diff --git a/SOURCES/0001-patch-8.2.4919-can-add-invalid-bytes-with-spellgood.patch b/SOURCES/0001-patch-8.2.4919-can-add-invalid-bytes-with-spellgood.patch
index e998524..b887afe 100644
--- a/SOURCES/0001-patch-8.2.4919-can-add-invalid-bytes-with-spellgood.patch
+++ b/SOURCES/0001-patch-8.2.4919-can-add-invalid-bytes-with-spellgood.patch
@@ -1,7 +1,8 @@
-diff -up vim80/src/globals.h.cve1621 vim80/src/globals.h
---- vim80/src/globals.h.cve1621	2022-05-24 12:46:44.883952323 +0200
-+++ vim80/src/globals.h	2022-05-24 12:47:30.534183523 +0200
-@@ -1657,6 +1657,11 @@ EXTERN int *eval_lavars_used INIT(= NULL
+diff --git a/src/globals.h b/src/globals.h
+index d5320d7..968ba33 100644
+--- a/src/globals.h
++++ b/src/globals.h
+@@ -1657,6 +1657,11 @@ EXTERN int *eval_lavars_used INIT(= NULL);
  EXTERN int ctrl_break_was_pressed INIT(= FALSE);
  #endif
  
@@ -13,9 +14,10 @@ diff -up vim80/src/globals.h.cve1621 vim80/src/globals.h
  /*
   * Optional Farsi support.  Include it here, so EXTERN and INIT are defined.
   */
-diff -up vim80/src/mbyte.c.cve1621 vim80/src/mbyte.c
---- vim80/src/mbyte.c.cve1621	2018-04-09 14:55:56.000000000 +0200
-+++ vim80/src/mbyte.c	2022-05-24 12:22:13.166893098 +0200
+diff --git a/src/mbyte.c b/src/mbyte.c
+index 6d21f11..a7531f1 100644
+--- a/src/mbyte.c
++++ b/src/mbyte.c
 @@ -4034,7 +4034,7 @@ theend:
      convert_setup(&vimconv, NULL, NULL);
  }
@@ -25,9 +27,10 @@ diff -up vim80/src/mbyte.c.cve1621 vim80/src/mbyte.c
  /*
   * Return TRUE if string "s" is a valid utf-8 string.
   * When "end" is NULL stop at the first NUL.
-diff -up vim80/src/spellfile.c.cve1621 vim80/src/spellfile.c
---- vim80/src/spellfile.c.cve1621	2022-05-24 12:22:13.167893104 +0200
-+++ vim80/src/spellfile.c	2022-05-24 12:49:55.816919350 +0200
+diff --git a/src/spellfile.c b/src/spellfile.c
+index 496e07f..92997ef 100644
+--- a/src/spellfile.c
++++ b/src/spellfile.c
 @@ -4441,6 +4441,10 @@ store_word(
      int		res = OK;
      char_u	*p;
@@ -45,7 +48,7 @@ diff -up vim80/src/spellfile.c.cve1621 vim80/src/spellfile.c
  
 +    if (enc_utf8 && !utf_valid_string(word, NULL))
 +    {
-+	emsg(_(e_illegal_character_in_word));
++	EMSG(_(e_illegal_character_in_word));
 +	return;
 +    }
 +
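Review bot: The only functional change in this file, `emsg(` to `EMSG(` in the store_word() guard, is mixed into a regeneration of the patch headers from `diff -up` to `diff --git` form, which makes it easy to miss in review. Presumably this is the covscan fix named in the 19.4 changelog entry. If so, the entry would read better as `- fix covscan issue in the CVE-2022-1621 patch (use EMSG() for the error message)`. store_word()'s body continues outside the hunk.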
diff --git a/SOURCES/0001-patch-8.2.4977-memory-access-error-when-substitute-e.patch b/SOURCES/0001-patch-8.2.4977-memory-access-error-when-substitute-e.patch
new file mode 100644
index 0000000..2391a5f
--- /dev/null
+++ b/SOURCES/0001-patch-8.2.4977-memory-access-error-when-substitute-e.patch
@@ -0,0 +1,57 @@
+diff -up vim80/src/ex_cmds.c.cve1785 vim80/src/ex_cmds.c
+--- vim80/src/ex_cmds.c.cve1785	2022-06-10 10:46:33.818286626 +0200
++++ vim80/src/ex_cmds.c	2022-06-10 10:58:04.009515524 +0200
+@@ -5486,12 +5486,17 @@ do_sub(exarg_T *eap)
+ 		/* Save flags for recursion.  They can change for e.g.
+ 		 * :s/^/\=execute("s#^##gn") */
+ 		subflags_save = subflags;
++
++		// Disallow changing text or switching window in an expression.
++		++textlock;
+ #endif
+ 		/* get length of substitution part */
+ 		sublen = vim_regsub_multi(&regmatch,
+ 				    sub_firstlnum - regmatch.startpos[0].lnum,
+ 				    sub, sub_firstline, FALSE, p_magic, TRUE);
+ #ifdef FEAT_EVAL
++		--textlock;
++
+ 		/* Don't keep flags set by a recursive call. */
+ 		subflags = subflags_save;
+ 		if (subflags.do_count)
+@@ -5570,9 +5575,15 @@ do_sub(exarg_T *eap)
+ 		mch_memmove(new_end, sub_firstline + copycol, (size_t)copy_len);
+ 		new_end += copy_len;
+ 
++#ifdef FEAT_EVAL
++		++textlock;
++#endif
+ 		(void)vim_regsub_multi(&regmatch,
+ 				    sub_firstlnum - regmatch.startpos[0].lnum,
+ 					   sub, new_end, TRUE, p_magic, TRUE);
++#ifdef FEAT_EVAL
++		--textlock;
++#endif
+ 		sub_nsubs++;
+ 		did_sub = TRUE;
+ 
+diff -up vim80/src/testdir/test_substitute.vim.cve1785 vim80/src/testdir/test_substitute.vim
+--- vim80/src/testdir/test_substitute.vim.cve1785	2022-06-10 10:46:33.818286626 +0200
++++ vim80/src/testdir/test_substitute.vim	2022-06-10 10:59:17.168437630 +0200
+@@ -500,3 +500,16 @@ func Test_sub_cmd_8()
+   enew!
+   set titlestring&
+ endfunc
++
++" This was switching windows in between computing the length and using it.
++func Test_sub_change_window()
++  silent! lfile
++  sil! norm o0000000000000000000000000000000000000000000000000000
++  func Repl()
++    lopen
++  endfunc
++  silent!  s/\%')/\=Repl()
++  bwipe!
++  bwipe!
++  delfunc Repl
++endfunc
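Review bot: Test_sub_change_window() asserts nothing, and the `s/\%')/\=Repl()` command that would hit the new lock runs under `silent!`. On an uninstrumented build it can therefore pass whether or not the `++textlock`/`--textlock` pairs in do_sub() reject the `lopen` in Repl(). I would add a comment above the function such as `" No assertions: a regression shows only as a memory error, so run under ASan or valgrind.` do_sub() itself starts and ends outside the patch's hunks, so this covers only the two visible vim_regsub_multi() call sites.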
diff --git a/SOURCES/0001-patch-8.2.5023-substitute-overwrites-allocated-buffe.patch b/SOURCES/0001-patch-8.2.5023-substitute-overwrites-allocated-buffe.patch
new file mode 100644
index 0000000..5475937
--- /dev/null
+++ b/SOURCES/0001-patch-8.2.5023-substitute-overwrites-allocated-buffe.patch
@@ -0,0 +1,120 @@
+diff -up vim80/src/normal.c.cve1897 vim80/src/normal.c
+--- vim80/src/normal.c.cve1897	2022-06-13 14:50:22.800290132 +0200
++++ vim80/src/normal.c	2022-06-13 14:55:06.082861349 +0200
+@@ -532,6 +532,22 @@ find_command(int cmdchar)
+ }
+ 
+ /*
++ * If currently editing a cmdline or text is locked: beep and give an error
++ * message, return TRUE.
++ */
++    static int
++check_text_locked(oparg_T *oap)
++{
++    if (text_locked())
++    {
++	clearopbeep(oap);
++	text_locked_msg();
++	return TRUE;
++    }
++    return FALSE;
++}
++
++/*
+  * Execute a command in Normal mode.
+  */
+     void
+@@ -792,14 +808,9 @@ getcount:
+ 	goto normal_end;
+     }
+ 
+-    if (text_locked() && (nv_cmds[idx].cmd_flags & NV_NCW))
+-    {
+-	/* This command is not allowed while editing a cmdline: beep. */
+-	clearopbeep(oap);
+-	text_locked_msg();
+-	goto normal_end;
+-    }
+-    if ((nv_cmds[idx].cmd_flags & NV_NCW) && curbuf_locked())
++    if ((nv_cmds[idx].cmd_flags & NV_NCW)
++				&& (check_text_locked(oap) || curbuf_locked()))
++	// this command is not allowed now
+ 	goto normal_end;
+ 
+     /*
+@@ -6234,12 +6245,8 @@ nv_gotofile(cmdarg_T *cap)
+     char_u	*ptr;
+     linenr_T	lnum = -1;
+ 
+-    if (text_locked())
+-    {
+-	clearopbeep(cap->oap);
+-	text_locked_msg();
++    if (check_text_locked(cap->oap))
+ 	return;
+-    }
+     if (curbuf_locked())
+     {
+ 	clearop(cap->oap);
+@@ -8420,14 +8427,7 @@ nv_g_cmd(cmdarg_T *cap)
+ 
+     /* "gQ": improved Ex mode */
+     case 'Q':
+-	if (text_locked())
+-	{
+-	    clearopbeep(cap->oap);
+-	    text_locked_msg();
+-	    break;
+-	}
+-
+-	if (!checkclearopq(oap))
++	if (!check_text_locked(cap->oap) && !checkclearopq(oap))
+ 	    do_exmode(TRUE);
+ 	break;
+ 
+diff -up vim80/src/testdir/test_substitute.vim.cve1897 vim80/src/testdir/test_substitute.vim
+--- vim80/src/testdir/test_substitute.vim.cve1897	2022-06-13 14:50:22.849290402 +0200
++++ vim80/src/testdir/test_substitute.vim	2022-06-13 14:55:50.370111134 +0200
+@@ -513,3 +513,26 @@ func Test_sub_change_window()
+   bwipe!
+   delfunc Repl
+ endfunc
++
++" This was undoign a change in between computing the length and using it.
++func Do_Test_sub_undo_change()
++  new
++  norm o0000000000000000000000000000000000000000000000000000
++  silent! s/\%')/\=Repl()
++  bwipe!
++endfunc
++
++func Test_sub_undo_change()
++  func Repl()
++    silent! norm g-
++  endfunc
++  call Do_Test_sub_undo_change()
++
++  func! Repl()
++    silent earlier
++  endfunc
++  call Do_Test_sub_undo_change()
++
++  delfunc Repl
++endfunc
++
+diff -up vim80/src/undo.c.cve1897 vim80/src/undo.c
+--- vim80/src/undo.c.cve1897	2022-06-13 14:50:22.849290402 +0200
++++ vim80/src/undo.c	2022-06-13 14:56:57.916492090 +0200
+@@ -2283,6 +2283,12 @@ undo_time(
+     if (curbuf->b_u_synced == FALSE)
+ 	u_sync(TRUE);
+ 
++    if (text_locked())
++    {
++	text_locked_msg();
++	return;
++    }
++
+     u_newcount = 0;
+     u_oldcount = 0;
+     if (curbuf->b_ml.ml_flags & ML_EMPTY)
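Review bot: In undo_time() the new `text_locked()` guard comes after the `u_sync(TRUE)` call, so a call that is refused because text is locked has already run the sync on the current buffer. Unless that ordering is intentional for this backport, I would move the `if (text_locked()) { text_locked_msg(); return; }` block above the `if (curbuf->b_u_synced == FALSE)` line so that a rejected call has no side effects. The rest of undo_time() is outside the hunk, so I cannot tell whether anything earlier in the function should also be skipped.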
diff --git a/SOURCES/0001-patch-8.2.5037-cursor-position-may-be-invalid-after-.patch b/SOURCES/0001-patch-8.2.5037-cursor-position-may-be-invalid-after-.patch
new file mode 100644
index 0000000..bd20285
--- /dev/null
+++ b/SOURCES/0001-patch-8.2.5037-cursor-position-may-be-invalid-after-.patch
@@ -0,0 +1,85 @@
+diff -up vim80/src/ex_docmd.c.cve1927 vim80/src/ex_docmd.c
+--- vim80/src/ex_docmd.c.cve1927	2022-06-13 16:31:41.841068554 +0200
++++ vim80/src/ex_docmd.c	2022-06-13 16:37:02.789876973 +0200
+@@ -1720,6 +1720,8 @@ do_one_cmd(
+     int			ni;			/* set when Not Implemented */
+     char_u		*cmd;
+     int			address_count = 1;
++    int			need_check_cursor = FALSE;
++    int			ret_addr = FAIL;
+ 
+     vim_memset(&ea, 0, sizeof(ea));
+     ea.line1 = 1;
+@@ -2084,7 +2086,7 @@ do_one_cmd(
+ 	lnum = get_address(&ea, &ea.cmd, ea.addr_type, ea.skip,
+ 					  ea.addr_count == 0, address_count++);
+ 	if (ea.cmd == NULL)		    /* error detected */
+-	    goto doend;
++	    goto addr_end;
+ 	if (lnum == MAXLNUM)
+ 	{
+ 	    if (*ea.cmd == '%')		    /* '%' - all lines */
+@@ -2128,12 +2130,12 @@ do_one_cmd(
+ 			    /* there is no Vim command which uses '%' and
+ 			     * ADDR_WINDOWS or ADDR_TABS */
+ 			    errormsg = (char_u *)_(e_invrange);
+-			    goto doend;
++			    goto addr_end;
+ 			}
+ 			break;
+ 		    case ADDR_TABS_RELATIVE:
+ 			errormsg = (char_u *)_(e_invrange);
+-			goto doend;
++			goto addr_end;
+ 			break;
+ 		    case ADDR_ARGUMENTS:
+ 			if (ARGCOUNT == 0)
+@@ -2163,7 +2165,7 @@ do_one_cmd(
+ 		if (ea.addr_type != ADDR_LINES)
+ 		{
+ 		    errormsg = (char_u *)_(e_invrange);
+-		    goto doend;
++		    goto addr_end;
+ 		}
+ 
+ 		++ea.cmd;
+@@ -2171,11 +2173,11 @@ do_one_cmd(
+ 		{
+ 		    fp = getmark('<', FALSE);
+ 		    if (check_mark(fp) == FAIL)
+-			goto doend;
++			goto addr_end;
+ 		    ea.line1 = fp->lnum;
+ 		    fp = getmark('>', FALSE);
+ 		    if (check_mark(fp) == FAIL)
+-			goto doend;
++			goto addr_end;
+ 		    ea.line2 = fp->lnum;
+ 		    ++ea.addr_count;
+ 		}
+@@ -2190,8 +2192,11 @@ do_one_cmd(
+ 	    if (!ea.skip)
+ 	    {
+ 		curwin->w_cursor.lnum = ea.line2;
++
+ 		/* don't leave the cursor on an illegal line or column */
++		// Check the cursor position before returning.
+ 		check_cursor();
++		need_check_cursor = TRUE;
+ 	    }
+ 	}
+ 	else if (*ea.cmd != ',')
+@@ -2208,6 +2213,13 @@ do_one_cmd(
+ 	    ea.addr_count = 0;
+     }
+ 
++    ret_addr = OK;
++
++addr_end:
++    if (need_check_cursor)
++	check_cursor();
++    if (ret_addr == FAIL)
++	goto doend;
+ /*
+  * 5. Parse the command.
+  */
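Review bot: In the `if (!ea.skip)` block of do_one_cmd(), the added `// Check the cursor position before returning.` is stacked under the old `/* don't leave the cursor on an illegal line or column */` comment, directly above the immediate `check_cursor();`. It actually describes the deferred check that `need_check_cursor` requests at `addr_end`. I would leave the old comment on the immediate call and put `// Re-check at addr_end, which the error paths also reach.` above `need_check_cursor = TRUE;`. do_one_cmd() starts and ends outside the hunks shown.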
diff --git a/SPECS/vim.spec b/SPECS/vim.spec
index 4c78012..712d5ac 100644
--- a/SPECS/vim.spec
+++ b/SPECS/vim.spec
@@ -24,7 +24,7 @@ Summary: The VIM editor
 URL:     http://www.vim.org/
 Name: vim
 Version: %{baseversion}.%{patchlevel}
-Release: 19%{?dist}.2
+Release: 19%{?dist}.4
 License: Vim and MIT
 Source0: ftp://ftp.vim.org/pub/vim/unix/vim-%{baseversion}-%{patchlevel}.tar.bz2
 Source1: vim.sh
@@ -106,6 +106,12 @@ Patch3035: 0001-patch-8.2.4646-using-buffer-line-after-it-has-been-f.patch
 Patch3036: 0001-patch-8.2.4919-can-add-invalid-bytes-with-spellgood.patch
 # CVE-2022-1629 vim: buffer over-read
 Patch3037: 0001-patch-8.2.4925-trailing-backslash-may-cause-reading-.patch
+# CVE-2022-1785 vim: Out-of-bounds Write
+Patch3038: 0001-patch-8.2.4977-memory-access-error-when-substitute-e.patch
+# CVE-2022-1897 vim: out-of-bounds write in vim_regsub_both() in regexp.c
+Patch3039: 0001-patch-8.2.5023-substitute-overwrites-allocated-buffe.patch
+# CVE-2022-1927 vim: buffer over-read in utf_ptr2char() in mbyte.c
+Patch3040: 0001-patch-8.2.5037-cursor-position-may-be-invalid-after-.patch
 
 # gcc is no longer in buildroot by default
 BuildRequires: gcc
@@ -320,6 +326,9 @@ perl -pi -e "s,bin/nawk,bin/awk,g" runtime/tools/mve.awk
 %patch3035 -p1 -b .cve1154
 %patch3036 -p1 -b .cve1621
 %patch3037 -p1 -b .cve1629
+%patch3038 -p1 -b .cve1785
+%patch3039 -p1 -b .cve1897
+%patch3040 -p1 -b .cve1927
 
 %build
 %if 0%{?rhel} > 7
@@ -838,6 +847,14 @@ touch %{buildroot}/%{_datadir}/%{name}/vimfiles/doc/tags
 %{_datadir}/icons/locolor/*/apps/*
 
 %changelog
+* Tue Jun 14 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.0.1763-19.4
+- fix issue reported by covscan
+
+* Mon Jun 13 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.0.1763-19.3
+- CVE-2022-1785 vim: Out-of-bounds Write
+- CVE-2022-1897 vim: out-of-bounds write in vim_regsub_both() in regexp.c
+- CVE-2022-1927 vim: buffer over-read in utf_ptr2char() in mbyte.c
+
 * Wed May 25 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.0.1763-19.2
 - CVE-2022-1621 vim: heap buffer overflow
 - CVE-2022-1629 vim: buffer over-read