From d7d6b2cceeceb4470da4c886f0423b9b4a11036a Mon Sep 17 00:00:00 2001
From: guozhaorui <guozhaorui1@huawei.com>
Date: Fri, 28 Jan 2022 17:34:28 +0800
Subject: [PATCH] fix CVE-2022-0261 CVE-2022-0318

(cherry picked from commit 179c1dcc5adc1a9afd1969b9f163950a190f2bd6)
---
 backport-CVE-2022-0261.patch | 109 +++++++++++++++++++++++++++++++++++
 backport-CVE-2022-0318.patch |  63 ++++++++++++++++++++
 vim.spec                     |  10 +++-
 3 files changed, 181 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2022-0261.patch
 create mode 100644 backport-CVE-2022-0318.patch

diff --git a/backport-CVE-2022-0261.patch b/backport-CVE-2022-0261.patch
new file mode 100644
index 0000000..f5c2e76
--- /dev/null
+++ b/backport-CVE-2022-0261.patch
@@ -0,0 +1,109 @@
+From 9f8c304c8a390ade133bac29963dc8e56ab14cbc Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Mon, 17 Jan 2022 17:30:21 +0000
+Subject: [PATCH] patch 8.2.4120: block insert goes over the end of the line
+
+Problem:    Block insert goes over the end of the line.
+Solution:   Handle invalid byte better.  Fix inserting the wrong text.
+---
+ src/ops.c                   | 40 ++++++++++++++++++++++++-------------
+ src/testdir/test_visual.vim | 10 ++++++++++
+ 2 files changed, 36 insertions(+), 14 deletions(-)
+
+diff --git a/src/ops.c b/src/ops.c
+index d3e1e47..13e6bdb 100644
+--- a/src/ops.c
++++ b/src/ops.c
+@@ -535,22 +535,27 @@ block_insert(
+ 	    if (b_insert)
+ 	    {
+ 		off = (*mb_head_off)(oldp, oldp + offset + spaces);
++		spaces -= off;
++		count -= off;
+ 	    }
+ 	    else
+ 	    {
+-		off = (*mb_off_next)(oldp, oldp + offset);
+-		offset += off;
++		// spaces fill the gap, the character that's at the edge moves
++		// right
++		off = (*mb_head_off)(oldp, oldp + offset);
++		offset -= off;
+ 	    }
+-	    spaces -= off;
+-	    count -= off;
+ 	}
+ 
+-	newp = alloc(STRLEN(oldp) + s_len + count + 1);
++	// Make sure the allocated size matches what is actually copied below.
++	newp = alloc(STRLEN(oldp) + spaces + s_len
++		    + (spaces > 0 && !bdp->is_short ? ts_val - spaces : 0)
++								  + count + 1);
+ 	if (newp == NULL)
+ 	    continue;
+ 
+ 	// copy up to shifted part
+-	mch_memmove(newp, oldp, (size_t)(offset));
++	mch_memmove(newp, oldp, (size_t)offset);
+ 	oldp += offset;
+ 
+ 	// insert pre-padding
+@@ -560,14 +565,21 @@ block_insert(
+ 	mch_memmove(newp + offset + spaces, s, (size_t)s_len);
+ 	offset += s_len;
+ 
+-	if (spaces && !bdp->is_short)
++	if (spaces > 0 && !bdp->is_short)
+ 	{
+-	    // insert post-padding
+-	    vim_memset(newp + offset + spaces, ' ', (size_t)(ts_val - spaces));
+-	    // We're splitting a TAB, don't copy it.
+-	    oldp++;
+-	    // We allowed for that TAB, remember this now
+-	    count++;
++	    if (*oldp == TAB)
++	    {
++		// insert post-padding
++		vim_memset(newp + offset + spaces, ' ',
++						    (size_t)(ts_val - spaces));
++		// we're splitting a TAB, don't copy it
++		oldp++;
++		// We allowed for that TAB, remember this now
++		count++;
++	    }
++	    else
++		// Not a TAB, no extra spaces
++		count = spaces;
+ 	}
+ 
+ 	if (spaces > 0)
+@@ -1609,7 +1621,7 @@ op_insert(oparg_T *oap, long count1)
+ 		oap->start_vcol = t;
+ 	    }
+ 	    else if (oap->op_type == OP_APPEND
+-		      && oap->end.col + oap->end.coladd
++			&& oap->start.col + oap->start.coladd
+ 			>= curbuf->b_op_start_orig.col
+ 					      + curbuf->b_op_start_orig.coladd)
+ 	    {
+diff --git a/src/testdir/test_visual.vim b/src/testdir/test_visual.vim
+index 0705fdb..84a8981 100644
+--- a/src/testdir/test_visual.vim
++++ b/src/testdir/test_visual.vim
+@@ -903,3 +903,13 @@ func Test_visual_block_ctrl_w_f()
+ endfunc
+ 
+ " vim: shiftwidth=2 sts=2 expandtab
++
++func Test_visual_block_append_invalid_char()
++  " this was going over the end of the line
++  new
++  call setline(1, ['	   let xxx', 'xxxxxˆ', 'xxxxxxxxxxx'])
++  exe "normal 0\<C-V>jjA-\<Esc>"
++  call assert_equal(['	-   let xxx', 'xxxxx   -ˆ', 'xxxxxxxx-xxx'], getline(1, 3))
++  bwipe!
++endfunc
++
+-- 
+2.27.0
+
diff --git a/backport-CVE-2022-0318.patch b/backport-CVE-2022-0318.patch
new file mode 100644
index 0000000..2a062f8
--- /dev/null
+++ b/backport-CVE-2022-0318.patch
@@ -0,0 +1,63 @@
+From 57df9e8a9f9ae1aafdde9b86b10ad907627a87dc Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Thu, 20 Jan 2022 12:10:48 +0000
+Subject: [PATCH] patch 8.2.4151: reading beyond the end of a line
+
+Problem:    Reading beyond the end of a line.
+Solution:   For block insert only use the offset for correcting the length.
+---
+ src/ops.c                   | 20 ++------------------
+ src/testdir/test_visual.vim |  9 +++++++++
+ 2 files changed, 11 insertions(+), 18 deletions(-)
+
+diff --git a/src/ops.c b/src/ops.c
+index 13e6bdb..2122ff3 100644
+--- a/src/ops.c
++++ b/src/ops.c
+@@ -528,24 +528,8 @@ block_insert(
+ 	}
+ 
+ 	if (has_mbyte && spaces > 0)
+-	{
+-	    int off;
+-
+-	    // Avoid starting halfway a multi-byte character.
+-	    if (b_insert)
+-	    {
+-		off = (*mb_head_off)(oldp, oldp + offset + spaces);
+-		spaces -= off;
+-		count -= off;
+-	    }
+-	    else
+-	    {
+-		// spaces fill the gap, the character that's at the edge moves
+-		// right
+-		off = (*mb_head_off)(oldp, oldp + offset);
+-		offset -= off;
+-	    }
+-	}
++	    // avoid copying part of a multi-byte character
++	    offset -= (*mb_head_off)(oldp, oldp + offset);
+ 
+ 	// Make sure the allocated size matches what is actually copied below.
+ 	newp = alloc(STRLEN(oldp) + spaces + s_len
+diff --git a/src/testdir/test_visual.vim b/src/testdir/test_visual.vim
+index 84a8981..3ed927a 100644
+--- a/src/testdir/test_visual.vim
++++ b/src/testdir/test_visual.vim
+@@ -913,3 +913,12 @@ func Test_visual_block_append_invalid_char()
+   bwipe!
+ endfunc
+ 
++func Test_visual_block_insert_round_off()
++  new
++  " The number of characters are tuned to fill a 4096 byte allocated block,
++  " so that valgrind reports going over the end.
++  call setline(1, ['xxxxx', repeat('0', 1350), "\t", repeat('x', 60)])
++  exe "normal gg0\<C-V>GI" .. repeat('0', 1320) .. "\<Esc>"
++  bwipe!
++endfunc
++
+-- 
+2.27.0
+
diff --git a/vim.spec b/vim.spec
index 5913932..ed61ac3 100644
--- a/vim.spec
+++ b/vim.spec
@@ -11,7 +11,7 @@
 Name:           vim
 Epoch:          2
 Version:        8.2
-Release:        12
+Release:        13
 Summary:        Vim is a highly configurable text editor for efficiently creating and changing any kind of text.
 License:        Vim and MIT
 URL:            http://www.vim.org
@@ -55,6 +55,8 @@ Patch6021:      backport-fix-arglist-test-fails.patch
 Patch6022:      backport-CVE-2021-4192.patch
 Patch6023:      backport-CVE-2021-4193.patch
 Patch6024:      backport-CVE-2022-0213.patch
+Patch6025:	backport-CVE-2022-0261.patch
+Patch6026:	backport-CVE-2022-0318.patch
 
 Patch9000:      bugfix-rm-modify-info-version.patch
 
@@ -443,6 +445,12 @@ popd
 %{_mandir}/man1/evim.*
 
 %changelog
+* Fri Jan 28 2022 guozhaorui<guozhaorui@h-partners.com> - 2:8.2-13
+- Type:CVE
+- ID:CVE-2022-0261 CVE-2022-0318
+- SUG:NA
+- DESC:fix CVE-2022-0261 CVE-2022-0318
+
 * Thu Jan 20 2022 guozhaorui<guozhaorui1@huawei.com> - 2:8.2-12
 - Type:CVE
 - ID:CVE-2022-0213
-- 
Gitee