 +1,33 @@
+From 53a70289c2712808e6d4e88927e03cac01b470dd Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Mon, 9 May 2022 13:15:07 +0100
+Subject: [PATCH] patch 8.2.4925: trailing backslash may cause reading past end
+ of line
+
+Problem: Trailing backslash may cause reading past end of line.
+Solution: Check for NUL after backslash.
+---
+ src/testdir/test_textobjects.vim | 10 +++++++++-
+ src/textobject.c | 4 ++++
+ src/version.c | 2 ++
+ 3 files changed, 15 insertions(+), 1 deletion(-)
+
+diff --git a/src/textobject.c b/src/textobject.c
+index e4a7db38e..edaa64c51 100644
+--- a/src/textobject.c
++++ b/src/textobject.c
+@@ -1664,7 +1664,11 @@ find_next_quote(
+ if (c == NUL)
+ return -1;
+ else if (escape != NULL && vim_strchr(escape, c))
++ {
+ ++col;
++ if (line[col] == NUL)
++ return -1;
++ }
+ else if (c == quotechar)
+ break;
+ if (has_mbyte)
+--
+2.36.1
+
diff --git a/SPECS/vim.spec b/SPECS/vim.spec
index aab134b..8fe2b5d 100644
--- a/SPECS/vim.spec
+++ b/SPECS/vim.spec
@@ -27,7 +27,7 @@ Summary: The VIM editor
URL: http://www.vim.org/
Name: vim
Version: %{baseversion}.%{patchlevel}
-Release: 15%{?dist}
+Release: 16%{?dist}.2
License: Vim and MIT
Source0: ftp://ftp.vim.org/pub/vim/unix/vim-%{baseversion}-%{patchlevel}.tar.bz2
Source1: virc
@@ -116,6 +116,18 @@ Patch3041: 0001-patch-8.2.4359-crash-when-repeatedly-using-retab.patch
Patch3042: 0001-patch-8.2.4397-crash-when-using-many-composing-chara.patch
# CVE-2022-0714 vim: buffer overflow [rhel-9]
Patch3043: 0001-patch-8.2.4436-crash-with-weird-vartabstop-value.patch
+# CVE-2022-0554 vim: Use of Out-of-range Pointer Offset in vim prior
+Patch3044: 0001-patch-8.2.4327-may-end-up-with-no-current-buffer.patch
+# CVE-2022-0943 vim: Heap-based Buffer Overflow occurs in vim
+Patch3045: 0001-patch-8.2.4563-z-in-Visual-mode-may-go-beyond-the-en.patch
+# CVE-2022-1154 vim: use after free in utf_ptr2char
+Patch3046: 0001-patch-8.2.4646-using-buffer-line-after-it-has-been-f.patch
+# CVE-2022-1420 vim: Out-of-range Pointer Offset
+Patch3047: 0001-patch-8.2.4774-crash-when-using-a-number-for-lambda-.patch
+# CVE-2022-1621 vim: heap buffer overflow
+Patch3048: 0001-patch-8.2.4919-can-add-invalid-bytes-with-spellgood.patch
+# CVE-2022-1629 vim: buffer over-read
+Patch3049: 0001-patch-8.2.4925-trailing-backslash-may-cause-reading-.patch
# gcc is no longer in buildroot by default
BuildRequires: gcc
@@ -346,6 +358,12 @@ perl -pi -e "s,bin/nawk,bin/awk,g" runtime/tools/mve.awk
%patch3041 -p1 -b .cve0572
%patch3042 -p1 -b .cve0629
%patch3043 -p1 -b .cve0714
+%patch3044 -p1 -b .cve0554
+%patch3045 -p1 -b .cve0943
+%patch3046 -p1 -b .cve1154
+%patch3047 -p1 -b .cve1420
+%patch3048 -p1 -b .cve1621
+%patch3049 -p1 -b .cve1629
%build
cd src
@@ -903,6 +921,16 @@ touch %{buildroot}/%{_datadir}/%{name}/vimfiles/doc/tags
%endif
%changelog
+* Wed May 25 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.2.2637-16.2
+- CVE-2022-1621 vim: heap buffer overflow
+- CVE-2022-1629 vim: buffer over-read
+
+* Mon Apr 25 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.2.2637-16.1
+- CVE-2022-0554 vim: Use of Out-of-range Pointer Offset in vim prior
+- CVE-2022-0943 vim: Heap-based Buffer Overflow occurs in vim
+- CVE-2022-1154 vim: use after free in utf_ptr2char
+- CVE-2022-1420 vim: Out-of-range Pointer Offset
+
* Thu Feb 24 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.2.2637-15
- CVE-2022-0714 vim: buffer overflow [rhel-9]