From 26754e0637413d362d5bcb2f01040564d490bb6f Mon Sep 17 00:00:00 2001
From: Jiryu <2018302180146@whu.edu.cn>
Date: Fri, 14 Jul 2023 13:39:03 +0800
Subject: [PATCH 1/2] =?UTF-8?q?CVE-2022-1616=20=E5=AE=89=E5=85=A8=E6=9B=B4?= =?UTF-8?q?=E6=96=B0:Use=20after=20free=20in=20append=5Fcommand?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 debian/changelog | 6 ++++++
 src/ex_docmd.c | 4 +++-
 src/testdir/test_cmdline.vim | 11 +++++++++++
 src/version.c | 2 ++
 4 files changed, 22 insertions(+), 1 deletion(-)

diff --git a/debian/changelog b/debian/changelog
index 3401811..6b87075 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+vim (2:8.1.2269-ok6) yangtze; urgency=medium
+
+ * Jiryu CVE-2022-1616 Use after free in append_command in GitHub repository vim/vim prior to 8.2.4895
+
+ -- Jiryu <2018302180146@whu.edu.cn> Fri, 14 Jul 2023 13:33:54 +0800
+
 vim (2:8.1.2269-ok5) yangtze; urgency=medium
 * CVE-2022-1620 Vim 8.2之前版本存在代码问题漏洞,该漏洞源于regexp.c:2729的vim_regexec_string函数中NULL指针取消引用
diff --git a/src/ex_docmd.c b/src/ex_docmd.c
index 385cf3b..6b8fecb 100644
--- a/src/ex_docmd.c
+++ b/src/ex_docmd.c
@@ -3089,7 +3089,7 @@ append_command(char_u *cmd)
 STRCAT(IObuff, ": ");
 d = IObuff + STRLEN(IObuff);
- while (*s != NUL && d - IObuff < IOSIZE - 7)
+ while (*s != NUL && d - IObuff + 5 < IOSIZE)
 {
 if (enc_utf8 ? (s[0] == 0xc2 && s[1] == 0xa0) : *s == 0xa0)
 {
@@ -3097,6 +3097,8 @@ append_command(char_u *cmd)
 STRCPY(d, "");
 d += 4;
 }
+ else if (d - IObuff + (*mb_ptr2len)(s) + 1 >= IOSIZE)
+ break;
 else
 MB_COPY_CHAR(s, d);
 }
diff --git a/src/testdir/test_cmdline.vim b/src/testdir/test_cmdline.vim
index 3f73d3d..c977a63 100644
--- a/src/testdir/test_cmdline.vim
+++ b/src/testdir/test_cmdline.vim
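Review bot: The two new bound checks in append_command encode one invariant but nothing in either hunk explains it — the while condition reserves 5 bytes while the new `else if` reserves `(*mb_ptr2len)(s) + 1` — so add a comment above the loop such as `// leave room for the 4-byte no-break-space replacement plus NUL; a UTF-8 char with composing chars can be longer, so its length is re-checked before MB_COPY_CHAR`. The literal in `STRCPY(d, "")` in the second hunk looks stripped by the page rendering (the `d += 4` right after it only makes sense for a four-character replacement), so confirm the actual string in the tree rather than trusting this copy. append_command() begins before the first hunk and the code that NUL-terminates IObuff after the loop lies outside the second, so the `+ 1` reservation should be read against that terminator. Separately, the second patch in this series deletes the changelog entry again, leaving no debian/changelog record of this fix; that looks unintended.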
@@ -842,3 +842,14 @@ func Test_buffers_lastused()
 bwipeout bufb
 bwipeout bufc
 endfunc
+
+" this was going over the end of IObuff
+func Test_report_error_with_composing()
+ let caught = 'no'
+ try
+ exe repeat('0', 987) .. "0\xdd\x80\xdd\x80\xdd\x80\xdd\x80"
+ catch /E492:/
+ let caught = 'yes'
+ endtry
+ call assert_equal('yes', caught)
+endfunc
\ No newline at end of file
diff --git a/src/version.c b/src/version.c
index bd442f5..5ceb369 100644
--- a/src/version.c
+++ b/src/version.c
@@ -741,6 +741,8 @@ static char *(features[]) =
 static int included_patches[] =
 { /* Add new patch number below this line */
+/**/
+ 2271,
 /**/
 2270,
 /**/
--
Gitee

From 78dc96dbdfd59358894327b7a80c0bcbacf3716d Mon Sep 17 00:00:00 2001
From: Jiryu
Date: Thu, 27 Jul 2023 11:28:44 +0800
Subject: [PATCH 2/2] =?UTF-8?q?=E4=BF=AE=E5=A4=8D=20CVE-2022-1616?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 debian/changelog | 6 ------
 1 file changed, 6 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index 6b87075..3401811 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,9 +1,3 @@
-vim (2:8.1.2269-ok6) yangtze; urgency=medium
-
- * Jiryu CVE-2022-1616 Use after free in append_command in GitHub repository vim/vim prior to 8.2.4895
-
- -- Jiryu <2018302180146@whu.edu.cn> Fri, 14 Jul 2023 13:33:54 +0800
-
 vim (2:8.1.2269-ok5) yangtze; urgency=medium
 * CVE-2022-1620 Vim 8.2之前版本存在代码问题漏洞,该漏洞源于regexp.c:2729的vim_regexec_string函数中NULL指针取消引用
--
Gitee
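Review bot: The added block ends with `\ No newline at end of file`, so the new `endfunc` of Test_report_error_with_composing leaves test_cmdline.vim without a trailing newline; terminate the last added line with a newline so the file keeps the convention the rest of the test suite follows. The `987` in `repeat('0', 987)` is a magic number; a comment on that line such as `" 987 zeros + 9 more bytes: presumably sized to push the E492 message to the end of IObuff — confirm against IOSIZE` would record why that length reproduces the overrun, since the arithmetic is not visible here. The `..` concatenation operator in that `exe` line should be confirmed to be accepted by the packaged 8.1.2269 base, otherwise the test fails for an unrelated reason.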