From a4a102f29526d35c3b1b3e1fdcdb29c042266273 Mon Sep 17 00:00:00 2001
From: guozhaorui
Date: Sat, 29 Jan 2022 12:05:52 +0800
Subject: [PATCH] fix CVE-2022-0213 CVE-2022-0261 CVE-2022-0318
---
 backport-CVE-2022-0213.patch | 62 ++++++++++++++++++++
 backport-CVE-2022-0261.patch | 109 +++++++++++++++++++++++++++++++++++
 backport-CVE-2022-0318.patch | 63 ++++++++++++++++++++
 vim.spec | 11 +++-
 4 files changed, 244 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2022-0213.patch
 create mode 100644 backport-CVE-2022-0261.patch
 create mode 100644 backport-CVE-2022-0318.patch
diff --git a/backport-CVE-2022-0213.patch b/backport-CVE-2022-0213.patch
new file mode 100644
index 0000000..0324ad8
--- /dev/null
+++ b/backport-CVE-2022-0213.patch
@@ -0,0 +1,62 @@
+From de05bb25733c3319e18dca44e9b59c6ee389eb26 Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar
+Date: Thu, 13 Jan 2022 13:08:14 +0000
+Subject: [PATCH] patch 8.2.4074: going over the end of NameBuff
+
+Problem: Going over the end of NameBuff.
+Solution: Check length when appending a space.
+
+---
+ src/drawscreen.c | 9 +++++----
+ src/testdir/test_edit.vim | 15 +++++++++++++++
+ src/version.c | 2 ++
+ 3 files changed, 22 insertions(+), 4 deletions(-)
+
+diff --git a/src/drawscreen.c b/src/drawscreen.c
+index 9acb705..7425ad4 100644
+--- a/src/drawscreen.c
++++ b/src/drawscreen.c
+@@ -437,12 +437,13 @@ win_redr_status(win_T *wp, int ignore_pum UNUSED)
+ p = NameBuff;
+ len = (int)STRLEN(p);
+
+- if (bt_help(wp->w_buffer)
++ if ((bt_help(wp->w_buffer)
+ #ifdef FEAT_QUICKFIX
+- || wp->w_p_pvw
++ || wp->w_p_pvw
+ #endif
+- || bufIsChanged(wp->w_buffer)
+- || wp->w_buffer->b_p_ro)
++ || bufIsChanged(wp->w_buffer)
++ || wp->w_buffer->b_p_ro)
++ && len < MAXPATHL - 1)
+ *(p + len++) = ' ';
+ if (bt_help(wp->w_buffer))
+ {
+diff --git a/src/testdir/test_edit.vim b/src/testdir/test_edit.vim
+index c3b1af5..48e6ff2 100644
+--- a/src/testdir/test_edit.vim
++++ b/src/testdir/test_edit.vim
+@@ -1532,3 +1532,18 @@ func Test_edit_put_CTRL_E()
+ set encoding=utf-8
+ endfunc
+
++" Weird long file name was going over the end of NameBuff
++func Test_edit_overlong_file_name()
++ CheckUnix
++
++ file 0000000000000000000000000000
++ file %%%%%%%%%%%%%%%%%%%%%%%%%%
++ file %%%%%%
++ set readonly
++ set ls=2
++
++ redraw!
++ set noreadonly ls&
++ bwipe!
++endfunc
++
+--
+2.23.0
+
diff --git a/backport-CVE-2022-0261.patch b/backport-CVE-2022-0261.patch
new file mode 100644
index 0000000..f5c2e76
--- /dev/null
+++ b/backport-CVE-2022-0261.patch
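Review bot: The added `&& len < MAXPATHL - 1` guards only the single space written at `*(p + len++) = ' ';`; the `if (bt_help(wp->w_buffer))` branch that closes the inner hunk, and anything else win_redr_status copies into NameBuff after it, is outside this hunk (win_redr_status starts and ends beyond it). Before treating this backport as the complete fix for CVE-2022-0213, confirm against the patched src/drawscreen.c that those later appends are bounded the same way, since `Test_edit_overlong_file_name` only exercises the readonly path where the overflow happens at the space. The inner diffstat lists src/version.c with two added lines but the backport carries no hunk for it, which is normal for a distro backport but means the upstream patch number is not recorded; a one-line note in the patch header such as `# version.c hunk intentionally dropped in this backport` would make that deliberate for the next maintainer.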
@@ -0,0 +1,109 @@
+From 9f8c304c8a390ade133bac29963dc8e56ab14cbc Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar
+Date: Mon, 17 Jan 2022 17:30:21 +0000
+Subject: [PATCH] patch 8.2.4120: block insert goes over the end of the line
+
+Problem: Block insert goes over the end of the line.
+Solution: Handle invalid byte better. Fix inserting the wrong text.
+---
+ src/ops.c | 40 ++++++++++++++++++++++++-------------
+ src/testdir/test_visual.vim | 10 ++++++++++
+ 2 files changed, 36 insertions(+), 14 deletions(-)
+
+diff --git a/src/ops.c b/src/ops.c
+index d3e1e47..13e6bdb 100644
+--- a/src/ops.c
++++ b/src/ops.c
+@@ -535,22 +535,27 @@ block_insert(
+ if (b_insert)
+ {
+ off = (*mb_head_off)(oldp, oldp + offset + spaces);
++ spaces -= off;
++ count -= off;
+ }
+ else
+ {
+- off = (*mb_off_next)(oldp, oldp + offset);
+- offset += off;
++ // spaces fill the gap, the character that's at the edge moves
++ // right
++ off = (*mb_head_off)(oldp, oldp + offset);
++ offset -= off;
+ }
+- spaces -= off;
+- count -= off;
+ }
+
+- newp = alloc(STRLEN(oldp) + s_len + count + 1);
++ // Make sure the allocated size matches what is actually copied below.
++ newp = alloc(STRLEN(oldp) + spaces + s_len
++ + (spaces > 0 && !bdp->is_short ? ts_val - spaces : 0)
++ + count + 1);
+ if (newp == NULL)
+ continue;
+
+ // copy up to shifted part
+- mch_memmove(newp, oldp, (size_t)(offset));
++ mch_memmove(newp, oldp, (size_t)offset);
+ oldp += offset;
+
+ // insert pre-padding
+@@ -560,14 +565,21 @@ block_insert(
+ mch_memmove(newp + offset + spaces, s, (size_t)s_len);
+ offset += s_len;
+
+- if (spaces && !bdp->is_short)
++ if (spaces > 0 && !bdp->is_short)
+ {
+- // insert post-padding
+- vim_memset(newp + offset + spaces, ' ', (size_t)(ts_val - spaces));
+- // We're splitting a TAB, don't copy it.
+- oldp++;
+- // We allowed for that TAB, remember this now
+- count++;
++ if (*oldp == TAB)
++ {
++ // insert post-padding
++ vim_memset(newp + offset + spaces, ' ',
++ (size_t)(ts_val - spaces));
++ // we're splitting a TAB, don't copy it
++ oldp++;
++ // We allowed for that TAB, remember this now
++ count++;
++ }
++ else
++ // Not a TAB, no extra spaces
++ count = spaces;
+ }
+
+ if (spaces > 0)
+@@ -1609,7 +1621,7 @@ op_insert(oparg_T *oap, long count1)
+ oap->start_vcol = t;
+ }
+ else if (oap->op_type == OP_APPEND
+- && oap->end.col + oap->end.coladd
++ && oap->start.col + oap->start.coladd
+ >= curbuf->b_op_start_orig.col
+ + curbuf->b_op_start_orig.coladd)
+ {
+diff --git a/src/testdir/test_visual.vim b/src/testdir/test_visual.vim
+index 0705fdb..84a8981 100644
+--- a/src/testdir/test_visual.vim
++++ b/src/testdir/test_visual.vim
+@@ -903,3 +903,13 @@ func Test_visual_block_ctrl_w_f()
+ endfunc
+
+ " vim: shiftwidth=2 sts=2 expandtab
++
++func Test_visual_block_append_invalid_char()
++ " this was going over the end of the line
++ new
++ call setline(1, [' let xxx', 'xxxxxˆ', 'xxxxxxxxxxx'])
++ exe "normal 0\jjA-\"
++ call assert_equal([' - let xxx', 'xxxxx -ˆ', 'xxxxxxxx-xxx'], getline(1, 3))
++ bwipe!
++endfunc
++
+--
+2.27.0
+
diff --git a/backport-CVE-2022-0318.patch b/backport-CVE-2022-0318.patch
new file mode 100644
index 0000000..2a062f8
--- /dev/null
+++ b/backport-CVE-2022-0318.patch
@@ -0,0 +1,63 @@
+From 57df9e8a9f9ae1aafdde9b86b10ad907627a87dc Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar
+Date: Thu, 20 Jan 2022 12:10:48 +0000
+Subject: [PATCH] patch 8.2.4151: reading beyond the end of a line
+
+Problem: Reading beyond the end of a line.
+Solution: For block insert only use the offset for correcting the length.
+---
+ src/ops.c | 20 ++------------------
+ src/testdir/test_visual.vim | 9 +++++++++
+ 2 files changed, 11 insertions(+), 18 deletions(-)
+
+diff --git a/src/ops.c b/src/ops.c
+index 13e6bdb..2122ff3 100644
+--- a/src/ops.c
++++ b/src/ops.c
+@@ -528,24 +528,8 @@ block_insert(
+ }
+
+ if (has_mbyte && spaces > 0)
+- {
+- int off;
+-
+- // Avoid starting halfway a multi-byte character.
+- if (b_insert)
+- {
+- off = (*mb_head_off)(oldp, oldp + offset + spaces);
+- spaces -= off;
+- count -= off;
+- }
+- else
+- {
+- // spaces fill the gap, the character that's at the edge moves
+- // right
+- off = (*mb_head_off)(oldp, oldp + offset);
+- offset -= off;
+- }
+- }
++ // avoid copying part of a multi-byte character
++ offset -= (*mb_head_off)(oldp, oldp + offset);
+
+ // Make sure the allocated size matches what is actually copied below.
+ newp = alloc(STRLEN(oldp) + spaces + s_len
+diff --git a/src/testdir/test_visual.vim b/src/testdir/test_visual.vim
+index 84a8981..3ed927a 100644
+--- a/src/testdir/test_visual.vim
++++ b/src/testdir/test_visual.vim
+@@ -913,3 +913,12 @@ func Test_visual_block_append_invalid_char()
+ bwipe!
+ endfunc
+
++func Test_visual_block_insert_round_off()
++ new
++ " The number of characters are tuned to fill a 4096 byte allocated block,
++ " so that valgrind reports going over the end.
++ call setline(1, ['xxxxx', repeat('0', 1350), "\t", repeat('x', 60)])
++ exe "normal gg0\GI" .. repeat('0', 1320) .. "\"
++ bwipe!
++endfunc
++
+--
+2.27.0
+
diff --git a/vim.spec b/vim.spec
index fc82e20..d26c8d9 100644
--- a/vim.spec
+++ b/vim.spec
@@ -12,7 +12,7 @@
 Name: vim
 Epoch: 2
 Version: 8.2
-Release: 19
+Release: 20
 Summary: Vim is a highly configurable text editor for efficiently creating and changing any kind of text.
 License: Vim and MIT
 URL: http://www.vim.org
@@ -69,6 +69,9 @@ Patch6032: backport-CVE-2021-4166.patch
 Patch6033: backport-fix-arglist-test-fails.patch
 Patch6034: backport-CVE-2021-4192.patch
 Patch6035: backport-CVE-2021-4193.patch
+Patch6036: backport-CVE-2022-0213.patch
+Patch6037: backport-CVE-2022-0261.patch
+Patch6038: backport-CVE-2022-0318.patch
 
 Patch9000: bugfix-rm-modify-info-version.patch
 
@@ -457,6 +460,12 @@ popd
 %{_mandir}/man1/evim.*
 
 %changelog
+* Sat Jan 29 2022 guozhaorui - 2:8.2-20
+- Type:CVE
+- ID:CVE-2022-0213 CVE-2022-0261 CVE-2022-0318
+- SUG:NA
+- DESC:CVE-2022-0213 CVE-2022-0261 CVE-2022-0318
+
 * Mon Jan 17 2022 yuanxin - 2:8.2-19
 - Type:CVE
 - ID:CVE-2021-4166 CVE-2021-4192 CVE-2021-4193
-- 
Gitee